Rhysida Ransomware Report

Rhysida is a ransomware operation that emerged in May 2023 and has targeted various organisations, including government entities. The threat actors behind Rhysida have claimed responsibility for attacks on the Chilean Army, the government of Martinique, and other targets in different countries. The ransomware gang has leaked stolen documents online, including sensitive information from the Chilean Army.

Rhysida ransom notes are written as PDF documents and the ransom is demanded in Bitcoin (BTC). The ransom note provides instructions for victims to visit the attacker’s support site on Tor and includes email addresses for communication. Although the variant is still in the early stages of development, Rhysida ransomware operators initially access target networks via phishing attacks whereby command-and-control frameworks, such as Cobalt Strike, are deployed. The malware encrypts user files and appends them with the “.rhysida” extension.

Impact

Successful exploitation by Rhysida ransomware will almost certainly result in the encryption and exfiltration of significant quantities of data held on the compromised system, prior to a ransom of a predetermined value being issued. The ransom amount demanded will almost certainly depend on the estimated value of the compromised organisation. Furthermore, such a compromise of data will also result in the organisation incurring a negative reputational impact. Encrypted data may include private customer data, corporate finance data and system credentials that if released can
assist threat actors with future attacks.