{
	"id": "491e96ea-2cad-41e5-927d-f76f201fb216",
	"created_at": "2026-04-06T00:11:54.886934Z",
	"updated_at": "2026-04-10T13:11:44.172593Z",
	"deleted_at": null,
	"sha1_hash": "615987a7442238dc5fba145c8b153ad5f0743ee6",
	"title": "Rhysida Ransomware Technical Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2537281,
	"plain_text": "Rhysida Ransomware Technical Analysis\r\nBy Threat Research Team\r\nArchived: 2026-04-05 17:16:40 UTC\r\nRhysida is a new ransomware strain that emerged in the second quarter of 2023. The first public mention of Rhysida was in May 2023 by MalwareHunterTeam (the sample's timestamp is May 16, 2023). As of Oct 12, 2023, the ransomware's leak site lists over 50 attacked organizations of all types, including government, healthcare, and IT.\r\nScreenshot of the Rhysida data leak site as of Oct 16, 2023\r\nVictims of the Rhysida ransomware can contact Avast experts directly at decryptors-at-avast-dot-com for a free consultation about how to mitigate damage caused by the attack.\r\nAnalysis of the Rhysida encryptor\r\nThe Rhysida encryptor comes as a 32-bit or 64-bit Windows PE file, compiled with MinGW GNU version 6.3.0 and linked with the GNU linker version 2.30. The first public version is a debug build, which makes analysis easier.\r\nFor cryptographic operations, Rhysida uses the LibTomCrypt library version 1.18.1. For multi-threading and synchronization, Rhysida uses the winpthreads library. A ChaCha20-based pseudo-random number generator is used for generating random values such as the AES encryption key, the AES initialization vector and the random padding for RSA-OAEP encryption. The public RSA key is hard-coded in the binary (ASN.1-encoded) and loaded using LibTomCrypt's rsa_import function. Each sample has a different embedded RSA key.\r\nThe encryptor executable supports the following command line arguments:\r\n-d     Specifies a directory name to encrypt. 
If omitted, all drives (identified by letters) are encrypted.\r\n-sr    Enables self-removal after file encryption.\r\n-nobg  Disables setting the desktop background.\r\n-S     When present, Rhysida creates a scheduled task that runs at OS startup under the SYSTEM account.\r\n-md5   When present, Rhysida calculates the MD5 hash of each file before it is encrypted. This feature is not fully implemented yet: the MD5 is calculated but never used later.\r\nWhen executed, the encryptor queries the number of processors in the system. This value is used for:\r\nAllocating random number generators (one per processor)\r\nCreating Encryptor threads (one per processor)\r\nInitializing multi-threaded encryption\r\nFurthermore, Rhysida creates a File Enumerator thread, which searches all available disk drives by letter. Binaries built before July 2023 enumerate drives in normal order (from A: to Z:); binaries built after July 1st enumerate drives in reverse order (from Z: to A:).\r\nThe File Enumerator thread searches for files to encrypt and puts them into a synchronized list, from which they are picked by one of the Encryptor threads. Files in system-critical folders, and files necessary to run the operating system and programs, are excluded from encryption.\r\nList of skipped directories:\r\n/$Recycle.Bin\r\n/Boot\r\n/Documents and Settings\r\n/PerfLogs\r\n/Program Files\r\n/Program Files (x86)\r\n/ProgramData\r\n/Recovery\r\n/System Volume Information\r\n/Windows\r\n/$RECYCLE.BIN\r\nList of skipped file types:\r\nAdditionally, the ransom note file, usually named CriticalBreachDetected.pdf, is excluded from the list of files to encrypt. The PDF content of the ransom note is hard-coded in the binary and is dropped into each folder. 
The following picture shows an example of the ransom note from a September version of the ransomware:\r\nIn addition to dropping the ransom note, if enabled in the configuration, Rhysida generates a JPEG picture, which is stored as C:/Users/Public/bg.jpg. Earlier versions of the ransomware generated the image with unwanted artifacts, which was fixed in later builds of Rhysida. The following picture shows an example of such a JPEG:\r\nThe picture is set as the desktop background on the infected device. For that purpose, Rhysida runs a series of external commands through the C runtime function system(), which hands each command line to the command interpreter (cmd.exe /c) and ultimately spawns it via CreateProcess:\r\nRhysida may or may not (depending on the configuration and binary version) execute additional actions, including:\r\nDelete shadow copies using:\r\n  cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet\r\nDelete the event logs with this command:\r\n  cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"\r\nDelete itself via a PowerShell command:\r\n  cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path \"%BINARY_NAME%\" -ErrorAction SilentlyContinue;\r\n(Re-)create the scheduled task that runs at Windows startup:\r\n  cmd.exe /c start powershell.exe -WindowStyle Hidden -Command \"Sleep -Milliseconds 1000; schtasks /end /tn Rhsd; schtasks /delete /tn Rhsd /f; schtasks /create /sc ONSTART /tn Rhsd /tr \\\"\r\nRemove the scheduled task using:\r\n  cmd.exe /c start powershell.exe -WindowStyle Hidden -Command \"Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;\"\r\nHow Rhysida encrypts files\r\nTo achieve the highest possible encryption speed, Rhysida's encryption is performed by multiple Encryptor threads. Files bigger than 1 MB (1048576 bytes) are divided into 2 to 4 blocks and only 1 MB of data is encrypted from each block. 
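The host-side artifacts described in this analysis (the Rhsd scheduled task created by -S, the bg.jpg background, the CriticalBreachDetected.pdf note dropped into each folder, the vssadmin and wevtutil commands, and the .rhysida rename performed during file encryption) can be checked on a suspect machine with a short triage script. The following PowerShell is an added example written for this page; it is not code from the Avast post. It assumes it runs with administrative rights on the affected host, that forward-slash paths are acceptable (as in the post's own C:/Users/Public/bg.jpg), and that process-creation auditing with command-line logging is enabled, otherwise the vssadmin check finds nothing. The Event IDs 4688, 1102 and 104 are standard Windows IDs and are not taken from the post; the Add-Finding helper and the $Roots, $MaxHits and $LookbackDays parameters are this example's own.

```powershell
# Added triage example for this page (not code from the Avast post).
# Assumptions: runs elevated on the suspect Windows host; forward-slash paths are
# accepted by Windows and PowerShell; process-creation auditing with command-line
# logging is on, otherwise step 4's 4688 check is silent. Event IDs 4688, 1102 and
# 104 are standard Windows IDs, not values from the analysis.
param(
    [string[]]$Roots = @('C:/'),   # drives or directories to scan for notes and renamed files
    [int]$MaxHits = 20,            # cap on individual file paths reported per indicator
    [int]$LookbackDays = 7         # how far back to search the event logs
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Persistence: the -S option registers a scheduled task named Rhsd (ONSTART, SYSTEM).
$task = Get-ScheduledTask -TaskName 'Rhsd' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { $_.Execute + ' ' + $_.Arguments }) -join '; '
    Add-Finding 'ScheduledTask' ('Rhsd -> ' + $action)
}

# 2. Desktop background written by the encryptor unless -nobg was given.
if (Test-Path -LiteralPath 'C:/Users/Public/bg.jpg') {
    Add-Finding 'Background' 'C:/Users/Public/bg.jpg present'
}

# 3. Ransom notes and renamed files. Rhysida skips the system folders listed in the
#    analysis, so a hit under /Windows or /Program Files would be unexpected.
foreach ($root in $Roots) {
    $notes = 0; $encrypted = 0
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -eq 'CriticalBreachDetected.pdf') {
                $notes++
                if ($notes -le $MaxHits) { Add-Finding 'RansomNote' $_.FullName }
            } elseif ($_.Extension -eq '.rhysida') {
                $encrypted++
                if ($encrypted -le $MaxHits) { Add-Finding 'EncryptedFile' $_.FullName }
            }
        }
    Add-Finding 'Summary' ('{0}: {1} ransom notes, {2} .rhysida files' -f $root, $notes, $encrypted)
}

# 4. Anti-recovery commands. vssadmin Delete Shadows appears as a 4688 process-creation
#    event when command-line auditing is on. The wevtutil loop clears every log and leaves
#    1102 (Security) or 104 (System) as the first surviving entries.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin' -and $_.Message -match 'Delete Shadows' } |
    ForEach-Object { Add-Finding 'ShadowDelete' $_.TimeCreated.ToString('s') }
foreach ($spec in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
    $spec.StartTime = $since
    Get-WinEvent -FilterHashtable $spec -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'LogCleared' ($spec.LogName + ' ' + $_.TimeCreated.ToString('s')) }
}
# A log whose oldest surviving event is newer than the lookback window was very likely wiped.
foreach ($log in 'Security', 'System', 'Application') {
    $oldest = Get-WinEvent -LogName $log -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($oldest -and $oldest.TimeCreated -gt $since) {
        Add-Finding 'LogHistoryMissing' ($log + ' oldest event ' + $oldest.TimeCreated.ToString('s'))
    }
}

$findings | Sort-Object Indicator | Format-Table -AutoSize
```

Run it as a .ps1 from an elevated prompt, optionally with -Roots 'D:/','E:/' to cover data volumes first; the file-system walk is the slow part, so the summary counts are reported per root. The script only reports; it does not remove the Rhsd task or touch encrypted files, since both are evidence.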
Table 1 gives an overview of the number of blocks, the size of one block and the length of the encrypted part:\r\nTable 1: File sizes, block counts, block lengths and encrypted lengths.\r\nMultiple steps are performed to encrypt a file:\r\nThe file is renamed to have the .rhysida extension.\r\nNext, the file size is obtained. Note that earlier versions of the ransomware contain a bug that causes the upper 32 bits of the file size to be ignored, so the size is effectively taken modulo 4 GiB; in later versions of Rhysida, this bug is fixed.\r\nBased on the file size, Rhysida calculates the counts and lengths shown in Table 1.\r\nA 32-byte file encryption key and a 16-byte initialization vector for AES-256 (used in CTR mode, i.e. as a stream cipher) are generated using the random number generator associated with the Encryptor thread.\r\nThe file content is encrypted using AES-256 in CTR mode.\r\nBoth the file encryption key and the IV are encrypted with RSA-4096 using OAEP padding and stored in the file tail structure.\r\nThis file tail is appended to the end of the encrypted file:\r\nConclusion\r\nRhysida is a relatively new ransomware, but it already has a long list of attacked organizations. As of October 2023, it is still under active development.\r\nVictims of the Rhysida ransomware may contact us at decryptors-at-avast-dot-com for a consultation about how to mitigate damage caused by the attack.\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analysis/"
	],
	"report_names": [
		"rhysida-ransomware-technical-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/615987a7442238dc5fba145c8b153ad5f0743ee6.pdf",
		"text": "https://archive.orkl.eu/615987a7442238dc5fba145c8b153ad5f0743ee6.txt",
		"img": "https://archive.orkl.eu/615987a7442238dc5fba145c8b153ad5f0743ee6.jpg"
	}
}