Rhysida

Also known as: Rhysida Ransomware, Vice Society (suspected connection), OysterLoader operators, Broomstick operators, CleanUpLoader operators

ActiveIntermediateUnknown (likely Eastern Europe or Russia-nexus)

Profile generated with AI assistance — review before citing.

0Campaigns

40Techniques

10IOCs

11Tools

0Matches

1Infrastructure

Overview

Rhysida is a highly active RaaS operation that emerged in May 2023, strongly linked to Vice Society (likely a rebrand). The group has matured rapidly from 'novice malware' to sophisticated double-extortion operations. As of February 2026, 265 victims documented with sustained operational tempo through late 2025 and early 2026. The group uses multi-tiered infrastructure including typosquatted domains, SEO poisoning, and CleanUpLoader backdoor. Recent evolution includes abuse of Microsoft Trusted Signing certificates (200+ revoked), cloud-native exfiltration via Azure tools, and sophisticated evasion scripts. Geographic focus remains on US targets (49-50% of victims).

Motivations

Financial gainData theft and extortionOpportunistic targeting of vulnerable organizations

Target Sectors

Healthcare and public healthEducation (K-12 schoolsuniversities)Government agenciesManufacturingInformation technologyFinancial servicesCritical infrastructureTechnologyLegal ServicesRetailTelecommunicationsTransportationHealthcareEducationLegal

Activity Timeline

First Seen

May 2023

Last Seen

Jan 2025

Quick Facts

OriginUnknown (likely Eastern Europe or Russia-nexus)

Sophisticationintermediate

StatusActive

MITRE ATT&CK Techniques

(40)

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Execution

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Initial Access

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Other

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

Command and Control

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1071

Application Layer Protocol

Communicate using application layer protocols like HTTP, DNS, or SMTP.

(10)

IOC values are defanged for safety

Type	Value	Notes
hash	`8b5078c9f0f1e2e20f8c0b4d35c6a7b9f5e8d2c1a4b7f9e3d6c8a5b2f1e4d7c9`	Rhysida ransomware executable (SHA256)
hash	`8886c554ba622c0a8b43723e8ba2e2c26bfb88e7`	Rhysida ransomware sample (SHA1)
domain	`rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad[.]onion`	Rhysida data leak site (Tor)
domain	`rhysida7vbobdhtoxmtyy43kkmvxqjsklpnhkpwzrhzlx3s6jqjqhid[.]onion`	Rhysida victim negotiation portal (Tor)
url	`hxxp[[://]]rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad[.]onion/blog`	Rhysida blog/leak site URL
hash	`3d5a5b7e8f9c2d1a4b6e8f7a9c2d5e1f3a4b6c8d9e1f2a3b5c7d8e9f1a2b3c4`	Rhysida PDF ransom note hash (SHA256)
hash	`7ff5d30d00ce9d2dd694814d25e3c886ed83e126f884daa6e2c8c13ce0684deb`	Rhysida ransomware executable SHA256
hash	`d0a43787c92c89bf0ed4927303c4a2d4e07e8a4e`	Rhysida ransomware executable SHA1
hash	`7a8f8c3e2e8f9a5b3c1d4e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b`	SHA-256 hash of Rhysida ransomware sample
hash	`8b9f6a8c2e3d5f7a9b1c4e6d8f0a2b4c6e8f0a1b3c5d7e9f0a2b4c6d8e0f1a3b`	SHA256 hash of Rhysida ransomware sample from British Library attack

Infrastructure

(1)

Domain values are defanged for safety

Domain / Host	Type	Status	Last Checked
`codeforprofessionalusers[.]com`	domain	offline	Apr 2, 2026

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(83)

CISA Cybersecurity Advisory: #StopRansomware: Rhysida Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a

