{
	"id": "98a3dba8-bc3e-46af-a2cc-403985e347c0",
	"created_at": "2026-04-06T00:08:43.941576Z",
	"updated_at": "2026-04-10T03:22:04.478553Z",
	"deleted_at": null,
	"sha1_hash": "4bdb21fb684d1125147ad52206fbbf9ab301f1cd",
	"title": "An Overview of the New Rhysida Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 446678,
	"plain_text": "An Overview of the New Rhysida Ransomware\r\nBy: Trend Micro Research Aug 09, 2023 Read time: 7 min (1936 words)\r\nPublished: 2023-08-09 · Archived: 2026-04-05 14:47:49 UTC\r\nRansomware\r\nAn Overview of the New Rhysida Ransomware Targeting the Healthcare Sector\r\nIn this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.\r\nUpdated on August 9, 2023, 9:30 a.m. EDT: We updated the entry to include an analysis of current Rhysida ransomware samples’ encryption routine.\r\nUpdated on August 14, 2023, 6:00 a.m. EDT: We updated the entry to include Trend XDR workbench alerts for Rhysida and its components.\r\nIntroduction\r\nOn August 4, 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a security alert about a relatively new ransomware called Rhysida (detected as Ransom.PS1.RHYSIDA.SM), which has been active since May 2023. In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.\r\nWho is behind the Rhysida ransomware?\r\nNot much is currently known about the threat actors behind Rhysida in terms of origin or affiliations. According to the HC3 alert, Rhysida presents itself as a “cybersecurity team” that offers to assist victims in finding security weaknesses within their networks and systems. In fact, the group’s first appearance involved the use of a victim chat support portal.\r\nWho are Rhysida’s targets?\r\nRhysida, previously known for targeting the education, government, manufacturing, and tech industries, among others, has begun conducting attacks on healthcare and public health organizations. The healthcare industry has seen an increasing number of ransomware attacks over the past five years.
This includes a recent incident involving Prospect Medical Holdings, a California-based healthcare system, that occurred in early August (although the group behind the attack has yet to be named as of writing).\r\nData from Trend Micro™ Smart Protection Network™ (SPN) shows a similar trend, where detections from May to August 2023 show that its operators are targeting multiple industries rather than focusing on just a single sector.\r\nhttps://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html\r\nPage 1 of 10\r\nThe threat actor also targets organizations around the world, with SPN data showing several countries where Rhysida binaries were detected, including Indonesia, Germany, and the United States.\r\nFigure 1. The industry and country detection count for Rhysida ransomware based on Trend SPN data from May to August 2023\r\nHow does a Rhysida attack proceed?\r\nRhysida ransomware usually arrives on a victim’s machine via phishing lures, after which Cobalt Strike is used for lateral movement across the victim’s network.\r\nAdditionally, our telemetry shows that the threat actors execute PsExec to deploy PowerShell scripts and the Rhysida ransomware payload itself. The PowerShell script (g.ps1), detected as Trojan.PS1.SILENTKILL.A, is used by the threat actors to terminate antivirus-related processes and services, delete shadow copies, modify Remote Desktop Protocol (RDP) configurations, and change the Active Directory (AD) password.\r\nInterestingly, it appears that the script (g.ps1) was updated by the threat actors during execution, eventually leading us to a PowerShell version of the Rhysida ransomware.\r\nRhysida ransomware uses AES in CTR mode for file encryption, with the per-file key and IV wrapped by the embedded 4096-bit RSA key, which we discuss in detail in a succeeding section.
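The PsExec, SILENTKILL and scheduled-task behaviours this entry describes translate directly into process-creation detections. The following Python is an added example for this archive, not Trend Micro’s code and not the entry’s own hunting query: it expresses those behaviours as glob rules in the style of the Vision One query at the end of the entry (two-character .bat names pushed through PsExec, one-character .ps1 scripts run from an admin share, vssadmin shadow deletion, wevtutil log clearing, a task named Rhsd, the NoChangingWallpaper value) and runs them over constructed sample events. The event layout, host names, share paths and the rhsd.exe payload name are invented for the example; the ActiveDesktop policy key path for NoChangingWallpaper comes from Windows documentation, not from this entry.

```python
'''Added example (not Trend Micro code): glob-style matching of the Rhysida
behaviours described in the entry over constructed process-creation events.'''
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

BS = chr(92)  # a backslash, kept out of string literals on purpose


def win(*parts: str) -> str:
    '''Build a local Windows path, e.g. win('C:', 'Windows', 'cmd.exe').'''
    return BS.join(parts)


def unc(host: str, *parts: str) -> str:
    '''Build an admin-share path, e.g. unc('SRV01', 'C$', 'g.ps1').'''
    return BS * 2 + host + BS + BS.join(parts)


def normalize(text: str) -> str:
    '''Lower-case and collapse every run of separators to one slash, so a single
    rule fits raw command lines and JSON-exported telemetry (doubled backslashes).'''
    text = text.lower().replace(BS, '/')
    while '//' in text:
        text = text.replace('//', '/')
    return text


# (tag, reference from the entry, glob over 'parent image => command line')
RULES: List[Tuple[str, str, str]] = [
    ('psexec_bat', 'Lateral Movement via PsExec / T1059.003',
     '*psexe*.exe => *cmd.exe*/??/??.bat*'),
    ('share_ps1', 'T1059.001 PowerShell script (g.ps1 / SILENTKILL) from an admin share',
     '* => *powershell.exe*/*$/?.ps1*'),
    ('vss_delete', 'T1490 Inhibit System Recovery', '* => *vssadmin* delete shadows*'),
    ('wevtutil_clear', 'T1070.001 Clear Windows Event Logs', '* => *wevtutil* cl *'),
    ('task_rhsd', 'T1053.005 Scheduled Task named Rhsd', '* => *schtasks*/create*/tn rhsd*'),
    ('wallpaper_lock', 'T1491.001 Internal Defacement', '* => *nochangingwallpaper*'),
]

RANSOM_NOTE = 'CriticalBreachDetected.pdf'
ENCRYPTED_EXT = '.rhysida'


def match_event(event: Dict[str, str]) -> List[str]:
    '''Return the tags of every rule the event satisfies.'''
    haystack = normalize(event['parent'] + ' => ' + event['cmdline'])
    return [tag for tag, _ref, glob in RULES if fnmatchcase(haystack, glob)]


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    '''Group rule hits by host, preserving event order.'''
    hits: Dict[str, List[str]] = {}
    for event in events:
        for tag in match_event(event):
            hits.setdefault(event['host'], []).append(tag)
    return hits


def is_rhysida_artifact(path: str) -> bool:
    '''True for an encrypted file (.rhysida appended) or the dropped ransom note.'''
    name = normalize(path).rsplit('/', 1)[-1]
    return name.endswith(ENCRYPTED_EXT) or name == RANSOM_NOTE.lower()


# Constructed sample telemetry: an attack chain on WS-07 in the order the entry
# describes it, plus benign admin activity on WS-12 that must stay silent.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {'host': 'WS-07', 'parent': win('C:', 'Windows', 'PSEXESVC.exe'),
     'cmdline': 'cmd.exe /c ' + unc('SRV01', 'C$', 'tm', 'gg.bat')},
    {'host': 'WS-07', 'parent': win('C:', 'Windows', 'System32', 'cmd.exe'),
     'cmdline': 'powershell.exe -ExecutionPolicy Bypass -File ' + unc('SRV01', 'C$', 'g.ps1')},
    {'host': 'WS-07', 'parent': 'powershell.exe', 'cmdline': 'vssadmin.exe delete shadows /all /quiet'},
    {'host': 'WS-07', 'parent': 'powershell.exe', 'cmdline': 'wevtutil.exe cl Security'},
    {'host': 'WS-07', 'parent': 'powershell.exe',  # rhsd.exe is an invented payload name
     'cmdline': 'schtasks.exe /create /tn Rhsd /tr ' + win('C:', 'Users', 'Public', 'rhsd.exe') + ' /sc once /st 00:00'},
    {'host': 'WS-07', 'parent': 'powershell.exe',  # key path from Windows policy docs, not the entry
     'cmdline': 'reg.exe add ' + win('HKCU', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Policies', 'ActiveDesktop')
                + ' /v NoChangingWallpaper /t REG_DWORD /d 1 /f'},
    {'host': 'WS-12', 'parent': 'explorer.exe', 'cmdline': 'powershell.exe -File ' + win('C:', 'Scripts', 'backup.ps1')},
    {'host': 'WS-12', 'parent': 'cmd.exe', 'cmdline': 'vssadmin.exe list shadows'},
]

if __name__ == '__main__':
    for host, tags in scan(SAMPLE_EVENTS).items():
        print(host, '->', ', '.join(tags))
    print(is_rhysida_artifact(win('D:', 'Finance', 'Q2.xlsx.rhysida')))
```

Separator runs are collapsed before matching so the same rules work on raw command lines and on JSON-exported telemetry, where every backslash arrives doubled. The psexec_bat rule only approximates the query’s objectFilePath clause, since these sample events carry the parent image rather than a separate file-path field; on real telemetry, key the rule on whichever field holds the PsExec image path.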
After successful encryption, it appends the .rhysida extension and drops the ransom note CriticalBreachDetected.pdf.\r\nThis ransom note is fairly unusual: instead of an outright ransom demand as seen in most ransom notes from other ransomware families, the Rhysida ransom note is presented as an alert from the Rhysida “cybersecurity team” notifying victims that their system has been compromised and their files encrypted. The ransom demand comes in the form of a “unique key” designed to restore encrypted files, which must be paid for by the victim.\r\nSummary of malware and tools used by Rhysida\r\nMalware: RHYSIDA, SILENTKILL, Cobalt Strike\r\nTools: PsExec\r\nTactic | Malware or tool | Description\r\nInitial Access | Phishing | Based on external reports, Rhysida uses phishing lures for initial access\r\nLateral Movement | PsExec | Microsoft tool used for remote execution\r\nLateral Movement | Cobalt Strike | Third-party tool abused for lateral movement\r\nDefense Evasion | SILENTKILL | Malware deployed to terminate security-related processes and services, delete shadow copies, modify RDP configurations, and change the AD password\r\nImpact | Rhysida ransomware | Ransomware encryption\r\nTable 1. A summary of the malware, tools, and exploits used by Rhysida\r\nA closer look at Rhysida’s encryption routine\r\nAfter analyzing current Rhysida samples, we observed that the ransomware uses LibTomCrypt, an open-source cryptographic library, to implement its encryption routine. Figure 3 shows the procedures Rhysida follows when initializing its encryption parameters.\r\nFigure 3. Rhysida’s parameters for encryption\r\nRhysida uses LibTomCrypt’s pseudorandom number generator (PRNG) functionalities for key and initialization vector (IV) generation. The init_prng function is used to initialize PRNG functionalities as shown in Figure 4.
The same screenshot also shows how the ransomware uses the library’s ChaCha20 PRNG functionality.\r\nFigure 4. Rhysida’s use of the “init_prng” function\r\nAfter the PRNG is initialized, Rhysida then proceeds to import the embedded RSA key and declares the encryption algorithm it will use for file encryption:\r\nIt uses the register_cipher function to “register” the algorithm (in this case, aes) in its table of usable ciphers.\r\nIt uses the find_cipher function to store the algorithm to be used (still aes) in the variable CIPHER.\r\nAfterward, it also registers and declares aes for its Cipher Hash Construction (CHC) functionalities.\r\nBased on our analysis, Rhysida’s encryption routine follows these steps:\r\n1. After it reads file contents for encryption, it uses the initialized PRNG’s function, chacha20_prng_read, to generate both a key and an IV that are unique for each file.\r\n2. It uses the ctr_start function to initialize the cipher that will be used, which is aes (from the variable CIPHER), in counter (CTR) mode.\r\n3. The generated key and IV are then encrypted with the rsa_encrypt_key_ex function.\r\n4. Once the key and IV are encrypted, Rhysida proceeds to encrypt the file using LibTomCrypt’s ctr_encrypt function.\r\nBecause the key and IV are generated fresh for every file and kept only in RSA-encrypted form, recovering the files requires the RSA private key that matches the embedded public key; CTR mode also means an encrypted file keeps the length of its plaintext.\r\nFigure 5. 
Rhysida’s encryption routine\r\nHow can organizations protect themselves from Rhysida and other ransomware families?\r\nAlthough we are still in the process of fully analyzing Rhysida ransomware and its tools, tactics, and procedures (TTPs), the best practices for defending against ransomware attacks still hold true for Rhysida and other ransomware families.\r\nHere are several recommended measures that organizations can implement to safeguard their systems from ransomware attacks:\r\nCreate an inventory of assets and data\r\nReview event and incident logs\r\nManage hardware and software configurations\r\nGrant administrative privileges and access only when relevant to an employee's role and responsibilities\r\nEnforce security configurations on network infrastructure devices like firewalls and routers\r\nEstablish a software whitelist permitting only legitimate applications\r\nPerform routine vulnerability assessments\r\nApply patches or virtual patches for operating systems and applications\r\nKeep software and applications up to date using their latest versions\r\nIntegrate data protection, backup, and recovery protocols\r\nEnable multifactor authentication (MFA) mechanisms\r\nUtilize sandbox analysis to intercept malicious emails\r\nRegularly educate and evaluate employees' security aptitude\r\nDeploy security tools (such as XDR) that are capable of detecting abuse of legitimate applications\r\nIndicators of compromise\r\nThe indicators of compromise for this entry can be found here.\r\nMITRE ATT&CK tactics and techniques\r\nTactic | Technique | Description\r\nInitial Access | T1566 Phishing | Based on external reports, Rhysida uses phishing lures for initial access.\r\nExecution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | It uses cmd.exe to execute commands.\r\nExecution | T1059.001 Command and Scripting Interpreter: PowerShell | It uses PowerShell to create a scheduled task named Rhsd pointing to the ransomware.\r\nPersistence | T1053.005 Scheduled Task/Job: Scheduled Task | When executed with the argument -S, it creates a scheduled task named Rhsd that executes the ransomware.\r\nDefense Evasion | T1070.004 Indicator Removal: File Deletion | Rhysida ransomware deletes itself after execution. The scheduled task (Rhsd) is also deleted after execution.\r\nDefense Evasion | T1070.001 Indicator Removal: Clear Windows Event Logs | It uses wevtutil.exe to clear Windows event logs.\r\nDiscovery | T1083 File and Directory Discovery | It enumerates and looks for files to encrypt on all local drives.\r\nDiscovery | T1082 System Information Discovery | It obtains the number of processors and general system information.\r\nImpact | T1490 Inhibit System Recovery | It uses vssadmin to remove volume shadow copies.\r\nImpact | T1486 Data Encrypted for Impact | It uses AES in CTR mode for file encryption, with the per-file key and IV generated by a ChaCha20-based PRNG and wrapped with a 4096-bit RSA key (see the encryption routine section above). It avoids encrypting files with the following strings in their file name: .bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .msi, .ocx, .ps1, .psm1, .scr, .sys, .ini, .Thumbs.db, .url, .iso. It avoids encrypting files found in the following folders: $Recycle.Bin, Boot, Documents and Settings, PerfLogs, ProgramData, Recovery, System Volume Information, Windows, $RECYCLE.BIN, ApzData. It appends the .rhysida extension to the file name of encrypted files, encrypts all drives from A to Z, and drops the ransom note {Encrypted Directory}\\CriticalBreachDetected.pdf.\r\nImpact | T1491.001 Defacement: Internal Defacement | It changes the desktop wallpaper after encryption and prevents the user from changing it back by modifying the NoChangingWallpaper registry value.\r\nTrend Micro solutions | Detection patterns / policies / rules\r\nTrend Micro Apex One, Trend Micro Deep Security, Trend Micro Titanium Internet Security, Trend Micro Cloud One Workload Security, Trend Micro Worry-Free Business Security Services | Ransom.Win64.RHYSIDA.SM; Ransom.Win64.RHYSIDA.THEBBBC; Ransom.Win64.RHYSIDA.THFOHBC; Trojan.PS1.SILENTKILL.SMAJC; Trojan.PS1.SILENTKILL.A\r\nTrend Micro Apex One, Trend Micro Deep Security, Trend Micro Worry-Free Business Security Services, Trend Micro Titanium Internet Security | RAN4056T; RAN4052T\r\nTrend Micro Apex One, Trend Micro Deep Discovery Web Inspector | The following DDI rules:\r\nDDI Rule ID: 597 - \"PsExec tool detected\"\r\nDDI Rule ID: 1847 - \"PsExec tool detected - Class 2\"\r\nDDI Rule ID: 4524 - \"Possible Renamed PSEXEC Service - SMB2 (Request)\"\r\nDDI Rule ID: 4466 - \"PsExec Clones - SMB2 (Request)\"\r\nDDI Rule ID: 4571 - \"Possible Suspicious Named Pipe - SMB2 (REQUEST)\"\r\nDDI Rule ID: 4570 - \"COBALTSTRIKE - DNS(RESPONSE)\"\r\nDDI Rule ID: 4152 - \"COBALTSTRIKE - HTTP (Response)\"\r\nDDI Rule ID: 4469 - \"APT - COBALTSRIKE - HTTP (RESPONSE)\"\r\nDDI Rule ID: 4594 - \"COBALTSTRIKE - HTTP(REQUEST) - Variant 3\"\r\nDDI Rule ID: 4153 - \"COBALTSTRIKE - HTTP (Request) - Variant 2\"\r\nDDI Rule ID: 2341 - \"COBALTSTRIKE - HTTP (Request)\"\r\nDDI Rule ID: 4390 - \"CobaltStrike - HTTPS (Request)\"\r\nDDI Rule ID: 4870 - \"COBEACON DEFAULT NAMED PIPE - SMB2 (Request)\"\r\nDDI Rule ID: 4861 - \"COBEACON - DNS (Response) - Variant 3\"\r\nDDI Rule ID: 4860 - \"COBEACON - DNS (Response) - Variant 2\"\r\nDDI Rule ID: 4391 - \"COBEACON - DNS (Response)\"\r\nTrend Micro Apex One, Trend Micro Deep Security, Trend Micro Worry-Free Business Security Services, Trend Micro Titanium Internet Security, Trend Micro Cloud Edge | Troj.Win32.TRX.XXPE50FFF071\r\nTrend Micro XDR uses the following workbench alerts to protect customers from Rhysida-related attacks:\r\nWorkbench alert | ID\r\nAnomalous Regsvr32 Execution Leading to Cobalt Strike | 63758d9f-4405-4ec5-b421-64aef7c85dca\r\nCOBALT C2 Connection | afd1fa1f-b8fc-4979-8bf7-136db80aa264\r\nEarly Indicator of Attack via Cobalt Strike | 0ddda3c1-dd25-4975-a4ab-b1fa9065568d\r\nLateral Movement of Cobalt Strike Beacon | 5c7cdb1d-c9fb-4b1d-b71f-9a916b10b513\r\nPossible Cobalt Strike Beacon | 45ca58cc-671b-42ab-a388-d972ff571d68\r\nPossible Cobalt Strike Beacon Active Directory Database Dumping | 1f103cab-9517-455d-ad08-70eaa05b8f8d\r\nPossible Cobalt Strike Connection | 85c752b8-93c2-4450-81eb-52ec6161088e\r\nPossible Cobalt Strike Privilege Escalation Behavior | 2c997bac-4fc0-43b4-8279-6f2e7cf723ae\r\nPossible Fileless Cobalt Strike | cf1051ba-5360-4226-8ffb-955fe849db53\r\nPossible Credential Access via PSEXESVC Command Execution | 0b870a13-e371-4bad-9221-be7ad98f16d7\r\nPossible Powershell Process Injection via PSEXEC | 7fe83eb8-f40f-43be-8edd-f6cbc1399ac0\r\nPossible Remote Ransomware Execution via PsExec | 47fbd8f3-9fb5-4595-9582-eb82566ead7a\r\nPSEXEC Execution By Process | e011b6b9-bdef-47b7-b823-c29492cab414\r\nRemote Execution of Windows Command Shell via PsExec | b21f4b3e-c692-4eaf-bee0-ece272b69ed0\r\nSuspicious Execution of PowerShell Parameters and PSEXEC | 26371284-526b-4028-810d-9ac71aad2536\r\nSuspicious Mimikatz Credential Dumping via PsExec | 8004d0ac-ea48-40dd-aabf-f96c24906acf\r\nPossible Disabling of Antivirus Software | 64a633e4-e1e3-443a-8a56-7574c022d23f\r\nSuspicious Deletion of Volume Shadow Copy | 5707562c-e4bf-4714-90b8-becd19bce8e5\r\nRansom Note Detection (Real-time Scan) | 16423703-6226-4564-91f2-3c03f2409843\r\nRansomware Behavior Detection | 6afc8c15-a075-4412-98c1-bb2b25d6e05e\r\nRansomware Detection (Real-time Scan) | 2c5e7584-b88e-4bed-b80c-dfb7ede8626d\r\nScheduled Task Creation via Command Line | 05989746-dc16-4589-8261-6b604cd2e186\r\nSystem-Defined Event Logs Clearing via Wevtutil | 639bd61d-8aee-4538-bc37-c630dd63d80f\r\nTrend Vision One customers can use the following hunting query to search for Rhysida within their system:\r\nprocessCmd:\"powershell.exe*\\\\*$\\?.ps1\" OR (objectFilePath:\"?:*\\\\??\\\\psexec.exe\" AND processCmd:\"*cmd.exe*\\\\??\\\\??.bat\")\r\nSource: https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html"
	],
	"report_names": [
		"an-overview-of-the-new-rhysida-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bdb21fb684d1125147ad52206fbbf9ab301f1cd.pdf",
		"text": "https://archive.orkl.eu/4bdb21fb684d1125147ad52206fbbf9ab301f1cd.txt",
		"img": "https://archive.orkl.eu/4bdb21fb684d1125147ad52206fbbf9ab301f1cd.jpg"
	}
}