rhysida
· Published 20/12/2025 08:53 · Modified 21/12/2025 18:19
· Source: Ransomware.Live
Essential information
- Confidence
- 100/100
- Published
- 20/12/2025 08:53
- Modified
- 21/12/2025 18:19
- Updated at
- 21/12/2025 18:19
- Revoked
- No
- Author / Source
- Ransomware.Live
- Resource level
- —
- Primary motivation
- —
- Related entities
- 2 reports, 32 attack patterns (mitre), 6 malware, 2 sectors, 2 countries, 155 indicators, 3 organization
Description
Rhysida is a ransomware-as-a-service (RAAS) group that emerged in May 2023. The group utilizes a namesake ransomware through phishing attacks and Cobalt Strike to breach the targets' networks and deploy their payloads.<br> <br> The group threatens to publicly distribute exfiltrated data if the ransom is not paid, and it's worth mentioning that Rhysida is still in the early stages of development.<br> <br> The ransomware leaves PDF notes in the affected folders, instructing victims to contact the group through its portal, and payment is made via Bitcoin.<br> <br> After encryption, the ransomware appends the extension '.ryshida' to encrypted files.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs
Marking (TLP)
TLP:CLEAR
Labels
ransomware
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (2)
-
10 MITREs 2 Malwares 200 Observables 1 APT
-
14 MITREs 4 Malwares 106 Observables 1 APT
Attack patterns (MITRE) (32)
-
T1219 usesRemote Access Tools MITRE
-
T1055 usesProcess Injection MITRE
-
T1566.002 usesSpearphishing Link MITRE
-
T1583.001 usesDomains MITRE
-
T1190 usesExploit Public-Facing Application MITRE
-
T1587.001 usesMalware MITRE
-
T1553.002 usesCode Signing MITRE
-
T1027 usesObfuscated Files or Information MITRE
-
T1203 usesExploitation for Client Execution MITRE
-
T1078.003 usesLocal Accounts MITRE
-
T1133 usesExternal Remote Services MITRE
-
T1027.002 usesSoftware Packing MITRE
Malware (6)
-
OysterLoader usesFamily
-
CleanUpLoader usesFamily
-
Latrodectus usesThe MITRE Corporation Confidence 100
[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
ChrGetPdsi usesFamily
-
Rhysida usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PortStarter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (2)
-
Manufacturing targets
-
Government targets
Countries (2)
-
United States of America targets
-
Chile targets
Indicators (155)
-
a18489fcf785fff454dc2df15ca8e4b6b411de2505ffb732e8100ad9f87bf722indicates -
stix 100/100· Valid until 30/10/2026 · Source: AlienVault
-
34605c0dfbabf7ce8836091dc760a073da37f1ab35ef3e33f13117bcf044d07eindicates -
f994a1ba402bc29ac7f770d5d11772de6e2575895f50850d7ee9808c484dadcdindicates -
32b0f69e2d046cb835060751fcda28b633cbbd964e6e54dbbc1482fff4d51b57indicates -
stix 100/100· Valid until 30/10/2026 · Source: AlienVault
-
b61b51ba6ad7f7fe6465093a7c3f3f10d1079159febe33efb26fd64fa80408f1indicates -
0851fd5671640a9acaf688e2886570759364135915f272d4ff7946fe001b3f4cindicates -
167405ea2fcbf5e6634bc2562872493d035941a7b93194b58f5a60053f1fba86indicates -
d7ba9881345d71862a68080d210643e2c2d3e17fd13065385edcd3b3391898c3indicates -
401e3fe6d27a438016a82c4bbc710dfca5ff3c8f533f5eadc7393ce4f1c2d498indicates -
2a70db4e14fca6d80ce90c21954323299f8c32bc6fabd67744896af4ee8809b7indicates
Organization (3)
-
Larry Pitt & Associates targets
-
Falk, Waas, Hernandez, Cortina, Solomon & Bonner Overview Metrics targets
-
Charles Leonard Steel Services targets