{
	"id": "564f61f5-579c-4668-94f0-4d32daaf28a7",
	"created_at": "2026-04-06T00:17:27.795169Z",
	"updated_at": "2026-04-10T13:12:33.285932Z",
	"deleted_at": null,
	"sha1_hash": "0a0a29b36cf69a9e481cf6a77a5095b2560f15f5",
	"title": "The Rhysida Ransomware: Activity Analysis and Ties to Vice Society - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88275,
	"plain_text": "The Rhysida Ransomware: Activity Analysis and Ties to Vice\r\nSociety - Check Point Research\r\nBy bferrite\r\nPublished: 2023-08-08 · Archived: 2026-04-05 13:13:39 UTC\r\nIntroduction\r\nThe Rhysida ransomware group was first revealed in May this year, and since then has been linked to several\r\nimpactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack\r\nagainst Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this\r\nattack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare\r\nsector.\r\nWhile responding to a recent Rhysida ransomware case against an educational institution, the Check Point\r\nIncident Response Team (CPIRT), in collaboration with Check Point Research (CPR), observed a set of unique\r\nTactics, Techniques and Procedures (TTPs). During our analysis, we identified significant similarities to the TTPs of\r\nanother ransomware group – Vice Society. Vice Society has been one of the most active and aggressive ransomware\r\ngroups since 2021, mostly targeting the education and healthcare sectors. For example, Vice Society was\r\nresponsible for the attack against the Los Angeles Unified School District.\r\nAs a connection between Vice Society and Rhysida was suggested recently, we bring forth technical evidence to\r\nstrengthen the connection. Our analysis shows both a technical similarity between the two groups, and a clear\r\ncorrelation between the emergence of Rhysida and the disappearance of Vice Society. 
In addition, the two groups\r\nshare a focus on two main sectors which stand out in the ransomware ecosystem: education and healthcare.\r\nAs Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest\r\nthat Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society\r\noperators are now using Rhysida ransomware.\r\nTactics, Techniques and Procedures\r\nAs the Rhysida ransomware payload was thoroughly analyzed before, we will focus on the TTPs leading to its\r\ndeployment, specifically on Lateral Movement, Credential Access, Defense Evasion, Command and Control, and\r\nImpact.\r\nBased on the evidence we have, the time to ransom (TTR) of the actors employing Rhysida ransomware is\r\nrelatively low. It took eight days from the first signs of lateral movement to the widespread ransomware\r\ndeployment.\r\nLateral Movement\r\nhttps://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/\r\nPage 1 of 6\n\nThe attackers used a variety of tools to perform lateral movement, including:\r\nRemote Desktop Protocol – Throughout the intrusion, the threat actor initiated RDP connections, and took\r\nadditional steps to deliberately remove associated logs and registry entries to hinder detection and analysis\r\nefforts (as described in the Defense Evasion section). RDP remains an effective approach to performing\r\nlateral movement within the environment.\r\nRemote PowerShell Sessions (WinRM) – While connected remotely via RDP, the threat actor was\r\nobserved initiating remote PowerShell connections to servers within the environment. This happened in the\r\ndays before the ransomware payload was deployed.\r\nPsExec – The ransomware payload itself was deployed using PsExec from a server within the\r\nenvironment. 
The deployment happened in two phases.\r\nCopying the malicious payload using the command PsExec.exe -d \\\\VICTIM_MACHINE -u\r\n\"DOMAIN\\ADMIN\" -p \"Password\" -s cmd /c COPY \"\\\\path_to_ransomware\\payload.exe\"\r\n\"C:\\windows\\temp\" .\r\nExecuting the malicious payload using the command PsExec.exe -d \\\\VICTIM_MACHINE -u\r\n\"DOMAIN\\ADMIN\" -p \"Password\" -s cmd /c c:\\windows\\temp\\payload.exe .\r\nCredential Access\r\nMost notably, the threat actor used ntdsutil.exe to create a backup of NTDS.dit in a folder named temp_l0gs. This\r\npath was utilized by the actor multiple times. In addition, the threat actor enumerated Domain\r\nAdministrator accounts and attempted to log in using some of them.\r\nCommand and Control\r\nThe threat actors utilized several backdoors and tools for persistence, including:\r\nSystemBC – In a successful PowerShell session, the attacker executed a SystemBC PowerShell implant\r\n(very similar to the implant described here) which maintains persistence by installing a registry Run key\r\nnamed socks to execute the script on startup. The implant reaches out to 5.255.103[.]7. 
