{
	"id": "951226c4-c24e-462c-a2a3-273eaebe7179",
	"created_at": "2026-04-06T00:11:06.130711Z",
	"updated_at": "2026-04-10T13:12:33.335784Z",
	"deleted_at": null,
	"sha1_hash": "a18f773402de272129ab1de8d0bf7e095e374b30",
	"title": "Rhysida Ransomware: History, TTPs and Adversary Emulation Plans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 769020,
	"plain_text": "Rhysida Ransomware: History, TTPs and Adversary Emulation\r\nPlans\r\nArchived: 2026-04-05 16:41:08 UTC\r\nRhysida is a new player in the ransomware space, first appearing in May 2023, and has been targeting industries\r\nall across the globe. In recent months, Rhysida has run campaigns compromising and extorting organizations from\r\nthe government, education, healthcare, IT, and manufacturing sectors. Rhysida emerged in the ransomware space\r\nwith a high-profile attack on the Chilean army. The group currently has more than 50 victims listed on its leak site.\r\nRhysida Ransomware History\r\nRhysida Ransomware is an independent group that was first observed in May 2023. The group presents itself as a\r\ncybersecurity team doing its victims a favour by highlighting their security issues and the potential ramifications. The\r\nTTPs used by Rhysida have significant similarities with those of another ransomware group, Vice Society. Vice Society\r\nhas been active since 2021 and follows an opportunistic attack methodology. The group exploits vulnerable web-facing applications or uses valid accounts to gain access to organisations. Vice Society’s last attacks were seen\r\nbetween July and October 2022.\r\nWhen Rhysida emerged, many similarities in TTPs were noted between Rhysida and Vice Society: use of the same folder name, use of SystemBC (malware for sale), and the exact same name for the\r\nregistry run key used for persistence. All of these point to a rebranding of Vice Society as the Rhysida group. Vice\r\nSociety’s activities have reduced significantly since the emergence of Rhysida, and the group has published only two\r\nvictims on its leak site since. The two groups have also targeted similar industries, namely healthcare and\r\neducation, revealing ties between Rhysida and Vice Society members.\r\nRhysida Ransomware Behavior\r\nDuring encryption, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm. 
It uses an exclusion list to\r\navoid encrypting files with the following extensions:\r\nbat, bin, cab, cmd, com, cur, diagcab, diagcfg, diagpkg, drv, dll, exe, hlp, hta, ico,\r\nini, iso, lnk, msi, ocx, ps1, psm1, scr, sys, Thumbs-db, url\r\nAfter encryption, Rhysida appends the .rhysida extension to the names of the encrypted files. It changes the\r\nwallpaper and drops a ransom note as a PDF document.\r\nhttps://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation\r\nPage 1 of 9\n\nRhysida Ransom Note as a PDF document\r\nRhysida Ransomware TTPs\r\nThe Rhysida Ransomware operators compromise their victims opportunistically using recent exploits or utilising\r\nvalid credentials bought from Initial Access Brokers on dark web marketplaces. During the encryption phase of\r\ntheir chain, they utilise either their own Rhysida payload or other ransomware payloads available in the RaaS\r\necosystem, such as QuantumLocker, BlackCat, and Zeppelin, among others. There have been a few cases where the\r\ngroup did not encrypt the victim’s files but performed extortion using only exfiltrated stolen data.\r\nRhysida’s Infection Chain\r\nInitial Access\r\nRhysida operators perform initial access using multiple methods. They opportunistically target vulnerable web\r\napplications or acquire valid RDP accounts or VPN credentials from Initial Access Brokers. 
