Rhysida
Rhysida is a ransomware family and associated ransomware-as-a-service (RaaS) operation first identified in May 2023. The malware encrypts files and steals data, and is used for double extortion: victims are pressured to pay both for a decryption key and to prevent publication or sale of the stolen data. Multiple sources in the content describe Rhysida as targeting organizations across sectors including education and academia, healthcare, manufacturing, information technology, and government, with heavy reporting on healthcare and public-sector victims.
Observed access and deployment methods directly mentioned in the content include phishing, compromise of organizations’ VPNs using stolen or valid credentials, exploitation of external-facing remote services, and use of known vulnerabilities such as CVE-2020-1472 (Zerologon). Rhysida deployment has also been associated with Cobalt Strike or similar frameworks. Cisco Talos assessed Rhysida as one of the ransomware groups with the broadest range of TTPs. Reporting in the content also notes use of living-off-the-land and built-in Windows administration tools, and that Rhysida has been observed alongside signed malware delivery chains involving Oyster/Broomstick, Lumma Stealer, and Vidar through the Fox Tempest malware-signing service; Microsoft specifically noted Fox Tempest enabled deployment of Rhysida by actors such as Vanilla Tempest.
Behaviorally, Rhysida traverses files on local drives (one report states that, when executed, it displays a cmd.exe window while doing so), can lock down targeted systems, and places ransom notes as PDF documents in affected folders. The ransom note is described as a PDF titled "CriticalBreachDetected," containing a unique code and instructions to contact the operators through a TOR-based portal. Victims are instructed to negotiate via a TOR-hosted support/payment site, and the group is described as accepting Bitcoin-only payments. Early sample analysis cited in the content said some common ransomware features, such as Volume Shadow Copy Service removal, were absent, suggesting early-stage development at that time.
The content links Rhysida to numerous high-profile incidents globally, including the British Library attack, where internal HR documents and later a large volume of data were leaked; attacks claimed against the Chilean Army and Martinique; and healthcare-related incidents involving Prospect Medical Holdings, Lurie Children’s Hospital, Spindletop Center, MACT Health Board, and Heart South Cardiovascular Group. The content also states Rhysida was used in attacks that disrupted Seattle-Tacoma International Airport. Rhysida has been used by various actors, and Microsoft and other reporting in the content associate deployment with Vanilla Tempest; Secureworks assessed Rhysida likely emerged from the earlier Gold Victor/Vice Society operation, though the exact identity of the operators is unknown.
High-confidence indicators and artifacts directly mentioned in the content include the ransom note filename/title "CriticalBreachDetected," TOR/.onion victim communication portals, Bitcoin payment demands, and use of PDF ransom notes with unique victim identifiers.
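The ransom-note artifact described above (the PDF named "CriticalBreachDetected" dropped into each affected folder) is the cheapest host-side indicator to hunt for after an incident. The following Python is an added example, not code from the page or from any vendor it cites: it walks a file tree, reports which folders received a note, and uses the earliest note modification time to bound the start of the encryption run for the incident timeline. The directory layout it builds is constructed sample data, not real victim files; the filename match is case-insensitive because the page gives the title but not the exact casing on disk.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note filename the page attributes to Rhysida; matched case-insensitively.
RANSOM_NOTE_NAMES = {"criticalbreachdetected.pdf"}


def find_ransom_notes(root):
    """Walk `root` and return every ransom note found, as Path objects, sorted."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in RANSOM_NOTE_NAMES:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def triage(root):
    """Summarize where notes were dropped and when.

    The earliest note mtime is a useful lower bound for when encryption started,
    since the note is written as each folder is processed.
    """
    root = Path(root)
    hits = find_ransom_notes(root)
    folders = sorted({p.parent.relative_to(root).as_posix() for p in hits})
    earliest = min((p.stat().st_mtime for p in hits), default=None)
    return {"note_count": len(hits), "affected_folders": folders, "earliest_mtime": earliest}


def build_sample_tree():
    """Constructed file tree standing in for a share after an incident (no real data)."""
    root = Path(tempfile.mkdtemp(prefix="rhysida_hunt_"))
    layout = {
        "Finance/CriticalBreachDetected.pdf": b"%PDF-1.4 constructed note\n",
        "Finance/Q3.xlsx": b"encrypted-placeholder",
        "HR/records/criticalbreachdetected.PDF": b"%PDF-1.4 constructed note\n",
        "HR/records/benefits.docx": b"encrypted-placeholder",
        "Public/readme.pdf": b"%PDF-1.4 unrelated document\n",  # decoy: similar but not a note
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Point it at a mounted image or a restored share rather than a live encrypted host where possible; on a live host, run it read-only and record the earliest mtime before anyone restores from backup, since restoration overwrites the timestamps the timeline depends on.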
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
An advisory note from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) last week said the malware, first identified in May 2023, is offered as ransomware as a service to criminal groups, which then share profits with the ransomware owners. | Criminals typically gain access to infected computer systems by using known vulnerabilities, such as Zerologon.
Groups observed using it
10 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Vanilla Tempest ... has frequently targeted sectors, including education, healthcare, IT, and manufacturing, using various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.
US government agencies released an advisory note on Rhysida last week, stating that the “emerging ransomware variant” had been deployed against the education, manufacturing, IT and government sectors since May.
Associated malware includes Rhysida ransomware, Lumma Stealer, Vidar infostealer, and the Oyster (Broomstick) backdoor.
Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.
OysterLoader, also tracked as Broomstick and CleanUp, is a multi-stage loader malware written in C++ and actively leveraged in campaigns linked to the Rhysida ransomware group.
Scattered Spider... aka possibly sometimes BlackCatALPHV or Rhysida... Rhysida (New in Top Variants).
"...the same threat actor deploying Rhysida ransomware against two different organizations..."
X-Force links the group to malware developers/operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware...
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
3 techniques
Attackers then distributed the signed malware through tactics such as search manipulation and malicious ads, where users are more likely to trust what they encounter.
Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.
Initial Access
4 techniques
Attackers have also compromised credentials to access virtual private networks (VPNs), particularly where organisations have failed to enable two-factor authentication by default.
Criminals typically gain access to infected computer systems by using known vulnerabilities, such as ZeroLogon.
From what has been seen so far, it appears a typical infection occurs after a phishing attack.
Execution
1 technique
When unsuspecting victims executed the falsely named Microsoft Teams installer files, those files delivered a malicious loader, which in turn installed the fraudulently signed Oyster malware and ultimately deployed Rhysida ransomware.
Persistence
2 techniques
Attackers have also compromised credentials to access virtual private networks (VPNs), particularly where organisations have failed to enable two-factor authentication by default.
Privilege Escalation
2 techniques
It has often made use of a privilege escalation vulnerability in the Microsoft NetLogon remote protocol in its attack chains – this flaw is known as Zerologon and is tracked as CVE-2020-1472.
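Both the summary and this privilege-escalation entry point at CVE-2020-1472, so a practitioner's next question is what a successful Zerologon exploit looks like in the logs. The Python below is an added example, not code from the page or from any source it quotes. The heuristic it applies is my assumption rather than something the page states: exploitation resets a domain controller's machine-account password over an unauthenticated Netlogon channel, so the resulting Security event 4742 ("a computer account was changed") carries ANONYMOUS LOGON (SID S-1-5-7) as the subject, whereas routine rotation shows the DC changing its own account. The JSON-lines field names follow common EVTX exporters but are assumed, and every sample event is constructed.

```python
import json

ANONYMOUS_SID = "S-1-5-7"  # well-known SID for ANONYMOUS LOGON

# Constructed sample Security events rendered as JSON lines (field names assumed).
SAMPLE_EVENTS = """
{"EventID": 4742, "SubjectUserName": "DC01$", "SubjectUserSid": "S-1-5-18", "TargetUserName": "DC01$", "Computer": "DC01.corp.example"}
{"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "SubjectUserSid": "S-1-5-7", "TargetUserName": "DC01$", "Computer": "DC01.corp.example"}
{"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "IpAddress": "10.10.5.77", "Computer": "DC01.corp.example"}
{"EventID": 4742, "SubjectUserName": "jsmith", "SubjectUserSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "WS042$", "Computer": "DC01.corp.example"}
{"EventID": 4742, "SubjectUserName": "svc_backup", "SubjectUserSid": "S-1-5-21-1-2-3-1200", "TargetUserName": "DC02$", "Computer": "DC02.corp.example"}
"""


def parse_events(text):
    """Parse JSON-lines events; skip blank or malformed lines rather than abort the hunt."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_zerologon(events, dc_accounts):
    """Return alerts for 4742 events consistent with a Zerologon password reset.

    high   : a computer account's password was changed by ANONYMOUS LOGON.
    medium : a DC's machine account was changed by something other than itself
             (DCs rotate their own password; a human or service doing it needs review).
    A helpdesk user resetting a workstation account is left alone.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4742:
            continue
        subject = ev.get("SubjectUserName", "")
        target = ev.get("TargetUserName", "")
        if not target.endswith("$"):
            continue  # not a computer account
        anonymous = ev.get("SubjectUserSid") == ANONYMOUS_SID or subject.upper() == "ANONYMOUS LOGON"
        if anonymous:
            alerts.append({"severity": "high", "target": target, "host": ev.get("Computer"),
                           "reason": "computer account password changed by ANONYMOUS LOGON"})
        elif target in dc_accounts and subject != target:
            alerts.append({"severity": "medium", "target": target, "host": ev.get("Computer"),
                           "reason": f"DC account changed by {subject}, not by itself"})
    return alerts


if __name__ == "__main__":
    for alert in detect_zerologon(parse_events(SAMPLE_EVENTS), {"DC01$", "DC02$"}):
        print(alert)
```

The list of DC machine accounts is the only environment-specific input; pull it from your directory rather than hard-coding it, and treat the medium alert as a triage prompt, since legitimate account resets by an admin do happen.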
Stealth
3 techniques
The signed files often impersonated trusted software brands such as Microsoft Teams, AnyDesk, PuTTY, and Webex, making them appear more credible to potential victims.
Attackers have also compromised credentials to access virtual private networks (VPNs), particularly where organisations have failed to enable two-factor authentication by default.
Rhysida typically uses “living off the land” techniques to exploit network administration tools built into the Windows operating system. This allows attackers to evade detection by blending in with normal network activities.
Defense Impairment
2 techniques
The operation enabled cybercriminals to sign malicious software with fake trusted certificates, making it appear legitimate and easier to distribute.
Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.
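The Stealth and Defense Impairment entries above describe the same trick from two angles: binaries that name-drop Microsoft Teams, AnyDesk, PuTTY or Webex while carrying a valid but short-lived certificate issued to someone else. The Python below is an added example, not code from the page or from Microsoft, that triages an inventory of signature metadata (the kind of output a tool such as sigcheck or Get-AuthenticodeSignature produces; the record layout here is assumed). It scores a binary as suspicious only when the claimed product's expected publisher does not match the signer, because a short certificate lifetime on its own is also how legitimate cloud signing services issue certificates. The expected-publisher allowlist is an assumption and should be rebuilt from known-good binaries in your own environment; all inventory records are constructed.

```python
from datetime import datetime, timedelta

# Assumed allowlist: which signer subject you expect for each product brand you run.
# Build it from known-good installers in your environment; these entries are illustrative.
EXPECTED_SIGNER = {
    "microsoft teams": "Microsoft Corporation",
    "anydesk": "AnyDesk Software GmbH",
}
SHORT_LIVED = timedelta(days=7)  # assumed threshold for "short-lived" certificate

# Constructed inventory: one record per binary, fields as an export tool might emit them.
SAMPLE_INVENTORY = [
    {"file": "TeamsSetup.exe", "product_name": "Microsoft Teams", "signer_subject": "Microsoft Corporation",
     "status": "Valid", "not_before": datetime(2024, 1, 10), "not_after": datetime(2025, 1, 9)},
    {"file": "MSTeamsSetup_x64.exe", "product_name": "Microsoft Teams", "signer_subject": "Northwind Dev Tools Ltd",
     "status": "Valid", "not_before": datetime(2025, 3, 1), "not_after": datetime(2025, 3, 4)},
    {"file": "AnyDesk.exe", "product_name": "AnyDesk", "signer_subject": "AnyDesk Software GmbH",
     "status": "Valid", "not_before": datetime(2023, 6, 1), "not_after": datetime(2025, 6, 1)},
    {"file": "putty.exe", "product_name": "PuTTY suite", "signer_subject": "Contoso Signing Customer",
     "status": "Valid", "not_before": datetime(2025, 3, 2), "not_after": datetime(2025, 3, 5)},
    {"file": "update.exe", "product_name": "Updater", "signer_subject": "",
     "status": "NotSigned", "not_before": None, "not_after": None},
]


def _brand_of(product_name):
    """Map a version-resource ProductName to an allowlisted brand, if it claims one."""
    lowered = product_name.lower()
    for brand in EXPECTED_SIGNER:
        if brand in lowered:
            return brand
    return None


def assess(record):
    """Score one binary. Returns (verdict, reasons) with verdict in ok/review/suspicious."""
    reasons = []
    brand = _brand_of(record["product_name"])
    signer = record["signer_subject"]
    if record["status"] != "Valid":
        reasons.append(f"signature status {record['status']}")
    publisher_mismatch = brand is not None and signer != EXPECTED_SIGNER[brand]
    if publisher_mismatch:
        reasons.append(f"claims {brand!r} but is signed by {signer!r}")
    nb, na = record.get("not_before"), record.get("not_after")
    if nb and na and (na - nb) <= SHORT_LIVED:
        reasons.append(f"certificate valid for only {(na - nb).days} day(s)")
    # Wrong publisher for a claimed brand is the strong signal; anything else is a review item.
    if publisher_mismatch:
        return "suspicious", reasons
    return ("review" if reasons else "ok"), reasons


def hunt(inventory):
    """Return {file: (verdict, reasons)} for every binary that is not plainly ok."""
    findings = {}
    for record in inventory:
        verdict, reasons = assess(record)
        if verdict != "ok":
            findings[record["file"]] = (verdict, reasons)
    return findings


if __name__ == "__main__":
    for name, (verdict, reasons) in hunt(SAMPLE_INVENTORY).items():
        print(f"{verdict:<10} {name}: {'; '.join(reasons)}")
```

The check deliberately keys on the product name the binary claims for itself, not on the filename, since a renamed installer still carries its version resource; extend EXPECTED_SIGNER to every brand your users download, or the brand check silently degrades to the weaker short-lifetime review.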
Lateral Movement
1 technique
Criminals typically gain access to infected computer systems by using known vulnerabilities, such as ZeroLogon.
Collection
1 technique
To prove its claim, MACT posted sample images of what it says are documents stolen from MACT. They include several passport scans, among other documents.
Exfiltration
4 techniques
Rhysida said it stole the personal records of 100,000 people. To prove its claim, the ransomware group posted sample images of what it says are documents stolen from Spindletop.
The library confirmed that personal data stolen in a cyber-attack last month has appeared for sale online.
Rhysida, a highly evolved ransomware variant that both encrypts files and steals data, often used for double extortion...
Rhysida listed MACT on its data leak site yesterday with a ransom demand of eight bitcoin... To prove its claim, MACT posted sample images of what it says are documents stolen from MACT.
Impact
2 techniques
Rhysida is a ransomware group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected systems.
Groups using the malware engage in “double extortion” by demanding a ransom payment to decrypt victims’ data and threatening to publish the data unless a ransom is paid.
IOCs tracked for this family
27 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
82 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware deployed via Fox Tempest's malware-signing-as-a-service operation; signed binaries helped it masquerade as legitimate software and evade security controls.
Ransomware payload whose malicious files were signed via the Fox Tempest service to appear legitimate and evade security controls.
A ransomware family explicitly linked to Fox Tempest-signed malware and real-world intrusions.
Ransomware used in campaigns supported by Fox Tempest's malware-signing-as-a-service, which helped signed malicious binaries appear legitimate.