rhysida
· Published 20/12/2025 08:53 · Modified 21/12/2025 18:19
· Source: Ransomware.Live
Essential information
- Confidence
- 100/100
- Published
- 20/12/2025 08:53
- Modified
- 21/12/2025 18:19
- Updated at
- 21/12/2025 18:19
- Revoked
- No
- Author / Source
- Ransomware.Live
- Resource level
- —
- Primary motivation
- —
- Related entities
- 2 reports, 32 attack patterns (mitre), 6 malware, 2 sectors, 2 countries, 155 indicators, 3 organization
Description
Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks and deploy their payloads.<br> <br> The group threatens to publicly distribute exfiltrated data if the ransom is not paid, and it's worth mentioning that Rhysida is still in the early stages of development.<br> <br> The ransomware leaves PDF notes in the affected folders, instructing victims to contact the group through its portal, and payment is made via Bitcoin.<br> <br> After encryption, the ransomware appends the extension '.ryshida' to encrypted files.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs
Marking (TLP)
TLP:CLEAR
Labels
ransomware
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
-
10 MITREs 2 Malwares 200 Observables 1 APT
-
14 MITREs 4 Malwares 106 Observables 1 APT
Attack patterns (MITRE) (32)
-
T1053.005 usesScheduled Task MITRE
-
T1588.004 usesDigital Certificates MITRE
-
T1059.001 usesPowerShell MITRE
-
T1071 usesApplication Layer Protocol MITRE
-
T1068 usesExploitation for Privilege Escalation MITRE
-
T1140 usesDeobfuscate/Decode Files or Information MITRE
-
T1078 usesValid Accounts MITRE
-
T1583.003 usesVirtual Private Server MITRE
-
T1059 usesCommand and Scripting Interpreter MITRE
-
T1547 usesBoot or Logon Autostart Execution MITRE
-
T1115 usesClipboard Data MITRE
-
T1204.002 usesMalicious File MITRE
Malware (6)
-
OysterLoader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CleanUpLoader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Latrodectus usesThe MITRE Corporation Confidence 100
[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ChrGetPdsi usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rhysida usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PortStarter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (2)
-
Manufacturing targets
-
Government targets
Countries (2)
-
United States of America targets
-
Chile targets
Indicators (155)
-
3654c9585f3e86fe347b078cf44a35b6f8deb1516cdcd84e19bf3965ca86a95bindicates -
stix 100/100· Valid until 30/10/2026 · Source: AlienVault
-
cd671cfa42714a6d517476add60690081a16a5c6abaacce25fcb9c5ddf41b7d3indicates -
metalforthecoredream.comindicatesstix 100/100 Revoked· Valid until 06/08/2025 · Source: AlienVault -
89ac3ba2bb3811358ecdfbfcdd3cac4c4bca9e7c2bd65303e3d9c338aa0b8888indicates -
b0b384818cb093d0324c4676faf163aee95be6639399ad2e6bc805d4ba9d0856indicates -
stix 100/100· Valid until 30/10/2026 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 06/10/2025 · Source: AlienVault
-
32d8e4285515e9926da32796f3f8d743db7a410d0758e1237bd750428389ae23indicates -
stix 100/100· Valid until 16/10/2026 · Source: AlienVault
-
09a25de9db895d3f49c285485fd7ce14fa547ad6601e2dcf9aff47d75b147ad0indicates
Organization (3)
-
Larry Pitt & Associates targets
-
Falk, Waas, Hernandez, Cortina, Solomon & Bonner Overview Metrics targets
-
Charles Leonard Steel Services targets