1. Overview
Rhysida is a double extortion ransomware group first identified in May 2023. Operating under a semi-professionalised model, Rhysida has quickly established a reputation for targeting public institutions, healthcare systems, educational bodies, and increasingly, private sector enterprises. The group combines data theft and encryption with public pressure via a high-profile leak site that prominently features victim logos and countdowns to full data disclosure.
Rhysida’s operations are marked by an unusual combination of opportunistic targeting and ideologically themed messaging. While its precise motivations remain unclear, its activities—particularly attacks on government and civic organisations—have led some analysts to question whether there may be political or ideological drivers alongside financial incentives.
2. Origin and Evolution
Rhysida appeared in the wild in May 2023, initially through attacks on Latin American and European public health services. The group’s early campaigns involved basic payloads and minimal lateral movement, but subsequent intrusions demonstrated increasingly refined tooling, scripting, and encryption methods.
Notably, Rhysida positions itself in its ransom notes as a “cybersecurity team” claiming to help organisations uncover their flaws—a message reminiscent of earlier pseudo-ethical ransomware groups. However, its demand for payment in cryptocurrency and its aggressive leak strategy confirm that extortion is the primary objective.
In late 2023, the group made headlines for attacks on healthcare systems in Portugal and the United States, as well as universities in the UK and Australia.
3. Tactics, Techniques, and Procedures (TTPs)
Rhysida’s attack chain aligns with standard ransomware operations but shows signs of increasing maturity:
- Initial Access: Phishing emails with malicious attachments (T1566.001), credential compromise (T1078), and abuse of exposed remote services (T1133) such as RDP or VPN portals.
- Lateral Movement: Use of Cobalt Strike, RDP, WMI, and PsExec for internal movement (T1021), combined with credential dumping via Mimikatz and LSASS access (T1003).
- Data Exfiltration: Targeted exfiltration using Rclone, WinSCP, or MEGASync. Data is typically staged in compressed archives and removed before encryption begins (T1041).
- Encryption: AES-based file encryption with .rhysida extensions added. Ransom notes reference TOR-based portals and include political rhetoric alongside decryption and payment instructions.
- Persistence & Evasion: The group uses scheduled tasks, registry modification (T1112), and volume shadow copy deletion (T1490). Behavioural evasion includes staging through system-native tools and LOLBins.
4. Targeting Profile
Rhysida has shown a particular interest in public-facing organisations, especially those whose disruption would result in political, healthcare, or reputational pressure. Targeted sectors include:
- Healthcare providers and hospitals
- Municipal and regional governments
- Universities and research institutions
- Transport and public services
- Education-focused charities and NGOs
UK organisations have already been named on Rhysida’s leak site, including higher education institutions and public sector contractors. The group also appears to favour organisations with legacy infrastructure or poor segmentation.
5. Notable Campaigns and Victims
Confirmed Rhysida attacks to date include:
- Portuguese national healthcare provider (SNS): Patient data and internal documents leaked.
- Minneapolis Public Schools (USA): Over 300GB of staff and student data posted online.
- UK universities and further education colleges: Including leaked administrative data, contracts, and credentials.
- Chilean military and police systems: Internal records exfiltrated, some politically sensitive.
These incidents often result in both operational disruption and GDPR breach notification obligations for European victims.
6. Ransomware and Leak Site Behaviour
Rhysida maintains an active and visually aggressive leak site on the dark web, featuring:
- Victim branding and name
- Countdown timers to full data publication
- Sample data sets for download
- Links to mirror sites and alternative access portals
The group uses public humiliation and reputational pressure to coerce payment, often referencing government accountability, press interest, or legal consequences in its ransom notes. Demands typically range from £100,000 to over £1 million, depending on the victim’s size and perceived sensitivity of the data.
7. Technical Indicators
Known indicators of Rhysida activity include:
- File extensions: .rhysida
- Ransom notes named Critical_Readme.txt or SecurityAlert.txt
- Use of rclone.exe, winscp.exe, and password-protected archives
- Scheduled tasks triggering custom payloads from %TEMP% or %APPDATA%
- Connections to known TOR nodes and bulletproof infrastructure in Russia and Southeast Asia
IOC packs and detection rules are maintained and updated by UK Cyber Defence Ltd.
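The following is an added example, not part of the UK Cyber Defence Ltd profile and not one of its published detection rules. It shows how the indicators from sections 3 and 7 translate into a simple detection pass over EDR-style telemetry: files renamed with the .rhysida extension, the two ransom note names, launches of rclone.exe or winscp.exe, volume shadow copy deletion (T1490), and scheduled tasks whose action runs from %TEMP% or %APPDATA%. The event schema (type, path, image, cmdline, action), the sample events, and the vssadmin command-line pattern used as the T1490 match are assumptions made for this example; T1486 (Data Encrypted for Impact) and T1053.005 (Scheduled Task) are the MITRE IDs for two behaviours the profile describes without numbering.

```python
"""Toy detection pass for the Rhysida indicators in this profile.

Events are dicts in the style of a Sysmon/EDR feed. The field names used
here are an assumption for the example, not any vendor's schema.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the profile (sections 3 and 7).
ENCRYPTED_EXT = ".rhysida"
RANSOM_NOTE_NAMES = {"critical_readme.txt", "securityalert.txt"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# %TEMP% / %APPDATA% either as unexpanded variables or expanded paths.
STAGING_DIRS = ("%temp%", "%appdata%", r"\appdata\local\temp", r"\appdata\roaming")
# Generic T1490 pattern (assumption): the vssadmin form of shadow deletion.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


@dataclass
class Alert:
    event_id: int
    technique: str   # MITRE ATT&CK ID
    reason: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_staging_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in STAGING_DIRS)


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert if the event matches a Rhysida indicator, else None."""
    kind = event["type"]
    if kind == "file_create":
        name = _basename(event["path"])
        if name.endswith(ENCRYPTED_EXT):
            return Alert(event["id"], "T1486", f"file written with {ENCRYPTED_EXT} extension: {event['path']}")
        if name in RANSOM_NOTE_NAMES:
            return Alert(event["id"], "T1486", f"ransom note dropped: {event['path']}")
    elif kind == "process_create":
        image = _basename(event["image"])
        if image in EXFIL_TOOLS:
            return Alert(event["id"], "T1041", f"exfiltration tool launched: {event['image']}")
        if SHADOW_DELETE.search(event.get("cmdline", "")):
            return Alert(event["id"], "T1490", "volume shadow copy deletion attempted")
    elif kind == "scheduled_task":
        if _in_staging_dir(event["action"]):
            return Alert(event["id"], "T1053.005", f"scheduled task runs payload from staging dir: {event['action']}")
    return None


def scan(events: list) -> list:
    """Run every event through check_event and keep the hits, in feed order."""
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample telemetry: two benign events, five that should alert.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "type": "file_create", "path": r"C:\Users\jdoe\Documents\budget.xlsx.rhysida"},
    {"id": 3, "type": "file_create", "path": r"C:\Users\jdoe\Desktop\Critical_Readme.txt"},
    {"id": 4, "type": "process_create", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": "rclone.exe sync"},
    {"id": 5, "type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 6, "type": "scheduled_task", "name": "Updater", "action": r"%APPDATA%\update\svc.exe"},
    {"id": 7, "type": "scheduled_task", "name": "GoogleUpdate",
     "action": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"event {alert.event_id}: {alert.technique} - {alert.reason}")
```

The single-hit-per-event design is deliberate: the .rhysida extension check comes before the ransom note check, and the tool launch check before the shadow copy check, so an analyst sees the most specific reason first. In a real deployment the per-event matches would feed a correlation rule (for example, exfiltration tool plus shadow copy deletion on the same host within a short window) rather than paging on every individual hit.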
8. Defensive Measures and Recommendations
To protect against Rhysida, organisations should:
- Enforce MFA for all external access and privileged accounts
- Patch VPN, RDP, and web services regularly
- Monitor for suspicious archive creation, outbound data transfers, and shadow copy manipulation
- Deploy EDR/XDR solutions with script-blocking and behavioural analytics
- Maintain offline, immutable backups of all critical systems
- Run regular incident response drills that simulate public sector-targeted ransomware
9. Attribution and Alliances
There is no definitive nation-state linkage for Rhysida. While the group presents itself with politically charged rhetoric, current analysis suggests it is a financially driven operation, possibly using ideology as a secondary pressure tactic.
Rhysida does not appear to run an open RaaS programme, though its tooling and operational tempo imply a small but well-coordinated internal team. Infrastructure overlap has been noted with Vice Society and LockBit, though these links remain speculative.
10. Conclusion
Rhysida represents a growing threat, particularly to UK public institutions, NGOs, and mid-sized enterprises lacking the cyber resilience of larger organisations. Its tactics blend encryption, targeted exfiltration, and reputational coercion, making it both technically dangerous and publicly damaging.
As the group continues to refine its operations and expand its reach, UK organisations must enhance visibility, enforce strong access controls, and prepare for the reputational risks of double extortion.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025