Rhysida

Threat Actor updated 19 hours ago (2024-11-20T17:34:48.439Z)
Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly government and the public sector. Its use of CleanUpLoader makes its operations highly effective and difficult to detect: the loader not only provides persistence but also lets Rhysida actors exfiltrate valuable data before deploying the ransomware.

High-profile breaches include the 2023 attack on King Edward VII's Hospital in London, where Rhysida claimed to have stolen sensitive information about hospital staff and patients, including members of the British royal family. Attacks on the Chilean Army and the City of Columbus further demonstrate Rhysida's ability to infiltrate critical public sector infrastructure. The group uses a variety of infiltration and lateral movement methods, such as transferring ransomware over HTTP/S and emailing ransomware as a compressed attachment. These tactics were identified in SafeBreach's coverage of Rhysida's activity, specifically in reports #9075, #9074, #9077 and #9076.

The sophistication of Rhysida's operations means that defending against this ransomware requires a proactive, intelligence-driven approach. By understanding Rhysida's tactics, security teams can implement more effective defensive strategies to mitigate the impact of this and other advanced ransomware families. Monitoring Rhysida's infrastructure, including typosquatting domains and CleanUpLoader C2 servers, has been key to detecting its activity. The Insikt Group found that Rhysida victims could be detected on average 30 days before they appeared on public extortion sites, indicating an opportunity for early intervention. Given the significant threat Rhysida poses across industries, organizations should maintain vigilant cybersecurity practices and stay current on Rhysida's evolving tactics.
Description last updated: 2024-11-15T16:18:59.638Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias | Description | Votes
Vice Society | Vice Society is a possible alias for Rhysida. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe | 7
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
RaaS
Extortion
Lateral Move...
Bitcoin
Windows
Vulnerability
Encryption
Data Leak
Phishing
Payload
Locker
Ransomware P...
Exploit
Cybercrime
Medical
Healthcare
Health
Hse
Fortiguard
Cobalt Strike
Exploits
Encrypt
Spyware
Hospitals
Linux
Zero Day
Github
Telegram
Apt
Backdoor
Kaspersky
Vpn
t1021.004
t1003.003
t1070.001
CISA
Tool
British
Analyst Notes & Discussion
Associated Malware
Alias | Description | Association Type | Votes
Rhysida Ransomware | The Rhysida Ransomware malware is associated with Rhysida. The Rhysida ransomware, a malicious software known for exploiting and damaging computer systems, has been actively disrupting cybersecurity since May 2023. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal pe | Unspecified | 12
Lockbit | The LockBit malware is associated with Rhysida. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit | Unspecified | 5
SystemBC | The SystemBC malware is associated with Rhysida. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f | Unspecified | 2
3AM | The 3AM malware is associated with Rhysida. 3AM is a new ransomware family that emerged in the cyber threat landscape, as discovered by Symantec's Threat Hunter Team in September 2023. This malicious software, written in Rust, is designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through susp | Unspecified | 2
Clop | The Clop malware is associated with Rhysida. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Alphv | The Alphv threat actor is associated with Rhysida. Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB | Unspecified | 5
Medusa | The Medusa threat actor is associated with Rhysida. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou | Unspecified | 2
BianLian | The BianLian threat actor is associated with Rhysida. BianLian is a threat actor group known for its malicious activities, primarily involving ransomware attacks. The group has been particularly active in 2024, exploiting bugs in JetBrains TeamCity software to launch its attacks. This method of attack has caused significant disruptions and data breache | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
Zerologon | The Zerologon vulnerability is associated with Rhysida. Zerologon, officially known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol. This flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, enabling them to escalate privileges to do | Unspecified | 2
CVE-2020-1472 | The CVE-2020-1472 vulnerability is associated with Rhysida. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without any | Exploited | 2
Source Document References
Information about the Rhysida threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
BankInfoSecurity | a month ago
Recorded Future | a month ago
BankInfoSecurity | 14 days ago
Securityaffairs | 16 days ago
InfoSecurity-magazine | 17 days ago
BankInfoSecurity | a month ago
Checkpoint | a month ago
BankInfoSecurity | 2 months ago
Securityaffairs | 2 months ago
DARKReading | 2 months ago
Securityaffairs | 2 months ago
BankInfoSecurity | 3 months ago
DARKReading | 3 months ago
Malwarebytes | 3 months ago
InfoSecurity-magazine | 3 months ago
Securityaffairs | 3 months ago
CERT-EU | a year ago
Securityaffairs | 4 months ago
BankInfoSecurity | 4 months ago
BankInfoSecurity | 5 months ago