Background
Rhysida ransomware emerged in May 2023 and quickly established itself as a significant threat, drawing immediate attention for high-profile attacks on healthcare providers, government agencies, and military organizations. Security researchers at Check Point noted strong behavioral and targeting overlaps with the defunct Vice Society ransomware group, suggesting Rhysida may represent Vice Society's rebrand or a splinter group formed by former Vice Society operators.
Rhysida operates as a Ransomware-as-a-Service (RaaS) platform, though with a smaller and more curated affiliate base than large-scale RaaS operations. The group's leak site, styled with a centipede logo (referencing the Rhysida centipede genus), publishes victim data for purchase by any bidder rather than providing it freely — an unusual monetization model that treats stolen data as a revenue stream independent of ransom payment. CISA and FBI issued a joint advisory in November 2023 warning of Rhysida's opportunistic targeting across multiple sectors, with particular attention to its impact on healthcare and government.
The November 2023 Intezer analysis revealed a critical vulnerability in Rhysida's implementation of the ChaCha20 encryption algorithm — specifically, the use of a time-based seed for random number generation, which allowed researchers to develop a decryptor. Avast and Korean authorities subsequently released free decryptors. This cryptographic weakness indicates that the group's developers had insufficient cryptographic expertise, despite the operation's otherwise sophisticated tradecraft.
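The seed weakness described above, as an added illustration rather than Rhysida's, Intezer's or any decryptor's code: the key is derived from a non-cryptographic PRNG seeded with a timestamp, so its effective entropy is the number of seconds an analyst has to try, not 256 bits. The cipher here is a SHA-256 counter-mode toy standing in for ChaCha20, the PRNG is Python's Mersenne Twister, and every function name and sample value is constructed for the example.

```python
"""Why a time-seeded PRNG undoes an otherwise strong cipher.

Added illustration, not Rhysida's code: the cipher is a SHA-256 counter-mode
toy (not ChaCha20) and the PRNG is Python's Mersenne Twister. Only the
structure matters: if the key is a pure function of a timestamp, the key's
effective entropy is the width of the time window, not 256 bits.
"""
import hashlib
import random
import secrets

KEY_LEN = 32  # 256-bit key, the size ChaCha20 uses


def weak_key_from_time(unix_seconds: int) -> bytes:
    """Key derived from a non-cryptographic PRNG seeded with wall-clock time.
    Deterministic: any party that can guess the second recovers the key."""
    rng = random.Random(unix_seconds)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key() -> bytes:
    """Key drawn from the OS CSPRNG: there is no seed to enumerate."""
    return secrets.token_bytes(KEY_LEN)


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (stand-in for ChaCha20's block function)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Stream encryption and decryption are the same XOR operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_weak_key(ciphertext: bytes, known_prefix: bytes,
                     t_start: int, t_end: int):
    """Analyst-side recovery, the kind of search a free decryptor can afford:
    bound the encryption time (file modification times, ransom note drop time),
    then try every second in that window against a known file header such as
    the magic bytes of a PDF. Returns (timestamp, key) or None."""
    for t in range(t_start, t_end + 1):
        key = weak_key_from_time(t)
        if xor_crypt(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return t, key
    return None


if __name__ == "__main__":
    # Constructed sample: a "file" encrypted at a known second.
    encrypted_at = 1700000000
    plaintext = b"%PDF-1.7 constructed sample document body"
    ciphertext = xor_crypt(weak_key_from_time(encrypted_at), plaintext)
    # The analyst only knows the hour, not the second: 3601 candidates.
    found = recover_weak_key(ciphertext, b"%PDF-1.",
                             encrypted_at - 1800, encrypted_at + 1800)
    print("recovered" if found and found[0] == encrypted_at else "not found")
```

The contrast is the whole lesson: `strong_key()` has no equivalent of `recover_weak_key()` because there is nothing to enumerate, which is why a correctly seeded ChaCha20 deployment would have left victims with no free decryptor.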
Notable Campaigns
Prospect Medical Holdings (2023) — Rhysida attacked Prospect Medical Holdings, affecting 16 hospitals and 166 clinics across Connecticut, California, Pennsylvania, and Rhode Island. The attack disrupted electronic health records, forcing hospitals to revert to paper-based processes for an extended period. Patient diversions, procedure cancellations, and delayed care resulted from the incident. Prospect Medical declared the attack the most significant cybersecurity incident in its history.
Chilean Army (2023) — Rhysida compromised the Chilean Army (Ejército de Chile) and exfiltrated approximately 360,000 documents including sensitive military records, internal correspondence, and operational information. The attack on a NATO partner-adjacent military organization was one of the most sensitive government/military breaches in the group's portfolio.
British Library (October 2023) — Rhysida conducted a devastating attack on the British Library, one of the world's largest libraries and a UK national institution. The group exfiltrated 600 gigabytes of data, publishing a portion on their leak site. The attack caused months of service disruption, affecting research access for scholars globally. Recovery costs exceeded £6 million.
Singing River Health System (2023) — Rhysida attacked this Mississippi-based health system, affecting three hospitals. The breach exposed personal health information of nearly 900,000 patients, triggering major breach notification obligations and multiple class-action lawsuits.
Tactics, Techniques & Procedures
Initial Access via Phishing and Credential Compromise — Rhysida affiliates primarily use phishing emails (T1566.001) and compromised credentials for VPN and RDP access (T1078, T1133). The group has also exploited internet-facing vulnerabilities in remote access infrastructure. Initial access is sometimes purchased from initial access brokers.
Living-Off-the-Land Emphasis — Rhysida demonstrates a strong preference for legitimate Windows tools to reduce malware artifact footprint. PsExec for remote execution, PowerShell for scripting, ntdsutil for Active Directory database dumping, and Windows administrative shares for lateral movement are used throughout operations. This approach reduces detection signatures and complicates forensic reconstruction.
Active Directory Compromise — Rhysida prioritizes obtaining Active Directory credentials to enable domain-wide operations. Mimikatz and ntdsutil (to dump the NTDS.dit database) are used for credential harvesting. Domain Administrator credentials enable GPO-based ransomware deployment across all domain-joined systems simultaneously.
Ransomware and Exfiltration — Rhysida ransomware uses ChaCha20 with RSA-4096 for encryption (with the noted cryptographic weakness in some versions). Files receive a .rhysida extension. Shadow copies are deleted before encryption. Rclone handles data exfiltration before encryption, with stolen data published on the Rhysida Tor site for bidder purchase.
Tools & Malware
- Rhysida Ransomware — A 64-bit Windows ransomware executable using ChaCha20 encryption with RSA-4096 key wrapping. Early versions contained a time-based RNG vulnerability enabling decryption. Appends .rhysida extension and drops a ransom note (CriticalBreachDetected.pdf, themed as a security alert). Targets all connected drives and accessible network shares.
- PsExec — Sysinternals tool used extensively for remote command execution and lateral movement without deploying additional agent software.
- ntdsutil — A Microsoft-provided Active Directory management utility repurposed to create IFM (Install From Media) copies of the NTDS.dit database, enabling offline credential extraction from the entire domain.
- Cobalt Strike — Post-exploitation framework used by some Rhysida affiliates for C2 and lateral movement coordination.
- PortScan — A network port scanning tool used for internal reconnaissance and service enumeration.
- Rclone — Used for pre-encryption data exfiltration to cloud storage or attacker-controlled file hosting.
- AnyDesk — Legitimate remote access software installed for persistent interactive access to compromised systems.
- Advanced IP Scanner — Network discovery tool used to enumerate internal network topology and identify additional targets.
Indicators & Detection
Decryptor Availability — Due to the cryptographic vulnerability in Rhysida's ChaCha20 implementation (time-based RNG seed), free decryptors are available from Avast and Korean government sources for affected versions. Organizations impacted by Rhysida should engage with incident responders before paying any ransom to determine if decryption is possible without payment.
Healthcare-Specific Detection — Monitor EHR systems and hospital management applications for anomalous access patterns, particularly bulk data export operations. Alert on attempts to access or modify system backups and shadow copies. Healthcare organizations should implement network segmentation separating clinical and administrative networks to contain ransomware spread.
ntdsutil Monitoring — Alert on ntdsutil.exe execution that creates IFM (Install From Media) copies, as this is almost exclusively used for Active Directory credential dumping in ransomware operations. Legitimate ntdsutil use for AD maintenance is rare and should be scheduled and approved in advance.
Rhysida Leak Site Monitoring — Engage threat intelligence services that monitor Rhysida's Tor-based leak site for potential victim disclosures. Advance warning of planned publication allows organizations to prepare stakeholder communications and breach notifications before information becomes public.
Active Directory Hardening — Implement privileged access management for all Active Directory administrative operations. Enable Protected Users security group for privileged accounts to prevent credential caching. Monitor for ntdsutil activity, LSASS access by non-system processes, and unusual scheduled task creation that may indicate ransomware deployment preparation.
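One way to turn the "anomalous access patterns, particularly bulk data export" guidance into a check, as an added example that is not from the advisory or any EHR vendor: bucket an EHR audit log by user and hour, count distinct patients and export actions per bucket, and flag an hour that breaches an absolute floor, a multiple of that user's own median hourly volume, or an export-count floor. The CSV audit log, its column names (ts, user, patient_id, action), the user names and all three thresholds are constructed assumptions to be tuned against a site's real baselines.

```python
"""Volume-based detection of bulk EHR access.

Added example, not from any EHR vendor: the audit log is a constructed CSV
(ts,user,patient_id,action), and the thresholds are assumptions to tune
against a site's real per-user baselines.
"""
import csv
import io
import statistics
from collections import defaultdict

ABS_FLOOR = 200     # distinct patients touched in one hour by a single user
RATIO = 10.0        # multiple of the user's own median hourly volume
EXPORT_FLOOR = 50   # export actions alone at this volume deserve a look
MIN_HOURS = 3       # history needed before a per-user ratio is meaningful


def build_sample_log() -> str:
    """Constructed audit log: one nurse's normal shift, one reporting account that
    runs a small nightly export three nights running and then a 600-patient dump."""
    rows = ["ts,user,patient_id,action"]
    for hour in range(8, 16):                      # nurse.kim, 8-12 patients per hour
        for i in range(8 + hour % 5):
            rows.append(f"2023-11-01T{hour:02d}:{i * 5:02d}:00,nurse.kim,P{1000 + hour * 20 + i},view")
    for day in (30, 31):                           # svc-report baseline nights in October
        for i in range(5):
            rows.append(f"2023-10-{day}T02:10:{i:02d},svc-report,P{6000 + day * 10 + i},export")
    for i in range(5):                             # and one more baseline night
        rows.append(f"2023-11-01T02:10:{i:02d},svc-report,P{7000 + i},export")
    for i in range(600):                           # the anomalous hour
        rows.append(f"2023-11-02T02:{(i * 6) // 60:02d}:{(i * 6) % 60:02d},svc-report,P{5000 + i},export")
    return "\n".join(rows) + "\n"


def parse_log(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def hourly_buckets(events):
    """(user, 'YYYY-MM-DDTHH') -> set of patient ids, plus export counts per bucket."""
    patients = defaultdict(set)
    exports = defaultdict(int)
    for e in events:
        key = (e["user"], e["ts"][:13])
        patients[key].add(e["patient_id"])
        if e["action"] == "export":
            exports[key] += 1
    return patients, exports


def detect_bulk_access(events) -> list:
    """Return one alert per (user, hour) bucket that breaches any threshold."""
    patients, exports = hourly_buckets(events)
    history = defaultdict(list)                    # per-user hourly volumes
    for (user, _), ids in patients.items():
        history[user].append(len(ids))
    alerts = []
    for (user, hour), ids in sorted(patients.items()):
        n, reasons = len(ids), []
        median = statistics.median(history[user])
        if n >= ABS_FLOOR:
            reasons.append(f"{n} distinct patients in one hour (floor {ABS_FLOOR})")
        if len(history[user]) >= MIN_HOURS and n >= RATIO * median:
            reasons.append(f"{n} is {n / median:.0f}x this user's median of {median:g}")
        if exports[(user, hour)] >= EXPORT_FLOOR:
            reasons.append(f"{exports[(user, hour)]} export actions (floor {EXPORT_FLOOR})")
        if reasons:
            alerts.append({"user": user, "hour": hour, "patients": n,
                           "exports": exports[(user, hour)], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_access(parse_log(build_sample_log())):
        print(a["user"], a["hour"], "; ".join(a["reasons"]))
```

The per-user median matters more than the absolute floor: a reporting service account that legitimately exports a few records nightly is exactly the identity an operator would reuse for a dump, and only its own history makes the jump from 5 to 600 stand out.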
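The ntdsutil, shadow-copy, Rclone, PsExec and scheduled-task signals called out in the TTP and detection sections above, expressed as rules over process-creation telemetry with a per-host correlation step. This is an added example, not from the advisory or any vendor product: the events are constructed in the shape of Windows 4688 / Sysmon event 1 records, and the rule names, severities and two-hour correlation window are assumptions to tune per environment.

```python
"""Process-creation detection rules for the living-off-the-land chain.

Added example, not from the advisory or any vendor product: the events are
constructed in the shape of Windows 4688 / Sysmon event 1 records, and the
rule names, severities and the two-hour correlation window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2023-11-02T01:12:07", "host": "DC01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    {"ts": "2023-11-02T01:40:33", "host": "FS02", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:bucket --transfers 16"},
    {"ts": "2023-11-02T02:05:10", "host": "FS02", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-11-02T02:06:00", "host": "FS02", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"ts": "2023-11-02T09:00:00", "host": "WS17", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": "ntdsutil.exe"},  # interactive launch without IFM: lower severity
    {"ts": "2023-11-02T09:15:00", "host": "WS17", "user": "CORP\\asmith",
     "image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "cmdline": "notepad++.exe notes.txt"},
]

# Ordered rules: first match wins, so the specific IFM rule precedes the generic one.
RULES = [
    ("ntdsutil_ifm", "critical", r"ntdsutil(\.exe)?.*\bifm\b.*\bcreate\b"),
    ("ntdsutil_any", "medium", r"\bntdsutil(\.exe)?\b"),
    ("shadow_copy_delete", "high",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("rclone_exec", "high", r"\brclone(\.exe)?\b"),
    ("psexec_service", "medium", r"\bpsexesvc(\.exe)?\b|\bpsexec(\.exe)?\b"),
    ("schtasks_create", "medium", r"\bschtasks(\.exe)?\b.*\s/create\b"),
]
COMPILED = [(name, sev, re.compile(pat, re.IGNORECASE)) for name, sev, pat in RULES]

# Rules whose co-occurrence on one host marks ransomware staging rather than admin work.
STAGING_RULES = {"ntdsutil_ifm", "shadow_copy_delete", "rclone_exec", "psexec_service"}


def match_event(event):
    """Return an alert dict for the first rule matching image + command line, else None."""
    text = event["image"] + " " + event["cmdline"]
    for name, sev, rx in COMPILED:
        if rx.search(text):
            return {"rule": name, "severity": sev, "host": event["host"],
                    "user": event["user"], "ts": event["ts"], "cmdline": event["cmdline"]}
    return None


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def detect(events, window=timedelta(hours=2)):
    """Per-event alerts plus one correlated 'ransomware_staging' alert per host
    where two different staging rules fire within `window` of each other."""
    alerts = [a for a in map(match_event, events) if a]
    by_host = defaultdict(list)
    for a in alerts:
        if a["rule"] in STAGING_RULES:
            by_host[a["host"]].append(a)
    correlated = []
    for host, hits in by_host.items():
        found = set()
        for i, a in enumerate(hits):
            for b in hits[i + 1:]:
                if a["rule"] != b["rule"] and abs(_ts(a) - _ts(b)) <= window:
                    found.update((a["rule"], b["rule"]))
        if found:
            correlated.append({"rule": "ransomware_staging", "severity": "critical",
                               "host": host, "rules": sorted(found)})
    return alerts + correlated


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["rule"])
```

Rule order is deliberate: an IFM creation is reported once at critical rather than twice, while a bare interactive `ntdsutil.exe` still surfaces at medium so the scheduled-and-approved maintenance the text calls for can be reconciled against it. LSASS access is not a process-creation event and would need a separate rule over Sysmon event 10 style records.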