Rhysida Ransomware

Malware updated 3 days ago (2024-11-20T18:14:23.006Z)
Rhysida is a ransomware family that has been active since May 2023. It typically reaches victims through malicious downloads, email attachments, or compromised websites, often without the user's knowledge. Once inside a network, it can steal personal information, disrupt operations, or hold data hostage for ransom. The Rhysida ransomware group, suspected of having Russian ties, has claimed responsibility for multiple attacks, including a massive data breach involving 6.5 terabytes of stolen data.

In September 2024, modePUSH reported that the Rhysida group, along with the BianLian group, had begun using Azure Storage Explorer to exfiltrate data from victim environments, a shift from their historically popular tools such as MEGAsync and rclone. In October 2024, Trend Micro noted that a ransomware actor mimicking the LockBit ransomware group was using samples that leverage Amazon's S3 storage to exfiltrate data stolen from targeted Windows or macOS systems.

Significant incidents attributed to Rhysida include an August 2024 attack on the Port of Seattle, which affected critical systems including the Seattle-Tacoma International Airport. The group also claimed responsibility for an attack on a city while law enforcement was investigating the incident. The FBI and CISA have issued warnings about these attacks, highlighting the growing threat posed by the Rhysida ransomware gang.
Description last updated: 2024-11-15T16:16:14.616Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias | Description | Votes
Vice Society | Vice Society is a possible alias for Rhysida Ransomware. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe | 6
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Windows
Ransom
Malware
Health
RaaS
Healthcare
Bitcoin
Hospital
Vulnerability
Medical
Encryption
Hospitals
Payload
Lateral Move...
Apt
Zero Day
CISA
Extortion
Cybercrime
Spyware
Exploit
Phishing
Associated Malware
Alias | Description | Association Type | Votes
LockBit | The LockBit malware is associated with Rhysida Ransomware. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit | Unspecified | 3
Associated Threat Actors
Alias | Description | Association Type | Votes
Rhysida | The Rhysida threat actor is associated with Rhysida Ransomware. Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc | Unspecified | 12
Source Document References
Information about the Rhysida Ransomware malware was read from the documents listed below (display limited to 20 results).
Source | Created
InfoSecurity-magazine | 8 days ago
BankInfoSecurity | 15 days ago
InfoSecurity-magazine | 16 days ago
Securityaffairs | 18 days ago
InfoSecurity-magazine | 19 days ago
Securityaffairs | 2 months ago
Securityaffairs | 2 months ago
Checkpoint | 2 months ago
Securityaffairs | 2 months ago
DARKReading | 3 months ago
DARKReading | 3 months ago
Checkpoint | 3 months ago
Checkpoint | 3 months ago
Securityaffairs | 3 months ago
Securityaffairs | 3 months ago
Securityaffairs | 3 months ago
Checkpoint | 4 months ago
Securityaffairs | 4 months ago
Checkpoint | 4 months ago
Securityaffairs | 4 months ago