Rhysida
Rhysida is a financially motivated, Windows-focused ransomware operation and ransomware-as-a-service (RaaS) group that emerged in 2023, with reporting repeatedly dating its rise to May 2023 onward. It uses double- and multi-extortion tactics: exfiltrating data, encrypting victim systems, and threatening to publish or sell stolen information via a Tor-hosted leak and negotiation portal. Its ransom notes are commonly PDF files named CriticalBreachDetected.pdf, which direct victims to contact the group through its dark web portal using a unique code; payment demands are made in Bitcoin. Reporting also notes that Rhysida defaces victim systems to maximize impact.

Victimology in the cited reporting spans education, government, healthcare, IT, manufacturing, transportation, and academic organizations. Specifically mentioned victims or claimed victims include the British Library, Seattle-Tacoma International Airport / Port of Seattle, Columbus city systems, Ejército de Chile, Martinique, Prospect Medical Holdings, Cookeville Regional Medical Center, Spindletop Center, MACT Health Board, Cardinal Services, California school districts, the Portuguese city of Gondomar, the University of the West of Scotland, and government institutions in Portugal, Chile, and Kuwait. US government reporting cited here says Rhysida has targeted the education, manufacturing, IT, and government sectors since May 2023; other reporting adds healthcare as a major focus.

Initial access and tradecraft described in the reporting include phishing, compromise of external-facing remote services, use of stolen valid credentials to access internal VPNs, and exploitation of known vulnerabilities including Zerologon (CVE-2020-1472). One British Library report cited compromised privileged third-party credentials and the lack of MFA on a terminal services server as the likely enabler of that intrusion.
Rhysida has been described as using living-off-the-land techniques and built-in Windows administration tools, and as commonly deploying ransomware with Cobalt Strike or similar frameworks. Cisco Talos assessed Rhysida as one of the ransomware groups with the broadest range of TTPs. Kroll reported that Rhysida operators favor SystemBC as a post-compromise access and persistence tool; in one healthcare intrusion, actors used compromised credentials and a Citrix NetScaler vulnerability, then deployed SystemBC, Advanced Port Scanner for discovery, AnyDesk for remote access, and MegaSync for exfiltration, and changed system passwords after encryption.

The reporting states that Rhysida operates opportunistically and has been linked to attacks across Western Europe, North and South America, and Australia. The US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center describes it as a significant threat to the healthcare sector. Multiple sources state or assess that Rhysida operates as a RaaS model with affiliates; the British Library reporting notes that a Rhysida affiliate likely conducted that intrusion. Microsoft also linked Rhysida affiliates to use of the Fox Tempest malware-signing-as-a-service platform to digitally sign malware used in ransomware operations.

Regarding lineage, Secureworks assessed that Rhysida likely emerged from the older Gold Victor criminal operation, which operated Vice Society; separate reporting says the group appears to have links to Vice Society. The exact identity of the operators is unknown. One cited assessment said the operators are probably Russian-speaking, but the same source noted there is no hard evidence. No nation-state attribution is supported by the cited reporting.

Known aliases and related names directly mentioned in the reporting: Rhysida; possible lineage or related operation: Gold Victor / Vice Society.
Tradecraft
40 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Associated vulnerabilities
1 CVE this actor has used in observed campaigns; it has been exploited in the wild.
Observables
46 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as one of the ransomware or malware operations linked to Fox Tempest-enabled activity.
Claimed it breached Cardinal Services' internal network and stole confidential data.
Named as one of the ransomware groups that used Fox Tempest’s malware-signing-as-a-service to obtain signed malicious code for follow-on attacks, including ransomware.
Ransomware group identified as a consumer of Fox Tempest’s fraudulent code-signing service for malware used in attacks.