Rhysida

Threat Actor updated 22 days ago (2024-11-29T14:02:14.415Z)
Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistence but also enables Rhysida actors to exfiltrate valuable data before deploying the ransomware. High-profile breaches include the attack on King Edward VII’s Hospital in London in 2023, where Rhysida claimed to have stolen sensitive information from hospital staff and patients, including members of the British royal family. Additionally, attacks on the Chilean Army and the City of Columbus demonstrate Rhysida's ability to infiltrate critical public sector infrastructures. The group uses various infiltration and lateral movement methods such as transferring ransomware over HTTP/S and emailing ransomware as a compressed attachment. These tactics were identified in SafeBreach's coverage of Rhysida's actions, specifically in reports #9075, #9074, #9077, and #9076. The sophistication of Rhysida’s operations means that defending against this ransomware requires a proactive and intelligence-driven approach. By understanding Rhysida’s tactics, security teams can implement more effective defensive strategies to mitigate the impact of this and other advanced ransomware families. Monitoring Rhysida’s infrastructure, including typosquatting domains and CleanUpLoader C2 servers, has been key in detecting their activities. The Insikt Group found that Rhysida victims could be detected on average 30 days before appearing on public extortion sites, indicating an opportunity for early intervention. Given the significant threat Rhysida poses across industries, it is crucial for organizations to maintain vigilant cybersecurity practices and stay updated on Rhysida's evolving tactics.
Description last updated: 2024-11-15T16:18:59.638Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias (votes): Description
Vice Society (7 votes): Vice Society is a possible alias for Rhysida. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Ransom, Malware, RaaS, Extortion, Lateral Move..., Bitcoin, Windows, Vulnerability, Encryption, Data Leak, Phishing, Payload, Locker, Ransomware P..., Exploit, Cybercrime, Medical, Healthcare, Health, Hse, Fortiguard, Cobalt Strike, Exploits, Encrypt, Spyware, Hospitals, Linux, Zero Day, Github, Telegram, Apt, Backdoor, Kaspersky, Vpn, t1021.004, t1003.003, t1070.001, CISA, Tool, British
Associated Malware
Alias (association type, votes): Description
Rhysida Ransomware Malware (association type: Unspecified, 12 votes): The Rhysida Ransomware Malware is associated with Rhysida. The Rhysida ransomware, a malicious software known for exploiting and damaging computer systems, has been actively disrupting cybersecurity since May 2023. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal pe
Lockbit Malware (association type: Unspecified, 5 votes): The Lockbit Malware is associated with Rhysida. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or
Systembc Malware (association type: Unspecified, 2 votes): The Systembc Malware is associated with Rhysida. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f
3am Malware (association type: Unspecified, 2 votes): The 3am Malware is associated with Rhysida. 3AM is a new ransomware family that emerged in the cyber threat landscape, as discovered by Symantec's Threat Hunter Team in September 2023. This malicious software, written in Rust, is designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through susp
Clop Malware (association type: Unspecified, 2 votes): The Clop Malware is associated with Rhysida. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin
Associated Threat Actors
Alias (association type, votes): Description
Alphv Threat Actor (association type: Unspecified, 5 votes): The Alphv Threat Actor is associated with Rhysida. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p
Medusa Threat Actor (association type: Unspecified, 2 votes): The Medusa Threat Actor is associated with Rhysida. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou
BianLian Threat Actor (association type: Unspecified, 2 votes): The BianLian Threat Actor is associated with Rhysida. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory
Associated Vulnerabilities
Alias (association type, votes): Description
Zerologon Vulnerability (association type: Unspecified, 2 votes): The Zerologon Vulnerability is associated with Rhysida. Zerologon (CVE-2020-1472) is a critical vulnerability within Microsoft's Netlogon Remote Protocol that emerged in 2020. It involves a privilege escalation condition that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, bypassing authentication m
CVE-2020-1472 Vulnerability (association type: Exploited, 2 votes): The CVE-2020-1472 Vulnerability is associated with Rhysida. CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without any
Source Document References
Information about the Rhysida Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created at):
BankInfoSecurity (2 months ago)
Recorded Future (2 months ago)
BankInfoSecurity (a month ago)
Securityaffairs (2 months ago)
InfoSecurity-magazine (2 months ago)
BankInfoSecurity (2 months ago)
Checkpoint (2 months ago)
BankInfoSecurity (3 months ago)
Securityaffairs (3 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
BankInfoSecurity (4 months ago)
DARKReading (4 months ago)
Malwarebytes (4 months ago)
InfoSecurity-magazine (4 months ago)
Securityaffairs (4 months ago)
CERT-EU (a year ago)
Securityaffairs (5 months ago)
BankInfoSecurity (5 months ago)
BankInfoSecurity (6 months ago)