Rhysida

Threat Actor updated 11 days ago (2024-10-14T18:00:57.879Z)
Rhysida is a ransomware threat actor that has been active since May 2023 and is responsible for numerous high-profile double-extortion attacks. The alias data on this page links the cluster to Vice Society (see Possible Aliases below), and the payload history attributed to it is consistent with that link: before settling on its own eponymous Rhysida ransomware, the group deployed BlackCat, Hello Kitty, Quantum Locker, Zeppelin and a Vice Society-branded variant of Zeppelin, and as of August 2024 it has also been observed deploying INC ransomware.

Rhysida's targeting is opportunistic rather than sector-specific, although healthcare features prominently among its victims. Nonprofit healthcare organization Axis Health System was hit by a Rhysida ransomware attack that resulted in the theft of sensitive data, including mental health and substance-abuse records. In another case, the Port of Seattle confirmed that Rhysida was behind an August 2024 cyberattack that led to data theft; Rhysida demanded a $3.4 million ransom, which the port refused to pay.

Reported delivery and lateral-movement methods include transferring the ransomware over HTTP/S and emailing it as a compressed attachment. Rhysida typically demands substantial ransoms and threatens to publish stolen data if they are not paid; in one instance it demanded $1.5 million and threatened to release the data within six days. The group's aggressive extortion and its willingness to change payloads are the main reasons it remains a significant threat.
Description last updated: 2024-10-14T17:15:38.336Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Vice Society (7 votes). Vice Society is a possible alias for Rhysida. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
RaaS
Ransom
Malware
Extortion
Lateral Move...
Encryption
Vulnerability
Windows
Bitcoin
Phishing
Ransomware P...
Payload
Data Leak
Locker
Exploit
Medical
Cybercrime
Healthcare
Health
Hse
Cobalt Strike
Exploits
Encrypt
Spyware
Hospitals
Linux
Zero Day
Github
Telegram
Apt
Clop
Kaspersky
Vpn
T1021.004 (Remote Services: SSH)
T1003.003 (OS Credential Dumping: NTDS)
T1070.001 (Indicator Removal: Clear Windows Event Logs)
CISA
Tool
British
Fortiguard
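The three ATT&CK sub-techniques tagged above (T1021.004 SSH lateral movement, T1003.003 NTDS credential dumping, T1070.001 clearing Windows event logs) are the ones a defender can most readily turn into log-based detections. The script below is an added example, not Cybergeist's or any vendor's tooling, and it runs over constructed sample records rather than real telemetry; the field names (host, channel, event_id, command_line, line) and the bastion allow-list are assumptions chosen for the example. It maps Security event 1102 and System event 104 to T1070.001, ntdsutil "ifm" / NTDS.dit / shadow-copy command lines in 4688 process-creation events to T1003.003, and sshd "Accepted" logins from hosts outside an allow-list to T1021.004.

```python
"""Map constructed Windows and Linux log records to the ATT&CK sub-techniques
tagged on this page. Added example, not Cybergeist or Rhysida tooling.
Sample events are constructed for illustration, not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str
    host: str
    reason: str


# Constructed sample records. Windows records mimic Security/System event log
# fields; the Linux record mimics an sshd line from /var/log/auth.log.
SAMPLE_EVENTS = [
    {"host": "dc01", "channel": "Security", "event_id": 4688,
     "command_line": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\dump" q q'},
    {"host": "dc01", "channel": "Security", "event_id": 1102, "subject_user": "svc_backup"},
    {"host": "fs02", "channel": "System", "event_id": 104, "log_name": "System"},
    {"host": "ws07", "channel": "Security", "event_id": 4688,
     "command_line": "C:\\Windows\\System32\\notepad.exe"},
    {"host": "app03", "channel": "auth.log",
     "line": "Oct 14 03:12:44 app03 sshd[2211]: Accepted password for root "
             "from 10.10.5.23 port 51022 ssh2"},
]

# Command-line patterns that indicate an NTDS.dit extraction (T1003.003).
NTDS_PATTERNS = [
    re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I),   # ntdsutil "ifm" full dump
    re.compile(r"ntds\.dit", re.I),                     # direct access/copy of the DB
    re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),  # shadow copy to read locked file
]
# sshd successful-login line: captures user and source address.
SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

# Hypothetical bastion host allowed to originate SSH sessions (assumption).
ALLOWED_SSH_SOURCES = {"10.0.0.5"}


def classify(event, allowed_ssh_sources=ALLOWED_SSH_SOURCES):
    """Return the Findings a single log record produces (possibly none)."""
    host = event.get("host", "?")
    channel = event.get("channel", "")
    eid = event.get("event_id")
    out = []

    # T1070.001: Security log cleared (1102) or any log cleared via System channel (104).
    if channel == "Security" and eid == 1102:
        out.append(Finding("T1070.001", host,
                           f"Security event log cleared by {event.get('subject_user', '?')}"))
    elif channel == "System" and eid == 104:
        out.append(Finding("T1070.001", host,
                           f"{event.get('log_name', '?')} event log cleared"))

    # T1003.003: process creation whose command line matches an NTDS dump pattern.
    if eid == 4688:
        cmd = event.get("command_line", "")
        if any(p.search(cmd) for p in NTDS_PATTERNS):
            out.append(Finding("T1003.003", host, f"NTDS extraction command: {cmd}"))

    # T1021.004: accepted SSH login from a source that is not an approved bastion.
    if channel == "auth.log":
        m = SSH_ACCEPT.search(event.get("line", ""))
        if m and m.group(2) not in allowed_ssh_sources:
            out.append(Finding("T1021.004", host,
                               f"SSH login as {m.group(1)} from {m.group(2)}"))
    return out


def triage(events, allowed_ssh_sources=ALLOWED_SSH_SOURCES):
    """Run classify() over a batch of records and flatten the findings."""
    return [f for e in events for f in classify(e, allowed_ssh_sources)]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique} {f.host}: {f.reason}")
```

On real data the 1102/104 rule is low-volume and high-confidence; the NTDS rule should additionally be scoped to domain controllers and the SSH rule to successful logins only, since failed-attempt noise would otherwise swamp it.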
Associated Malware
Rhysida Ransomware (association type: Unspecified; 11 votes). The Rhysida ransomware, the group's eponymous payload, has been used in attacks since May 2023. Its operators infiltrate systems through malicious downloads, emails, or websites, often without the user's knowledge. Once inside, they exploit and damage the system, st
Lockbit (association type: Unspecified; 4 votes). LockBit is ransomware that infiltrates systems to exploit and damage them. It typically enters through malicious downloads, emails, or websites without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for
Systembc (association type: Unspecified; 2 votes). SystemBC is malware that has been heavily utilized in various cyber attacks, including those involving the BlackBasta ransomware group in 2023. The Play ransomware actors have also been known to use SystemBC alongside other command and control (C2) applications such as Cobalt Strike and to
3am (association type: Unspecified; 2 votes). 3AM is a ransomware family discovered by Symantec's Threat Hunter Team in September 2023. Written in Rust, it is designed to exploit and damage computer systems, often infiltrating them without the user's knowledge through susp
Associated Threat Actors
Alphv (association type: Unspecified; 5 votes). AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la
Medusa (association type: Unspecified; 2 votes). Medusa, a prominent threat actor in the cybersecurity landscape, has been increasingly active with its ransomware attacks. The group made headlines in November 2023 when it leveraged a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966), leading to numerous compromises alongside othe
Associated Vulnerabilities
Zerologon (association type: Unspecified; 2 votes). Zerologon, officially known as CVE-2020-1472, is a critical vulnerability within Microsoft's Netlogon Remote Protocol. This flaw allows attackers to bypass authentication mechanisms and alter computer passwords within a domain controller's Active Directory, enabling them to escalate privileges to do
CVE-2020-1472 (association type: Exploited; 2 votes). CVE-2020-1472, also known as the "ZeroLogon" vulnerability, is a critical-severity flaw in Microsoft's Netlogon Remote Protocol. This vulnerability, which was patched on August 11, 2020, allows attackers to escalate privileges and gain administrative access to a Windows domain controller without any
Source Document References
Information about the Rhysida Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created)
BankInfoSecurity (6 days ago)
Checkpoint (11 days ago)
BankInfoSecurity (a month ago)
Securityaffairs (a month ago)
DARKReading (a month ago)
Securityaffairs (a month ago)
BankInfoSecurity (2 months ago)
DARKReading (2 months ago)
Malwarebytes (2 months ago)
InfoSecurity-magazine (2 months ago)
Securityaffairs (3 months ago)
CERT-EU (10 months ago)
Securityaffairs (3 months ago)
BankInfoSecurity (4 months ago)
BankInfoSecurity (4 months ago)
DARKReading (4 months ago)
Securelist (6 months ago)
Malwarebytes (7 months ago)
Malwarebytes (7 months ago)
BankInfoSecurity (7 months ago)