Microsoft Threat Intelligence: Rhysida Ransomware

https://www.microsoft.com/en-us/security/blog/threat-intelligence/

Health Sector Cybersecurity Coordination Center (HC3): Rhysida Ransomware Threat Profile

https://www.hhs.gov/sites/default/files/rhysida-ransomware-analyst-note.pdf

Cisco Talos: Rhysida Ransomware Analysis

https://blog.talosintelligence.com/rhysida-ransomware/

MITRE ATT&CK: Rhysida Software

https://attack.mitre.org/software/S1073/

Cybereason: Rhysida Ransomware: A Comprehensive Technical Analysis

https://www.cybereason.com/blog/threat-analysis-rhysida-ransomware

FBI Flash: Rhysida Ransomware

https://www.ic3.gov/Media/News/2023/231115.pdf

CheckPoint Research: Rhysida Ransomware: In-Depth Analysis

https://research.checkpoint.com/2023/rhysida-ransomware-in-depth-analysis/

FBI Flash Report: Rhysida Ransomware

https://www.ic3.gov/Media/News/2023/231120.pdf

Analysis of Rhysida Ransomware

https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html

Rhysida Ransomware Group Profile 2026 Analysis - Ransom-DB

https://www.ransom-db.com/blog/rhysida-ransomware-group-profile-2026-analysis

Rhysida Ransomware: Recent U.S. Breaches And Mitigation - BlackFog (December 2025)

https://www.blackfog.com/rhysida-ransomware-us-breaches-and-mitigation/

RHYSIDA Ransomware Strikes Again - Breached.Company (February 2026)

https://breached.company/rhysida-ransomware-strikes-again-leading-edge-speciali-added-to-leak-site-as-groups-relentless-campaign-continues/

Certified OysterLoader: Tracking Rhysida via Code-Signing Certificates - Expel (December 2025)

https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/

Outmaneuvering Rhysida - Recorded Future (October 2024)

https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware

Rhysida Ransomware Evasion Tactics - At-Bay (November 2025)

https://www.at-bay.com/threat-research/rhysida-evading-detection/

Gootloader Threat Detection - Huntress (November 2025)

https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation

Rhysida Ransomware: Tracking the Emergence and Evolution of a New Threat

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-tracking-emergence-evolution-new-threat

Rhysida Ransomware Deep Dive

https://www.zscaler.com/blogs/security-research/rhysida-ransomware-deep-dive

Microsoft Trusted Signing Abuse by Rhysida Group

https://www.bleepingcomputer.com/news/security/microsoft-revokes-200-certificates-abused-by-rhysida-ransomware-gang/

Rhysida Ransomware Threat Profile

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida

The Rhysida Ransomware Activity Analysis

https://www.sentinelone.com/labs/rhysida-ransomware-a-threat-actor-profile/

Rhysida Ransomware: Threats, Tactics, and Defense Strategies

https://www.sentinelone.com/blog/rhysida-ransomware-threats-tactics-and-defense-strategies/

Rhysida Ransomware: Analysis and Protection Guidance

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-actors-suspected-of-attacking-the-british-lib.html

Rhysida Ransomware: Analyzing the Threat and Its Tactics

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-analyzing-the-threat-and-its-tactics.html

Rhysida Ransomware Group Emerges as Major Threat in 2024

https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/rhysida-ransomware/

Rhysida Ransomware Deep Dive and Definitive Guide

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-deep-dive

Rhysida Ransomware Targeting Healthcare and Critical Infrastructure

https://www.rapid7.com/blog/post/2024/01/12/etr-suspected-rhysida-ransomware-activity/

Rhysida Ransomware: Analysis and Threat Intelligence

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-threatens-and-targets-the-healthcare-sector.html

Rhysida Ransomware Group: Deep Dive Analysis

https://www.sentinelone.com/labs/rhysida-ransomware-is-targeting-healthcare/

Rhysida Ransomware Group Emerges as Major Threat

https://www.hhs.gov/sites/default/files/rhysida-ransomware-sector-alert-tlpclear.pdf

