rhysida
· Published 20/12/2025 08:53 · Modified 21/12/2025 18:19
· Source: Ransomware.Live
Essential information
- Confidence: 100/100
- Published: 20/12/2025 08:53
- Modified: 21/12/2025 18:19
- Updated at: 21/12/2025 18:19
- Revoked: No
- Author / Source: Ransomware.Live
- Resource level: —
- Primary motivation: —
- Related entities: 2 reports, 32 attack patterns (MITRE), 6 malware, 2 sectors, 2 countries, 155 indicators, 3 organizations
Description
Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. The group uses its namesake ransomware, relying on phishing attacks and Cobalt Strike to breach targets' networks and deploy its payloads.

The group threatens to publicly distribute exfiltrated data if the ransom is not paid. Rhysida is still in the early stages of development.

The ransomware leaves PDF notes in the affected folders instructing victims to contact the group through its portal; payment is made via Bitcoin.

After encryption, the ransomware appends the extension '.ryshida' to encrypted files.

Source: https://github.com/crocodyli/ThreatActors-TTPs
Marking (TLP)
TLP:CLEAR
Labels
ransomware
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
- 10 MITREs, 2 Malwares, 200 Observables, 1 APT
- 14 MITREs, 4 Malwares, 106 Observables, 1 APT
Attack patterns (MITRE) (32)
Malware (6)
- OysterLoader (uses; Family)
- CleanUpLoader (uses; Family)
- Latrodectus (uses; Family)
- ChrGetPdsi (uses; Family)
- Rhysida (uses; Family)
- PortStarter (uses; Family)
Sectors (2)
- Manufacturing (targets)
- Government (targets)
Countries (2)
- United States of America (targets)
- Chile (targets)
Indicators (155)
Organization (3)
- Larry Pitt & Associates (targets)
- Falk, Waas, Hernandez, Cortina, Solomon & Bonner Overview Metrics (targets)
- Charles Leonard Steel Services (targets)