Get in Touch
Rhysida is a ransomware operation that emerged in May 2023 and has primarily targeted organisations within the education, healthcare, manufacturing, information technology, and government sectors. Rhysida ransomware operators are known to apply the double extortion tactic, demanding victims to pay a ransom in Bitcoin to regain access to their data and avoid the public disclosure of stolen information.
Notable victims of the Rhysida ransomware operation include the attacks on the Chilean Army and the government of Martinique. The ransomware gang has leaked stolen documents online, including sensitive information from the Chilean Army.
Rhysida ransom notes are written as PDF documents and the ransom is demanded in Bitcoin (BTC). The ransom note provides instructions for victims to visit the threat actor support site on Tor and includes email addresses for communication. Although the variant is still in the early stages of development, Rhysida ransomware operators initially access target networks via phishing operations whereby command-and-control (C2) frameworks, such as Cobalt Strike, are deployed. The malware encrypts user files and appends them with the “.rhysida” extension. Recent intelligence indicates that overlap have emerged between Rhysida and Vice Society (aka Storm-0832 or Vanilla Tempest) ransomware operations.
Successful exploitation by Rhysida ransomware will almost certainly result in the encryption and exfiltration of significant quantities of data held on the compromised system, prior to a ransom of a predetermined value being issued. The ransom amount demanded will almost certainly depend on the estimated value of the compromised organisation. Furthermore, such a compromise of data will also result in the organisation incurring a negative reputational impact. Encrypted data may include private customer data, corporate finance data and system credentials that if released can assist threat actors with future attacks.