Additionally, the\r\nthreat actor set up a firewall rule named Windows Update to allow outbound traffic to another server,\r\n5.226.141[.]196.\r\nAnyDesk – The threat actor was observed using the remote management tool AnyDesk.\r\nDefense Evasion\r\nThroughout the activity, the threat actors consistently deleted logs and forensic artifacts following their activity.\r\nThis includes:\r\nDeleting the history of recently used files and folders.\r\nDeleting the list of recently executed programs.\r\nDeleting the history of recently typed paths in File Explorer.\r\nDeleting the PowerShell console history file.\r\nDeleting all files and folders within the current user’s temporary folder.\r\nFollowing RDP sessions, the threat actor also deleted RDP-specific logs by:\r\nSearching for all subkeys under “HKCU:\\Software\\Microsoft\\Terminal Server Client” in the Windows\r\nRegistry, and for each subkey, removing the “UsernameHint” value if it exists.\r\nDeleting Default.rdp from the users’ Documents folder.\r\nImpact\r\nOn the day of ransomware deployment, the threat actor utilized the access provided by AnyDesk to widely deploy\r\nthe ransomware payload in the environment using PsExec:\r\nAccount Access Removal – The threat actor initiated a password change for tens of thousands of accounts\r\nin the domain to hinder remediation efforts.\r\nInhibit System Recovery – Before deploying the ransomware payload, the threat actor attempted to\r\ndeploy a PowerShell script with a wide variety of capabilities, including:\r\nChanging all local passwords to a predefined password.\r\nKilling services related to database systems, backup software, and security products.\r\nDisabling Windows Defender and creating exclusions for it.\r\nDeleting shadow copies with both wmic.exe and vssadmin.exe.\r\nChanging the default RDP port to 4000 and creating a firewall rule for 
it.\r\nDeleting all Windows event logs and PowerShell history.\r\nData Encryption – The threat actor ended up deploying the Rhysida ransomware payload using PsExec,\r\nas described above.\r\nThe Vice Society Connection\r\nThroughout our analysis of Rhysida ransomware TTPs and infrastructure, we found several similarities to another\r\ninfamous ransomware group: Vice Society, which was observed changing ransomware payloads over time. A\r\npossible link between Vice Society and Rhysida has been recently suggested. Here we will present additional\r\nevidence supporting this claim.\r\nTechniques, Tools and Infrastructure\r\nMany of the techniques described above are highly correlated with previous Vice Society intrusions as described\r\nby Microsoft and Intrinsec. Some of them might appear quite generic for ransomware operators, but were utilized\r\nin very specific ways, including specific paths, which are not common:\r\nUtilization of NTDSUtil to create a backup of NTDS.dit in a folder named temp_l0gs. The same path\r\nwas reported to be used by Vice Society.\r\nCreation of a local firewall rule using New-NetFirewallRule named Windows Update to facilitate traffic\r\nrelaying using SystemBC, a commodity malware. SystemBC was executed through the registry Run key,\r\nstored under the value socks.\r\nInitiation of a domain-wide password change process before deployment of the ransomware payload.\r\nAnalysis of infrastructure related to a Rhysida incident surfaced a set of PortStarter samples, some of them\r\npreviously attributed to Vice Society. 
Although PortStarter is often described as a commodity tool, its usage\r\nhas been linked almost exclusively to Vice Society in public reports.\r\nVictimology\r\nIn addition to technical similarity, there is also a correlation between the emergence of Rhysida and a significant\r\ndecline in Vice Society activity. Based on information from both Rhysida and Vice Society leak sites, we\r\nconstructed a timeline displaying extortion announcements of the two groups.\r\nEver since Rhysida first appeared, Vice Society has only published two victims. It’s likely that those were\r\nperformed earlier and were only published in June. Vice Society actors have not posted on their leak site since\r\nJune 21, 2023.\r\nFigure 1 – Distribution of Rhysida and Vice Society victims over time.\r\nWe also noticed similarities in the targeted sectors affected by the two groups, which are well known\r\nfor targeting the education and healthcare industries. The high proportion of victims in the education industry stands\r\nout as unique for both groups in the entire ransomware ecosystem:\r\nFigure 2 – Distribution of Rhysida victims per industry sector.\r\nFigure 3 – Distribution of Vice Society victims per industry sector.\r\nConclusion\r\nOur analysis of Rhysida ransomware intrusions reveals clear ties between the group and the infamous Vice\r\nSociety, but it also reveals a grim truth – the TTPs of prolific ransomware actors remain largely unchanged. 
Major\r\nportions of the activity we’ve observed could have been used, and have been used, to deploy any ransomware\r\npayload by any ransomware group.\r\nThis highlights the importance of understanding not just the operation of a ransomware payload, but the entire\r\nprocess leading to its deployment. From the usage of remote management tools such as AnyDesk to the\r\ndeployment of ransomware through PsExec, threat actors leverage a variety of tools to facilitate such attacks.\r\nClosely monitoring the activity of those tools could help in preventing the next ransomware attack.\r\nCheck Point Software customers remain protected against Rhysida ransomware.\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics and file\r\ntypes and protect against the type of attacks and threats described in this report.\r\nSource: https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/"
	],
	"report_names": [
		"the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a0a29b36cf69a9e481cf6a77a5095b2560f15f5.pdf",
		"text": "https://archive.orkl.eu/0a0a29b36cf69a9e481cf6a77a5095b2560f15f5.txt",
		"img": "https://archive.orkl.eu/0a0a29b36cf69a9e481cf6a77a5095b2560f15f5.jpg"
	}
}