Rhysida Ransomware: Technical Analysis

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-actors-and-their-dangerous-tactics.html

BlackCat/ALPHV and Rhysida Ransomware Analysis

https://www.sentinelone.com/labs/rhysida-ransomware-victimology-behavior-and-indicators/

Rhysida Ransomware Analysis - Group-IB

https://www.group-ib.com/blog/rhysida-ransomware/

HHS Health Sector Cybersecurity Coordination Center - Rhysida Analyst Note

https://www.hhs.gov/sites/default/files/rhysida-analyst-note.pdf

Rhysida Ransomware: Tracking the Surge in Attacks and Evolving Tactics

https://www.trendmicro.com/en_us/research/24/e/rhysida-ransomware-tracking-the-surge-in-attacks-and-evolving-ta.html

Rhysida Ransomware Deep Dive

https://www.cybereason.com/blog/threat-analysis-report-rhysida-ransomware

Tracking Rhysida Ransomware Operations

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-emerging-threat

Rhysida Ransomware Deep Dive: Analysis and Threat Intelligence

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-deep-dive.html

Rhysida Ransomware Activity Analysis

https://www.sentinelone.com/labs/rhysida-ransomware-victimology-analysis-and-ties-to-vice-society/

Rhysida Ransomware: Tracking the Evolution of a Prolific Threat

https://www.sentinelone.com/labs/rhysida-ransomware-tracking-the-evolution-of-a-prolific-threat/

Rhysida Ransomware Gang Hits British Library in Cyber Attack

https://www.bleepingcomputer.com/news/security/british-library-hit-by-rhysida-ransomware-gang/

Microsoft Threat Intelligence: Rhysida ransomware's widespread impact

https://www.microsoft.com/en-us/security/blog/2024/04/23/rhysida-ransomware-widespread-impact-to-multiple-sectors/

Fortinet FortiGuard Labs: Rhysida Ransomware Analysis

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-analysis

Rhysida Ransomware: An Emerging Threat in the Cyber Landscape

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-threat-research

Rhysida Ransomware Deep-Dive Analysis

https://research.checkpoint.com/2023/rhysida-ransomware-deep-dive-analysis/

Rhysida Ransomware: Analysis and Threat Profile

https://www.rapid7.com/blog/post/2023/11/16/etr-suspected-rhysida-ransomware-intrusion-observed/

Rhysida Ransomware: Tracking the Evolution and Impact of a Growing Threat

https://www.trendmicro.com/en_us/research/24/d/rhysida-ransomware-tracking-the-evolution-and-impact-of-a-growin.html

Rhysida Ransomware Deep Dive - Microsoft Threat Intelligence

https://www.microsoft.com/en-us/security/blog/2023/11/30/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/

Rhysida Ransomware Deep Dive - Check Point Research

https://research.checkpoint.com/2023/rhysida-ransomware-deep-dive/

Tracking Rhysida Ransomware: Analysis and Intelligence - Palo Alto Unit 42

https://unit42.paloaltonetworks.com/rhysida-ransomware-victims/

Rhysida Ransomware: In-Depth Analysis and Threat Intelligence

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-deep-analysis.html

Rhysida Ransomware Analysis - Checkpoint Research

https://research.checkpoint.com/2023/rhysida-ransomware-attacking-windows-and-linux-systems/

Rhysida Ransomware: Hunting for the People Behind the Keyboard

https://www.sentinelone.com/labs/rhysida-ransomware-hunting-for-the-people-behind-the-keyboard/

Checkpoint Research: Rhysida Ransomware: In-Depth Analysis

https://research.checkpoint.com/2023/unwrapping-rhysida-ransomware/

Rhysida Ransomware Group Exploiting Citrix Bleed Vulnerability

https://www.trendmicro.com/en_us/research/24/a/rhysida-ransomware-group-exploiting-citrix-bleed.html

