Rhysida

Rhysida is a ransomware-as-a-service (RaaS) operation that emerged in May 2023, quickly establishing itself as a significant threat to organizations worldwide. The group operates a double extortion model, encrypting victim data while simultaneously exfiltrating sensitive information to leverage for ransom payments. Rhysida has demonstrated a particular focus on critical infrastructure sectors, including healthcare, education, government organizations, and manufacturing. The group maintains an active data leak site on the dark web where they auction stolen data from victims who refuse to pay ransoms, typically setting 7-day auction periods. Rhysida has been linked to several high-profile attacks, including the British Library breach in October 2023, attacks on multiple healthcare organizations across the United States, the Chilean Army in 2023, and Prospect Medical Holdings affecting multiple hospitals. Rhysida's ransomware is written in C++ and uses ChaCha20 for file encryption combined with RSA-4096 for key encryption. The group typically gains initial access through exploiting known vulnerabilities in public-facing applications (particularly VPN and remote access services), phishing campaigns, and purchasing access from initial access brokers. Their operations show tactical overlaps with Vice Society, leading some researchers to suspect potential connections, shared tooling, or rebranded operations between the groups. The ransomware appends the .rhysida extension to encrypted files and drops a PDF ransom note named CriticalBreachDetected.pdf.