They have also been\r\nobserved conducting successful phishing attacks.\r\nTechnique | Description\r\nT1078: Valid Accounts | Rhysida operators utilise valid account credentials or VPN credentials to gain access to organisations\r\nT1190: Exploit Public-Facing Applications | Rhysida operators opportunistically target vulnerable web-facing applications and exploit them to gain access to organisations\r\nT1566: Phishing | Rhysida operators are known to conduct phishing attacks with malicious Excel payloads\r\nExecution\r\nAfter the initial access, Rhysida operators have been seen utilising bat scripts, PS1 files and scheduled tasks to\r\nexecute their payloads. The group deploys commodity tools and malware, such as Cobalt Strike beacons and\r\nSystemBC, on the compromised systems.\r\nTechnique | Description\r\nT1059.001: Command and Scripting Interpreter: PowerShell | Rhysida operators drop a variety of PowerShell scripts and execute commands using PowerShell\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell | Rhysida operators use batch scripting and execute commands using the Windows command prompt\r\nPrivilege Escalation\r\nRhysida operators escalate their privileges by utilising process injection to become NT AUTHORITY\\SYSTEM, or\r\nbecome Domain Admin by utilising exploits such as ZeroLogon.\r\nTechnique | Description\r\nT1055.002: Process Injection: Portable Executable Injection | Rhysida operators inject the 64-bit PE ransomware into running processes to escalate its privileges\r\nT1068: Exploitation for Privilege Escalation | Rhysida operators exploit vulnerable machines in the environment, such as Windows servers, to escalate their privileges to Domain Admin\r\nDefence Evasion\r\nDuring their infection chain, Rhysida operators continuously remove indicators of compromise. 
They\r\nregularly clear Windows event logs, delete files, and create hidden artifacts.\r\nTechnique | Description\r\nT1070.001: Indicator Removal: Clear Windows Event Logs | Rhysida operators use wevtutil.exe to clear system, application, and security event logs to avoid detection\r\nT1070.004: Indicator Removal: File Deletion | Rhysida operators utilise PowerShell and scheduled tasks to delete any artifacts created on the system to prevent forensic scrutiny\r\nT1564.003: Hide Artifacts: Hidden Window | Rhysida operators execute commands in hidden PowerShell windows\r\nCredential Dumping\r\nOnce they have the right privileges, Rhysida operators try to find credentials to spread across the organisation.\r\nThey dump LSASS memory and the NTDS database, and scour the registry for credentials.\r\nTechnique | Description\r\nT1003.003: OS Credential Dumping: NTDS | Rhysida operators use tools like secretsdump to dump the NTDS database and extract credentials\r\nT1003.001: OS Credential Dumping: LSASS Memory | Rhysida operators dump lsass.exe using a variety of methods, such as procdump or even dumping the whole RAM, to extract NTLM hashes\r\nT1003.004: OS Credential Dumping: LSA Secrets | Rhysida operators try to extract LSA secrets by dumping the SAM and SECURITY keys from the registry\r\nDiscovery\r\nDuring the course of the infection, Rhysida operators discover details that may help accomplish further goals,\r\nsuch as lateral movement. 
They discover remote systems, current user permissions, and any trusts they can utilise\r\nto further their objectives.\r\nTechnique | Description\r\nT1016: System Network Configuration Discovery | Rhysida operators use the ipconfig command to enumerate system network configurations\r\nT1018: Remote System Discovery | Rhysida operators use net group \"domain computers\" /domain to enumerate servers on the victim domain\r\nT1033: System Owner/User Discovery | Rhysida operators utilise whoami and various net commands to identify logged-in users and their associated privileges and groups\r\nT1069.001: Permission Groups Discovery: Local Groups | Rhysida operators used the command net localgroup administrators to identify accounts with local administrator rights\r\nT1069.002: Permission Groups Discovery: Domain Groups | Rhysida operators used the command net group \"domain admins\" /domain to identify domain administrators\r\nT1087.002: Account Discovery: Domain Account | Rhysida operators used the command net user [username] /domain to identify account information\r\nT1482: Domain Trust Discovery | Rhysida operators used the Windows utility nltest to enumerate domain trusts\r\nLateral Movement\r\nRhysida operators spread through the organisation by utilising RDP and SSH connections. 
