{
	"id": "1d5b7340-d211-4022-912a-795fdafe6db7",
	"created_at": "2026-04-06T00:13:30.491365Z",
	"updated_at": "2026-04-10T13:13:07.041463Z",
	"deleted_at": null,
	"sha1_hash": "98770ad3a03b8e40918afe8274b9e026f0597880",
	"title": "Rhysida Ransomware and the Detection Opportunities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2588557,
	"plain_text": "Rhysida Ransomware and the Detection Opportunities\r\nBy SIMKRA\r\nPublished: 2024-11-18 · Archived: 2026-04-05 16:20:43 UTC\r\nRobust Detection and Analytical Scoring countering Cy-X threat actors like Rhysida\r\nWhile it was a hypothesis just a few months ago, it has now been confirmed that the Cy-X threat actors of Rhysida are affiliates of the former ransomware group Vice Society.\r\nOur research team assessed the exact extent of this relationship and could follow one of the following hypotheses:\r\nDue to increased scrutiny from law enforcement, the threat group behind Vice Society fully disbanded their operation and migrated their efforts towards their newly created Rhysida operation (rebrand). In this case, this specific new encryption payload could have been developed directly by them or by a contracted developer exclusively for them (more likely).\r\nIn continuation with their regular shifts of payloads, the threat actors behind Vice Society affiliated themselves to a new private third-party RaaS called Rhysida, which advertises the victims through its own leak site and no longer on the Vice Society leak site (new RaaS affiliation). In this case, the former Vice Society group might not be the only ones deploying Rhysida in the future.\r\nRhysida has also focused on big game hunting over the last year, attacking targets such as the British Library, the Ministry of Finance of Kuwait and various hospitals in the US.\r\nJust a few days ago, the news broke that the Royal family’s sensitive data had been stolen by Rhysida in one of these attacks. Now the criminals are threatening to publish it.\r\nIn the following article, I have summarized one of the main indicators for Rhysida that I also presented at the SANS European DFIR Summit this summer, and how to detect and hunt for the TTPs.
The goal is to detect the top indicators in time or to harden the systems accordingly, as well as to prevent the spread of Rhysida during an attack by developing VIP detections while an incident is running. Finding the corresponding artifacts after the incident has happened also helps to bring the most important systems back into operation as quickly as possible.\r\nIn order to fully understand the TTPs, and thus the intention, the capabilities and the resulting advantage in detection, I therefore take the findings from various CTI reports together with my own Orange Cyberdefense analysis and that of my colleagues. These results give us the main MITRE ATT\u0026CK techniques that Rhysida uses, including the tools of affiliates, the various sources of artifacts and the attacker’s infrastructure. Here is a picture from VirusTotal with the infrastructure for Rhysida, published a few days ago:\r\nThe graph shows us not only the execution of the ransomware but also the contacted domains, IPs, URLs and further files that could be interesting for detection engineering and hunting. We see, for example, fury.exe as an artifact and an older version of the ransomware. In the article Scratching the Surface of Rhysida Ransomware, for example, you will find the executable fury_ctm1042.bin with SHA1 69b3d913a3967153d1e91ba1a31ebed839b297ed and a great analysis of the reverse-engineered executable. Such artifacts help us not only to identify the ransomware group, but also to develop robust detections, as we will see in the following analysis.\r\nTherefore, we first take a look at the MITRE ATT\u0026CK matrix, multilayered in Tidal Cyber Enterprise, showing the constellation of ransomware groups such as Rhysida and Vice Society and the associated tools that they use.
The relationship between the ransomware groups and affiliates is described in the Sophos article Same threats, different ransomware, in which Sophos researchers cluster Vice Society with Rhysida. In addition to that cluster, other CTI reports such as those from SOCRadar, Trend Micro, Microsoft Threat Intelligence, Secplicity, Talos, Fortinet, SentinelOne, Check Point, CISA etc. and my own findings are helpful for writing robust detections. All this information results in the following MITRE-mapped TTP matrix, including the capabilities, meaning the tools, of Rhysida:\r\nThe analysis revealed the top tools and MITRE ATT\u0026CK techniques that are recommended for analysis. Of course, the threat actor has more tools as capabilities, but this is a starting point for robust detection. The following tools are recommended to be prevented or detected specifically during an attack by the threat actor Rhysida:\r\n· PsExec and other Sysinternals tools, as described in the CISA alert AA23-319A\r\n· The PortStarter script. PortStarter is a backdoor written in Go. According to Microsoft, this malware is capable of modifying firewall settings and opening ports to connect to pre-configured C2 servers\r\n· The remote tool AnyDesk, very popular in the ransomware “scene” for obtaining remote access\r\n· SystemBC, a post-compromise commodity RAT and proxy tool used by numerous ransomware groups\r\n· secretsdump (Impacket’s secretsdump.py) for credential dumping\r\nPowerShell \u0026 CMD executing the tools\r\nT1059.001 PowerShell executing secretsdump or ntdsutil.exe has been observed for Vice Society.
Command \u0026 Control can be detected via the artifact sock.ps, as described for DEV-0832, or via the artifact Sock5.sh mentioned in the CISA alert AA23-319A.\r\nT1059.003 Windows Command Shell can also be used, primarily as a VIP detection during the encryption, as an opportunity to prevent further spread in the event of an attack. Normally you should find ways NOT to end up in such a situation, but be prepared!\r\nTherefore, here is a list of commands that Rhysida ransomware executes via cmd.exe and reg.exe (reproduced as extracted; several lines are truncated):\r\ncmd.exe /c reg delete \"HKCU\\Conttol Panel\\Desktop\" /v WallpaperStyle /f\r\nreg.exe delete \"HKCU\\Conttol Panel\\Desktop\" /v WallpaperStyle /f\r\ncmd.exe /c reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\" /v NoChang\r\nreg.exe add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\" /v NoChangingWall\r\ncmd.exe /c reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\" /v NoChang\r\nreg.exe add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\" /v NoChangingWall\r\ncmd.exe /c reg add \"HKCU\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\Public\\bg.jpg\" /f\r\nreg.exe add \"HKCU\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\Public\\bg.jpg\" /f\r\nreg.exe add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v Wallpaper /t REG_SZ /\r\ncmd.exe /c reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v WallpaperStyle\r\nreg.exe add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v WallpaperStyle /t REG\r\ncmd.exe /c reg add \"HKCU\\Control Panel\\Desktop\" /v WallpaperStyle /t REG_SZ /d 2 /f\r\nreg.exe add \"HKCU\\Control Panel\\Desktop\" /v WallpaperStyle /t REG_SZ /d 2 /f\r\ncmd.exe /c 
reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v Wallpaper /t R\r\ncmd.exe /c cmd.exe /c reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v Wal\r\nPsExec\r\nExecuting PsExec with the specific parameters -d, -u and -s together with cmd /c COPY, copying the files to the C:\\Windows\\Temp folder, is another specific indicator of the ransomware group. This also covers T1569.002 Service Execution, since PsExec with the Rhysida-specific parameters mentioned above runs its payload through the PSEXESVC service. The behavior itself can be tested, as I described at the SANS European DFIR Summit, with Atomic Red Team test #2 for T1219 (Remote Access Software), as shown in the picture below:\r\nThreat Hunting AnyDesk with David Bianco’s PEAK Threat Hunting Framework\r\nTo systematically analyze and hunt for AnyDesk or other RMM tools, you can base your research on the outstanding PEAK approach by David Bianco.\r\nA very short high-level description of PEAK: with ABLE you systematically analyze Actor, Behavior, Location and Evidence. In the first phase of PEAK (Prepare, Execute, Act, Knowledge) you set the stage for your hunt as shown in the picture above; after that you gather and escalate your critical findings to preserve them, and in the last phase of your hunt you document your findings. I think I will write another article about the PEAK Threat Hunting Framework in the future with another example and dive a little deeper into it.
Let’s do it now with a short summary for AnyDesk in the following pictures:\r\nThis results in knowledge (picture originally from David Bianco’s Hypothesis-Driven Hunting Process).\r\nHunting Rhysida AnyDesk\r\nTo detect the installation independently of the file name anydesk.exe, which a simple rename would defeat, it is recommended to use a more robust detection such as the named pipe \\adprinterpipe we have seen in the pictures above, which can be recorded via Sysmon (pipe created and pipe connected events) during the AnyDesk installation. You can take that detection and score it with the Summiting the Pyramid approach, a threat-informed defense approach developed by the MITRE Center for Threat-Informed Defense to score detections systematically.\r\nI have described a detailed summary of this brilliant approach in my article Summiting the Pyramid — A new Dimension of Cyber Analytics Engineering. I highly recommend reading that article as well as the original documentation, which you can find here.\r\nOpen Source Community Edition Detection Engineering Tools\r\nimede.ai\r\nFurther Sigma rules for the AnyDesk installation are available from the legendary The DFIR Report team in the imede.ai community edition.
Imede.ai is a relatively new detection engineering platform with built-in Sigma rules and attack simulation, the latter requiring the enterprise version, which I unfortunately don’t have right now. In the community edition, Sigma rules are available for the entire kill chain as well as specifically for Sysmon, Zeek and Azure. I’m excited to see how the platform will evolve. At the moment there is still relatively little content, but this will certainly improve over time with increasing awareness that such a detection engineering platform exists and offers another opportunity to search for specific hunting queries.\r\nuncoder.ai\r\nIn uncoder.ai, for example, you can get even more Sigma rules for AnyDesk, such as the Sigma rule “Anydesk Temporary Artefact” by frack113. This Sigma rule detects AnyDesk via its user.conf and system.conf files carrying a .temp suffix. The Sigma rules are also available on GitHub.\r\nExample KQL query for Microsoft Defender for Endpoint:\r\nDeviceFileEvents | where ((FolderPath contains @'\\AppData\\Roaming\\AnyDesk\\user.conf' or FolderPath contains @'\\AppData\\Roaming\\AnyDesk\\system.conf') and FolderPath endswith @'.temp')\r\nPortStarter Rhysida C2 Script\r\nFor PortStarter, the tool Rhysida uses to establish backdoor C2 communication, the detection opportunity is main.dll with SHA-256 b25b87cfcedc69e27570afa1f4b1ca85aab07fd416c5d0228f1fe32886e0a9a6 in the path C:\\Users\\Public\\main.dll.\r\nSophos analysis: scheduled task and living-off-the-land rundll32 for PortStarter\r\nTo execute the PortStarter backdoor, the attackers were observed creating a scheduled task called ‘System’ for persistence to run C:\\Users\\Public\\main.dll:\r\nC:\\Windows\\system32\\schtasks.exe /create /sc ONSTART /tn System /tr 
“rundll32 C:\\Users\\Public\\main.dl\r\nSimilarly, the threat actors were also observed creating a scheduled task called ‘SystemCheck’ for persistence to run a PortStarter DLL (C:\\ProgramData\\schk.dll).\r\nC:\\Windows\\Tasks\\windows32u.dll\r\nC:\\Windows\\Tasks\\windows32u.ps1\r\nOver the course of several cases, the PortStarter backdoor was observed in different file paths reaching out to the following IPs:\r\nC:\\Windows\\System32\\config\\main.dll: 156.96.62[.]58, 146.70.104[.]249, 51.77.102[.]106\r\nc:\\users\\public\\main.dll: 108.62.141[.]161\r\nC:\\ProgramData\\schk.dll: 157.154.194[.]6\r\nEspecially for the IP address 156.96.62[.]58 we can also see that this address was abused by the threat actor Lazarus, too.\r\nCredential Access\r\nRhysida’s credential access tactic is similar to Vice Society’s approach via NTDS.dit, MITRE ATT\u0026CK technique T1003.003.\r\nHere you can hunt for the command powershell 'ntdsutil.exe' 'ac i ntds' 'ifm' 'create full c:\\temp_l0gs' Q q as well as for the tool secretsdump. If you find secretsdump, it may also be an indicator that Rhysida has successfully exploited Zerologon (CVE-2020-1472), as mentioned in the notes of the exploit-db entry (point 3) and described in various CTI reports such as the CISA alert AA23-319A.\r\nSpecial reference should also be made here to the artifact temp_l0gs. Both Vice Society and Rhysida create this path during credential dumping.\r\nAs always, there are different sources to create your own Sigma rules or to use hunting packages from HUNTER or impede.ai as well as Tidal Cyber and SOC Prime. All platforms offer a community edition.
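Before looking at what these platforms offer, here is an added example of rolling your own detection logic; it is not code from the original article or from any vendor named in it. The Python script below turns the command-line indicators quoted in this article (the reg.exe wallpaper and ActiveDesktop policy changes including the ‘Conttol Panel’ spelling from the command list, PsExec with -d and -s plus cmd /c COPY into C:\\Windows\\Temp, the ‘System’ scheduled task running rundll32 on C:\\Users\\Public\\main.dll, ntdsutil IFM into c:\\temp_l0gs, and secretsdump) into a small rule set and runs it over constructed Sysmon Event ID 1 style process-creation records. The host names, shares and the benign control events are invented for the demo, and the rule names and ATT&CK mappings are my own choices.

```python
# Added example, not code from the original article or from any vendor named in
# it: the Rhysida command-line indicators quoted in this article expressed as a
# small rule set and run over Sysmon Event ID 1 style process-creation records.
# Each rule lists needles that must all occur in the lower-cased command line.
# Substring matching survives cmd.exe /c wrapping and argument reordering but not
# renamed tools, so rules that key on behaviour (registry policy path plus value
# name, ntdsutil ifm plus the temp_l0gs path) rank higher in Summiting the
# Pyramid terms than rules that key on a tool name alone (secretsdump, psexec).

# (rule name, ATT&CK technique, needles that must all be present)
RULES = [
    # reg delete on the misspelled 'Conttol Panel' key, as listed in the article
    ('rhysida_conttol_panel_typo', 'T1491.001',
     ('reg', 'conttol panel', 'wallpaperstyle')),
    # NoChangingWallpaper policy under the HKCU/HKLM ActiveDesktop key
    ('rhysida_activedesktop_nochangingwallpaper', 'T1491.001',
     ('reg', r'policies\\activedesktop', 'nochangingwallpaper')),
    # wallpaper value pointed at C:\\Users\\Public\\bg.jpg
    ('rhysida_public_bg_jpg_wallpaper', 'T1491.001',
     ('reg', '/v wallpaper', r'\\users\\public\\bg.jpg')),
    # PsExec -d ... -s cmd /c COPY staging the payload into C:\\Windows\\Temp
    ('psexec_copy_to_windows_temp', 'T1569.002',
     ('psexec', ' -s ', 'cmd /c copy', r'\\windows\\temp')),
    # scheduled task 'System' running rundll32 on C:\\Users\\Public\\main.dll
    ('portstarter_system_task_rundll32', 'T1053.005',
     ('schtasks', '/sc onstart', 'rundll32', r'\\users\\public\\main.dll')),
    # ntdsutil IFM dump of NTDS.dit into c:\\temp_l0gs
    ('ntdsutil_ifm_temp_l0gs', 'T1003.003',
     ('ntdsutil', 'ifm', 'create full', 'temp_l0gs')),
    # tool-name match only: brittle against renaming, but cheap to add
    ('impacket_secretsdump', 'T1003.003', ('secretsdump',)),
]


def match_rules(command_line):
    # names of every rule whose needles all occur in the command line
    low = command_line.lower()
    return [name for name, _tech, needles in RULES
            if all(n in low for n in needles)]


def scan(events):
    # event id -> sorted rule hits (an empty list means no hit)
    return {e['id']: sorted(match_rules(e['command_line'])) for e in events}


def technique(rule_name):
    # ATT&CK technique the rule is mapped to
    return next(t for n, t, _ in RULES if n == rule_name)


# Constructed sample telemetry (Sysmon Event ID 1 reduced to the fields the rules
# need). Host names, shares and the three benign entries are invented.
SAMPLE_EVENTS = [
    {'id': 1, 'command_line':
     r'cmd.exe /c reg delete \"HKCU\\Conttol Panel\\Desktop\" /v WallpaperStyle /f'},
    {'id': 2, 'command_line':
     r'reg.exe add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\" /v NoChangingWallpaper /t REG_DWORD /d 1 /f'},
    {'id': 3, 'command_line':
     r'cmd.exe /c reg add \"HKCU\\Control Panel\\Desktop\" /v Wallpaper /t REG_SZ /d \"C:\\Users\\Public\\bg.jpg\" /f'},
    {'id': 4, 'command_line':
     r'PsExec.exe \\\\SRV01 -d -s cmd /c COPY \\\\DC01\\staging\\conhost.exe C:\\Windows\\Temp\\conhost.exe'},
    {'id': 5, 'command_line':
     r'C:\\Windows\\system32\\schtasks.exe /create /sc ONSTART /tn System /tr \"rundll32 C:\\Users\\Public\\main.dll\"'},
    {'id': 6, 'command_line':
     r'powershell.exe ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full c:\\temp_l0gs\" q q'},
    {'id': 7, 'command_line':
     r'python3 secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL'},
    # benign controls: admin registry query, PsExec without the copy, a normal task
    {'id': 8, 'command_line':
     r'reg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" /v ProductName'},
    {'id': 9, 'command_line': r'PsExec.exe \\\\SRV01 -s ipconfig /all'},
    {'id': 10, 'command_line':
     r'schtasks.exe /create /sc ONSTART /tn Backup /tr C:\\Tools\\backup.exe'},
]


if __name__ == '__main__':
    for event_id, names in scan(SAMPLE_EVENTS).items():
        for name in names:
            print(event_id, technique(name), name)
```

Events 1 to 7 each trigger exactly one rule and the three benign controls trigger none; the PsExec control in particular shows why the copy into C:\\Windows\\Temp, not the -s switch alone, carries the signal. To move a rule up the pyramid, replace a tool-name needle with the behaviour it produces, as the ntdsutil rule does with the IFM path.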
Of these, Uncoder.ai has the advantage that you can immediately adapt specific Sigma rules to the respective attacker yourself, while Tidal Cyber gives you a great overview of which Sigma rule to use for a specific MITRE ATT\u0026CK technique.\r\nEspecially for Rhysida, Cyborg Security HUNTER offers the following hunting packages in the community edition for free:\r\n· Wevtutil Cleared Log\r\n· Remote Desktop Protocol (RDP) port manipulation\r\n· Autorun or ASEP Registry Key Modification\r\n· Shadow Copies Deletion Using Operating System Utilities\r\n· Deletion of Windows Event Logs\r\nRegarding wevtutil, you can test it in your own environment in several ways to understand your telemetry, as shown in the following pictures:\r\nThis is the same way Rhysida would delete your event logs.\r\nAnother detection opportunity is the ransom note Rhysida drops, CriticalBreachDetected.pdf. Rhysida also removes the subkeys under HKCU:\\Software\\Microsoft\\Terminal Server Client, and with them values such as UsernameHint. The CISA alert AA23-319A describes the ransom note as follows:\r\nRhysida actors reportedly engage in “double extortion” [T1657] — demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. [5],[7] Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. As shown in Figure 1, Rhysida ransomware drops a ransom note named “CriticalBreachDetected” as a PDF file — the note provides each company with a unique code and instructions to contact the group via a Tor-based portal.\r\nDuring the encryption Rhysida changes the registry to disable Windows Error Reporting.
This change is another specific IOC you can use as a VIP detection.\r\nDuring your investigation, the following IOCs (SHA-256) are recommended by CISA:\r\nSock5.sh 48f559e00c472d9ffe3965ab92c6d298f8fb3a3f0d6d203cd2069bfca4bf3a57\r\nPsExec64.exe edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef\r\nPsExec.exe 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b\r\nPsGetsid64.exe 201d8e77ccc2575d910d47042a986480b1da28cf0033e7ee726ad9d45ccf4daa\r\nPsGetsid.exe a48ac157609888471bf8578fb8b2aef6b0068f7e0742fccf2e0e288b0b2cfdfb\r\nPsInfo64.exe de73b73eeb156f877de61f4a6975d06759292ed69f31aaf06c9811f3311e03e7\r\nPsInfo.exe 951b1b5fd5cb13cde159cebc7c60465587e2061363d1d8847ab78b6c4fba7501\r\nPsLoggedon64.exe fdadb6e15c52c41a31e3c22659dd490d5b616e017d1b1aa6070008ce09ed27ea\r\nPsLoggedon.exe d689cb1dbd2e4c06cd15e51a6871c406c595790ddcdcd7dc8d0401c7183720e\r\nPsService64.exe 554f523914cdbaed8b17527170502199c185bd69a41c81102c50dbb0e5e5a78d\r\nPsService.exe d3a816fe5d545a80e4639b34b90d92d1039eb71ef59e6e81b3c0e043a45b751c\r\nEula.txt 8329bcbadc7f81539a4969ca13f0be5b8eb7652b912324a1926fc9bfb6ec005a\r\npsfile64.exe be922312978a53c92a49fefd2c9f9cc098767b36f0e4d2e829d24725df65bc21\r\npsfile.exe 4243dc8b991f5f8b3c0f233ca2110a1e03a1d716c3f51e88faf1d59b8242d329\r\npskill64.exe 7ba47558c99e18c2c6449be804b5e765c48d3a70ceaa04c1e0fae67ff1d7178d\r\npskill.exe 5ef168f83b55d2cbd2426afc5e6fa8161270fa6a2a312831332dc472c95dfa42\r\npslist64.exe d3247f03dcd7b9335344ebba76a0b92370f32f1cb0e480c734da52db2bd8df60\r\npslist.exe ed05f5d462767b3986583188000143f0eb24f7d89605523a28950e72e6b9039a\r\npsloglist64.exe 5e55b4caf47a248a10abd009617684e969dbe5c448d087ee8178262aaab68636\r\npsloglist.exe dcdb9bd39b6014434190a9949dedf633726fdb470e95cc47cdaa47c1964b969f\r\npspasswd64.exe 8d950068f46a04e77ad6637c680cccf5d703a1828fbd6bdca513268af4f2170f\r\npspasswd.exe 
6ed5d50cf9d07db73eaa92c5405f6b1bf670028c602c605dfa7d4fcb80ef0801\r\npsping64.exe d1f718d219930e57794bdadf9dda61406294b0759038cef282f7544b44b92285\r\npsping.exe 355b4a82313074999bd8fa1332b1ed00034e63bd2a0d0367e2622f35d75cf140\r\npsshutdown64.exe 4226738489c2a67852d51dbf96574f33e44e509bc265b950d495da79bb457400\r\npsshutdown.exe 13fd3ad690c73cf0ad26c6716d4e9d1581b47c22fb7518b1d3bf9cfb8f9e9123\r\npssuspend64.exe 4bf8fbb7db583e1aacbf36c5f740d012c8321f221066cc68107031bd8b6bc1ee\r\npssuspend.exe 95a922e178075fb771066db4ab1bd70c7016f794709d514ab1c7f11500f016cd\r\nPSTools.zip a9ca77dfe03ce15004157727bb43ba66f00ceb215362c9b3d199f000edaa8d61\r\nPstools.chm 2813b6c07d17d25670163e0f66453b42d2f157bf2e42007806ebc6bb9d114acc\r\npsversion.txt 8e43d1ddbd5c129055528a93f1e3fab0ecdf73a8a7ba9713dc4c3e216d7e5db4\r\npsexesvc.exe This artifact is created when a user establishes a connection using PsExec. It is removed after the connection is terminated, which is why there is no hash available for this executable.\r\nTo detect the deployment you can use the following IOCs:\r\npsexec.exe 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b\r\nA file used to execute a process on a remote or local host.\r\nS_0.bat 1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597\r\nA batch script likely used to place 1.ps1 on victim systems for ransomware staging purposes [T1059.003].\r\n1.ps1 4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183\r\nIdentifies an extension block list of files to encrypt and not encrypt.\r\nS_1.bat 97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4\r\nA batch script that copies conhost.exe (the encryption binary) into the C:\\Windows\\Temp directory of each system on an imported list of host names.\r\nS_2.bat 918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1\r\nExecutes conhost.exe on compromised 
victim systems, which encrypts and appends the extension .Rhysida across the environment.\r\nThe file extension for the encryption is .Rhysida and, additionally, third-party researchers identified evidence of Rhysida actors developing custom tools with the program name set to Rhysida-0.1.\r\nConclusion\r\nRhysida was at first an underestimated ransomware group. Over the last months we can see that the threat actor is not only attacking critical infrastructure such as the healthcare system but is also developing capabilities similar to those of other big game hunting threat actors.\r\nThe mere fact that Rhysida is targeting healthcare and is not afraid to blackmail the British royal family should make it clear that neither Vice Society nor Rhysida affiliates will stop enriching themselves from other people’s misery. For this reason, companies as well as healthcare and government agencies should take measures to detect an attack.\r\nSource: https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2"
	],
	"report_names": [
		"rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98770ad3a03b8e40918afe8274b9e026f0597880.pdf",
		"text": "https://archive.orkl.eu/98770ad3a03b8e40918afe8274b9e026f0597880.txt",
		"img": "https://archive.orkl.eu/98770ad3a03b8e40918afe8274b9e026f0597880.jpg"
	}
}