Overview

Rhysida is a ransomware operation that emerged in May 2023 and has primarily targeted organisations within the education, healthcare, manufacturing, information technology, and government sectors. Rhysida ransomware operators are known to apply the double extortion tactic, demanding victims to pay a ransom in Bitcoin to regain access to their data and avoid the public disclosure of stolen information.

Notable victims of the Rhysida ransomware operation include the attacks on the Chilean Army and the government of Martinique. The ransomware gang has leaked stolen documents online, including sensitive information from the Chilean Army.

Rhysida ransom notes are written as PDF documents and the ransom is demanded in Bitcoin (BTC). The ransom note provides instructions for victims to visit the threat actor support site on Tor and includes email addresses for communication. Although the variant is still in the early stages of development, Rhysida ransomware operators initially access target networks via phishing operations whereby command-and-control (C2) frameworks, such as Cobalt Strike, are deployed. The malware encrypts user files and appends them with the “.rhysida” extension. Recent intelligence indicates that overlap have emerged between Rhysida and Vice Society (aka Storm-0832 or Vanilla Tempest) ransomware operations.