They also utilise tools\r\nsuch as PsExec to execute commands and gain a foothold on other systems.\r\nTechnique | Description\r\nT1021.001: Remote Services: Remote Desktop Protocol | Rhysida operators utilise compromised user credentials with RDP for lateral movement\r\nT1021.004: Remote Services: SSH | Rhysida operators utilise compromised user credentials with SSH using PuTTY for lateral movement\r\nCommand and Control\r\nRhysida operators leave AnyDesk services running on compromised systems to obtain remote access and maintain\r\npersistence.\r\nTechnique | Description\r\nT1219: Remote Access Software | Rhysida operators have been observed using the AnyDesk software to obtain remote access to victim systems and maintain persistence\r\nExfiltration\r\nRhysida operators exfiltrate victim data using tools like DataGrabber1 and upload it to their cloud systems. The\r\ndata is leaked or sold to the highest bidder if the victim doesn't pay the ransom.\r\nTechnique | Description\r\nT1567.002: Exfiltration to Cloud Storage | Rhysida operators exfiltrate victim user data using tools such as DataGrabber1 and upload it to their cloud VMs\r\nImpact\r\nRhysida operators are financially motivated and utilise double extortion attacks to force their victims to pay.\r\nAlong with encrypting victim data, they also exfiltrate the data and threaten to publish sensitive information if the\r\nransom is not paid.\r\nTechnique | Description\r\nT1486: Data Encrypted for Impact | Rhysida operators encrypt victim data using a 4096-bit RSA encryption key that implements a ChaCha20 algorithm\r\nT1657: Financial Theft | Rhysida operators engage in “double extortion”, demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid\r\nT1490: Inhibit System 
Recovery | Rhysida operators delete shadow copies using wmic and vssadmin, kill services related to backup software and change the default RDP port to 4000\r\nRhysida Ransomware Hunting \u0026 Detection\r\nRhysida Ransomware can be hunted for in your environment via the following rules.\r\nThe following YARA rule can be used for hunting Rhysida ransomware binaries.\r\nrule rw_rhysida {\r\n\r\n    meta:\r\n        author = \"Alex Delamotte\"\r\n        description = \"Rhysida ransomware detection.\"\r\n        sample = \"69b3d913a3967153d1e91ba1a31ebed839b297ed\"\r\n        reference = \"https://s1.ai/rhys\"\r\n    strings:\r\n        $typo1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6\r\n        $cmd1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 53 6F 66 74 77 61\r\n        $cmd2 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66 74 77 61\r\n        $byte1 = { 48 8D 05 72 AA 05 00 48 8B 00 8B 95 }\r\n        $byte2 = { 48 8D 15 89 CF 03 00 48 89 C1 E8 F9 1C 03 00 44 }\r\n    condition:\r\n        2 of them\r\n}\r\nThe following Fortinet hunting rule can hunt for the persistence method utilized by Rhysida operators.\r\nType: (\"Value Created\") AND Registry.Name:\"socks\" AND Registry.Path: (\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVer\r\nThe following detection rules can be used to detect LSASS memory dumping by Rhysida operators:\r\nProcdump Execution\r\nRenamed ProcDump Execution\r\nPotential LSASS Process Dump Via Procdump\r\nDefend Against Rhysida Ransomware\r\nMost of the TTPs employed by Rhysida operators during the intrusion are typical for these ransomware\r\nintrusions, and no novel techniques were observed. 
This highlights the importance of understanding not just the\r\noperation of a ransomware payload but the entire process leading to its deployment. There are hallmarks of a less\r\nseasoned actor, such as the unobfuscated registry modifications and PowerShell commands seen throughout the\r\nactivity.\r\nThe actors leverage various tools, from remote management tools such as AnyDesk to the\r\ndeployment of ransomware through PsExec, to facilitate such attacks. Closely monitoring those activities could\r\nhelp prevent the next ransomware attack.\r\nOur Threat Research Team has developed adversary emulation plans for the Rhysida Ransomware utilizing\r\nanalyst reports, TTPs and threat intelligence. These plans validate the effectiveness of your various security\r\ncontrols by emulating the TTPs and behaviours utilized by the Rhysida Ransomware group.\r\nEmulate threats continuously on the FourCore ATTACK Platform and achieve Threat-informed Defense.\r\nReferences\r\nCISA #StopRansomware: Rhysida Ransomware\r\nRhysida Incident Response\r\nCheckpoint: Activity Analysis and Ties to Vice Society\r\nSentinelOne: Rhysida Ransomware\r\nSophos: Vice Society and Rhysida Ransomware\r\nMicrosoft: Vice Society opportunistic ransomware campaigns\r\nSOC Radar Threat Profile: Rhysida Ransomware\r\nSource: https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation"
	],
	"report_names": [
		"rhysida-ransomware-history-ttp-adversary-emulation"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a18f773402de272129ab1de8d0bf7e095e374b30.pdf",
		"text": "https://archive.orkl.eu/a18f773402de272129ab1de8d0bf7e095e374b30.txt",
		"img": "https://archive.orkl.eu/a18f773402de272129ab1de8d0bf7e095e374b30.jpg"
	}
}