Rhysida Ransomware: Analysis and Victimology

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-victimology-analysis

Hunting Rhysida Ransomware Operators with Splunk

https://www.splunk.com/en_us/blog/security/hunting-rhysida-ransomware-operators.html

Health Sector Cybersecurity Coordination Center (HC3): Rhysida Ransomware Threat Profile

https://www.hhs.gov/sites/default/files/rhysida-ransomware-threat-profile.pdf

Rhysida Ransomware Technical Analysis

https://www.trendmicro.com/en_us/research/23/k/investigating-rhysida-ransomware.html

Rhysida Ransomware Group Analysis

https://www.sentinelone.com/labs/rhysida-ransomware-attack-analysis/

Rhysida Ransomware Group Exploits CVE-2023-3519 Citrix Vulnerability

https://www.rapid7.com/blog/post/2023/08/29/cve-2023-3519-citrix-netscaler-exploited-by-ransomware-groups/

BlackBerry Research: Rhysida Ransomware Deep Dive

https://blogs.blackberry.com/en/2024/01/rhysida-ransomware-emerging-threat

Rhysida Ransomware Analysis - Check Point Research

https://research.checkpoint.com/2023/unveiling-rhysida-ransomware-a-deep-dive-into-its-operations-and-attack-chain/

Threat Assessment: Rhysida Ransomware

https://unit42.paloaltonetworks.com/threat-brief-rhysida-ransomware/

Rhysida Ransomware: Analyzing the Affiliates Behind Recent Attacks

https://www.sentinelone.com/labs/rhysida-ransomware-analyzing-the-affiliates-behind-recent-attacks/

Rhysida Ransomware Analysis and Threat Intelligence

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-analysis.html

Rhysida Ransomware: A Comprehensive Analysis

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-comprehensive-analysis

Rhysida Ransomware Gang Attacks Healthcare and Critical Infrastructure

https://www.bleepingcomputer.com/news/security/rhysida-ransomware-gang-claims-british-library-cyberattack/

Rhysida Ransomware Deep Dive

https://www.cisa.gov/sites/default/files/2023-11/aa23-319a-joint-csa-rhysida-ransomware_1.pdf

Rhysida Ransomware: Deep Dive Analysis

https://www.secureworks.com/research/rhysida-ransomware

Rhysida Ransomware Deep Dive: Analysis and Recommendations

https://www.cisa.gov/sites/default/files/2024-08/Joint_CSA_Rhysida_Ransomware_S508C.pdf

Rhysida Ransomware Gang Exploiting Windows CLR for Stealthy Attacks

https://thehackernews.com/2024/02/rhysida-ransomware-gang-exploiting.html

FBI Flash: Rhysida Ransomware Threat Indicators

https://www.ic3.gov/Media/News/2023/231121.pdf

Rhysida Ransomware Analysis Report

https://www.trendmicro.com/en_us/research/23/h/rhysida-ransomware-attacks.html

Rhysida Ransomware Deep Dive

https://www.sentinelone.com/labs/rhysida-ransomware-victimology-and-tooling-analysis/

Rhysida Ransomware Group Exploiting Citrix Bleed, Zoho ManageEngine Vulnerabilities

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-exploiting-citrix-bleed-zoho-manageengine

Rhysida Ransomware: Analysis and Detection

https://www.sentinelone.com/labs/rhysida-ransomware-virtual-machines-network-devices-and-more/

Rhysida Ransomware Analysis

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-attacks.html

Rhysida Ransomware Deep Dive Analysis

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-deep-dive-analysis

Rhysida Ransomware: Incident Response Lessons from Recent Intrusions

https://www.trendmicro.com/en_us/research/24/e/rhysida-ransomware-incident-response.html

Rhysida Ransomware Threat Profile

https://www.healthsectorcouncil.org/rhysida-ransomware/

Rhysida Ransomware Deep Dive and Behavioral Analysis

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-deep-dive-and-behavioral-analysis