Rhysida
Rhysida is a Ransomware-as-a-Service (RaaS) group that emerged in May 2023, known for double extortion attacks targeting sectors like healthcare and education, and has ties to the notorious Vice Society ransomware group.
The Origin of Rhysida
Rhysida ransomware was first observed in May 2023 and has quickly established itself as a prominent Ransomware-as-a-Service (RaaS) group. Known for targeting critical sectors, Rhysida has been linked to attacks against major institutions like the Chilean Army and Prospect Medical Holdings, which impacted 17 hospitals and 166 clinics in the U.S. The group presents itself as a “cybersecurity team” while engaging in double extortion: encrypting data and threatening to leak it publicly unless a ransom is paid. There are growing links between Rhysida and the Vice Society ransomware group, as technical and operational similarities have been observed.
Their name, "Rhysida," is derived from a type of centipede, symbolizing their stealthy and multi-legged approach to cyber attacks.
Targets
Rhysida's Targets
Countries targeted by Rhysida
Active primarily in North America, Europe, and Australia, Rhysida has targeted organizations in countries such as the United States, Italy, Spain, and the United Kingdom. Their attacks have extended across various industries, reflecting their global reach.
Image source: SOCradar
Industries targeted by Rhysida
Rhysida primarily targets the education, healthcare, government, and manufacturing sectors, exploiting the vulnerabilities in critical institutions. These attacks have often led to operational disruptions and significant financial and data losses.
Image source: Trend Micro
Industries targeted by Rhysida
Rhysida primarily targets the education, healthcare, government, and manufacturing sectors, exploiting the vulnerabilities in critical institutions. These attacks have often led to operational disruptions and significant financial and data losses.
Image source: Trend Micro
Rhysida's Victims
In addition to attacking the Chilean Army, Rhysida has targeted the healthcare sector, including an attack on Prospect Medical Holdings. Additionally, they are responsible for breaching several educational institutions, including incidents involving the University of West Scotland.
Image source: Trend Micro
Attack Method
Rhysida's Attack Method
Rhysida actors gain access via compromised credentials or phishing, using external-facing services such as VPNs without multi-factor authentication (MFA). Exploits such as the Zerologon vulnerability (CVE-2020-1472) have also been used.
The attackers escalate privileges using tools like ntdsutil.exe to extract domain credentials. They have been observed targeting the NTDS database for domain-wide password changes.
Rhysida frequently uses PowerShell and PsExec to clear event logs and delete forensic artifacts, such as recently accessed files and folders, RDP logs, and PowerShell history.
The group employs credential dumping tools like secretsdump to extract credentials from compromised systems. These credentials allow the attackers to escalate privileges and further their control within the network.
Rhysida operators use native tools like ipconfig, whoami, and net commands to conduct reconnaissance within the victim environment.
Remote services such as RDP and SSH via PuTTY are used for lateral movement. PsExec is frequently deployed for the final ransomware payload distribution.
Before executing the ransomware payload, the attackers gather critical data, preparing it for encryption or exfiltration as part of their double extortion strategy.
Rhysida's payload is deployed using PsExec, and data is encrypted using 4096-bit RSA and ChaCha20 encryption algorithms. The .rhysida extension is added to all encrypted files.
The group uses double extortion, exfiltrating sensitive data to threaten public disclosure if ransoms are not paid.
Rhysida’s operations typically culminate in severe disruptions, data encryption, and demands for Bitcoin payments, often amounting to millions.
Initial Access
Rhysida actors gain access via compromised credentials or phishing, using external-facing services such as VPNs without multi-factor authentication (MFA). Exploits such as the Zerologon vulnerability (CVE-2020-1472) have also been used.
Privilege Escalation
The attackers escalate privileges using tools like ntdsutil.exe to extract domain credentials. They have been observed targeting the NTDS database for domain-wide password changes.
Defense Evasion
Rhysida frequently uses PowerShell and PsExec to clear event logs and delete forensic artifacts, such as recently accessed files and folders, RDP logs, and PowerShell history.
Credential Access
The group employs credential dumping tools like secretsdump to extract credentials from compromised systems. These credentials allow the attackers to escalate privileges and further their control within the network.
Discovery
Rhysida operators use native tools like ipconfig, whoami, and net commands to conduct reconnaissance within the victim environment.
Lateral Movement
Remote services such as RDP and SSH via PuTTY are used for lateral movement. PsExec is frequently deployed for the final ransomware payload distribution.
Collection
Before executing the ransomware payload, the attackers gather critical data, preparing it for encryption or exfiltration as part of their double extortion strategy.
Execution
Rhysida's payload is deployed using PsExec, and data is encrypted using 4096-bit RSA and ChaCha20 encryption algorithms. The .rhysida extension is added to all encrypted files.
Exfiltration
The group uses double extortion, exfiltrating sensitive data to threaten public disclosure if ransoms are not paid.
Impact
Rhysida’s operations typically culminate in severe disruptions, data encryption, and demands for Bitcoin payments, often amounting to millions.
MITRE ATT&CK Mapping
TTPs used by Rhysida
TA0001: Initial Access
T1566
Phishing
T1190
Exploit Public-Facing Application
TA0002: Execution
T1059
Command and Scripting Interpreter
TA0003: Persistence
No items found.
TA0004: Privilege Escalation
No items found.
TA0005: Defense Evasion
T1070
Indicator Removal
TA0006: Credential Access
T1528
Steal Application Access Token
T1003
OS Credential Dumping
TA0007: Discovery
No items found.
TA0008: Lateral Movement
T1021
Remote Services
TA0009: Collection
No items found.
TA0011: Command and Control
No items found.
TA0010: Exfiltration
No items found.
TA0040: Impact
T1657
Financial Theft
Platform Detections
How to Detect Rhysida with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.
FAQs
What is Rhysida ransomware?
Rhysida is a Ransomware-as-a-Service group using double extortion to encrypt and exfiltrate data, targeting sectors like healthcare and education.
When did Rhysida first emerge?
The group was first observed in May 2023.
What industries does Rhysida target?
It primarily focuses on education, healthcare, manufacturing, government, and IT sectors.
What countries are affected by Rhysida?
The group has been most active in the U.S., U.K., Italy, and Spain.
How does Rhysida gain access to networks?
Rhysida actors gain access through phishing or exploiting vulnerabilities in external-facing services, often leveraging weak or stolen credentials.
What encryption methods does Rhysida use?
The group uses 4096-bit RSA and ChaCha20 encryption algorithms to lock victims' data.
Is there a link between Rhysida and Vice Society?
There are notable similarities between the TTPs of Rhysida and Vice Society, suggesting a possible operational overlap.
How can organizations protect against Rhysida?
Organizations should implement MFA, patch known vulnerabilities, and ensure robust backup and recovery systems.
How does Rhysida avoid detection?
The group uses techniques like clearing event logs, deleting artifacts, and hiding activity through PowerShell.
What steps should be taken after a Rhysida attack?
Organizations should isolate affected systems, preserve forensic evidence, report the incident to law enforcement, and avoid paying the ransom if possible. Implementing robust security measures, such as NDR and network segmentation, is also recommended.