Threat Actor Profile

Rhysida

Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. Known for its "double extortion" tactics, the group encrypts files and threatens to publicize stolen data if ransoms are not paid. Operating under the guise of a "cybersecurity team," Rhysida primarily targets industries such as healthcare, education, and government.


Country of Origin

Rhysida’s exact origins remain unknown; however, some evidence suggests a link to Russian-speaking threat actors or the CIS region. The group’s infrastructure and tactics are consistent with regions known for advanced cybercriminal activity.

Members

There is limited public information about the specific members within Rhysida. The group likely operates with a networked model typical of RaaS syndicates, leveraging affiliates to expand operations.

Leadership

Specific details about Rhysida’s leadership structure remain undisclosed. Their operations suggest a centralized system, but no identifiable individuals or aliases have been definitively linked to the group.

Rhysida TTPs

Tactics

Rhysida’s primary goal is financial extortion via ransomware deployment. By encrypting data and threatening public exposure, they coerce victims into paying ransom demands, often in Bitcoin.

Techniques

The group uses phishing campaigns and compromised credentials to gain initial access. Tools like Cobalt Strike and PsExec support lateral movement, and data exfiltration is carried out with custom loaders such as CleanUpLoader. The group also relies on evasion techniques, including SEO poisoning and typosquatted domains.

Procedures

Specific methods include deploying PowerShell-based scripts to disable antivirus protections, encrypting files and appending the .rhysida extension, and leaving ransom notes (e.g., "CriticalBreachDetected.pdf") that instruct victims to use Tor-based portals for negotiations.


Indicators of Compromise (IoCs)

Key IoCs linked to Rhysida include:

  • Encrypted file extensions such as .rhysida.

  • Domains resembling legitimate ones but typosquatted.

  • PowerShell scripts disabling endpoint defenses.

  • IPs and domains associated with data exfiltration (tracked in Recorded Future).

Key Victims

Rhysida has targeted a diverse array of sectors, including several high-profile entities such as:

  • British Library (UK) – ~600 GB of data stolen.

  • Chilean Army – Leaked sensitive operational data.

  • City of Columbus, Ohio – Over 3 TB of data released, linked to an unpaid $1.7M ransom demand.

  • Oregon DEQ (USA) – 2.4 TB of employee data leaked.

  • Healthcare providers in the U.S. – Compromising 200k+ patient records, including SSNs and medical information.

Notable Cyberattacks

Some notable examples of Rhysida attacks:

  • 2023 – Attack on the British Library disrupted operations, exposing critical data.

  • July 2024 – Breach of the City of Columbus, Ohio, marked one of their costliest attacks.

  • 2025 – Multiple healthcare providers targeted, with confidential patient information leaked online.

Law Enforcement & Arrests

No arrests have been publicly linked to Rhysida at this time. Law enforcement operations targeting similar RaaS groups highlight a growing global effort to disrupt threat actor operations.



How to Defend Against Rhysida

1. Initial Access Prevention

  • Implement email filtering and phishing defense training.

  • Leverage multi-factor authentication (MFA) across all access points.

2. TTP Detection

  • Monitor unusual behaviors like Cobalt Strike beacons and large data exfiltrations.

  • Use threat intelligence services to detect typosquatted domains.

3. Backup & Recovery

  • Maintain immutable backups and routinely test their restoration.

Huntress services can identify early compromise indicators, ensure detailed forensic logging, and strengthen an organization’s endpoint defenses against sophisticated attacker tactics.

