{
	"id": "c5dd386a-c6b2-40c7-aaf6-04c81529cf30",
	"created_at": "2026-04-06T00:11:32.684729Z",
	"updated_at": "2026-04-10T03:20:41.985204Z",
	"deleted_at": null,
	"sha1_hash": "a75d4e2a8c8e6d7d4995ce445731d518c81ce211",
	"title": "Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5736654,
	"plain_text": "Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to\r\nAttack Chilean Army\r\nBy Alex Delamotte \u0026 Jim Walter\r\nPublished: 2023-06-29 · Archived: 2026-04-05 19:33:28 UTC\r\nThe Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware\r\noperation. Despite the developer’s partial implementation of some features, the group emerged onto the scene at the end of\r\nMay with a high-profile attack against the Chilean Army, continuing the ongoing trend of ransomware groups targeting\r\nLatin American government institutions. On June 15, the group leaked the files stolen from the Chilean Army.\r\nIn this post, we provide a high-level overview of Rhysida ransomware activity and present technical details of the malware\r\npayloads, along with hunting rules and IoCs to aid threat hunters and security teams.\r\nRecent Attacks Attributed to Rhysida\r\nOn May 29 2023, the Chilean Army reported that it had been the target of a cyberattack affecting the organization’s internal\r\nnetwork on Saturday, May 27. The attack was later attributed to Rhysida.\r\nStrategically, the Rhysida group’s attack against the army of Chile distinguishes this newcomer from the sea of ransomware\r\nnewcomers. It should be noted that Rhysida is an apparently independent ransomware group: SentinelOne has not observed\r\nany overt connections to existing ransomware operations. As such, any potential geopolitical ramifications from attacking\r\nChile’s government are as yet unclear. This is not the first time a Chilean governmental organization has been compromised\r\nby a new ransomware family, as demonstrated by the ARCrypter attack in November 2022.\r\nThe attack was followed by the leaking of data belonging to the army on June 15th. 
Through the week of June 19 2023,\r\nRhysida’s leaks page displayed an influx of further victims, including multiple organizations in each of the following\r\nsectors:\r\nEducation\r\nGovernment\r\nManufacturing\r\nTechnology and Managed Service Providers (MSP)\r\nVictims are distributed throughout Western Europe, North \u0026 South America, and Australia, loosely aligning the group’s\r\ntargeting with many ransomware operations that avoid targeting countries in Eastern Europe and Central Asia’s\r\nhttps://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/\r\nPage 1 of 8\n\nCommonwealth of Independent States. There are no Asian organizations posted at this time.\r\nOperational Overview\r\nThe Rhysida ransomware group was first observed in May of 2023, following the emergence of their victim support chat\r\nportal, hosted via TOR (.onion). The name “Rhysida” refers to a specific genus of centipede. This is also reflected in\r\nthe ‘branding’ on their victim blog.\r\nThe genus Rhysida and the Rhysida ransomware logo\r\nAn Apache configuration status page reveals that the web server hosting the portal was first set up in March 2023. The group\r\nhas since migrated their blog to a more ‘hardened’ instance of nginx, and these server configuration details and status are no\r\nlonger visible. This move may have been prompted by the original IP address being exposed across various underground\r\nforums and markets.\r\nRhysida RaaS: Leakage of original blog IP address\r\nRhysida is a privately marketed RaaS without known forum presence. The group positions themselves as a “cybersecurity\r\nteam” who are doing their victims a favor by targeting their systems and highlighting the potential ramifications of the\r\ninvolved security issues. 
The group threatens victims with public distribution of the exfiltrated data, bringing them in line\r\nwith modern-day multi-extortion groups.\r\nThe group’s website also serves as a portal for Rhysida-centric news and media coverage, as well as details on how to contact\r\nthe group should journalists, recovery firms or “fans” be inclined to do so.\r\nRhysida’s ‘communication portal’\r\nVictims are instructed to contact the attackers via their TOR-based portal, utilizing their unique identifier provided in the\r\nransom notes. Rhysida accepts payment in Bitcoin only, providing information on the purchase and use of BTC on the\r\nvictim portal as well. Upon providing their unique ID to the payment portal, an additional form is presented that allows\r\nvictims to provide additional information to the attackers, such as authentication and contact details.\r\nRhysida portal’s additional details form\r\nTechnical Details\r\nRhysida is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using\r\nMINGW/GCC. In each sample analyzed, the application’s program name is set to Rhysida-0.1, suggesting the tool is in\r\nearly stages of development.\r\nA notable characteristic of the tool is its plain-text strings revealing registry modification commands.\r\nRhysida Encryption \u0026 File Processing\r\nFor encryption, Rhysida uses a 4096-bit RSA key with the ChaCha20 algorithm. Its main function initializes the\r\nransomware’s overall runtime, including encryption specifics. The main function contains several nested if-else conditions\r\nthat handle arguments that specify different encryption implementations. 
The processFileEnc function contains code\r\nblocks for other encryption methods, including Rijndael, though the preceding functions are prefixed “test”.\r\nprocessFileEnc calls init_prng, which initializes the encryption routine’s pseudo-random number generator that is\r\npassed to the chacha_crypt function.\r\nEncryption function call graph from main to chacha_crypt\r\nThe processFileEnc function contains code that lists files and parses the current file name. Following encryption, Rhysida\r\nappends the .rhysida extension to the name of encrypted files.\r\nAfter the encryption details are established, Rhysida enumerates files and folders connected to the system. The main\r\nfunction ends by calling PowerShell to delete the binary after encryption has completed.\r\nRhysida main function encryption checks\r\nRhysida uses a file exclusion list to avoid encrypting certain files. This check occurs in the isFileExcluded function,\r\nwhich compares the current file extension against exclude_extensions, an array that contains the following excluded file\r\nextensions:\r\n[ bat, bin,\r\n cab, cmd, com, cur,\r\n diagcab, diagcfg, diagpkg, drv, dll,\r\n exe,\r\n hlp, hta,\r\n ico, ini, iso,\r\n lnk,\r\n msi,\r\n ocx,\r\n ps1, psm1,\r\n scr, sys,\r\n Thumbs-db,\r\n url\r\n]\r\nThis function initializes two variables, exclude_i as 0 and exclude_c as 11, which iterate through the array of 27\r\nexcluded file extensions and the length of the current file name.\r\nRhysida’s isFileExcluded function\r\nExtended features, beyond encrypting files, are still not present in current variations of Rhysida. 
The most recent of the analyzed\r\nsamples continue to lack commodity features like VSS removal, multiple persistence mechanisms, process termination or\r\nunhooking.\r\nRansom Note \u0026 Victim Notification\r\nRhysida generates the ransom note as a PDF document. The content of the document is embedded in the binary in clear text. This\r\nis a missed opportunity for the actors: PDF is a powerful document format that enables data to be encoded in many ways,\r\noften not in clear text. If the developer embedded the PDF object within the binary instead of constructing the PDF at runtime\r\nfrom unencrypted strings, Rhysida would evade string-based detection based on ransom note language.\r\nRhysida ransom note, CriticalBreachDetected.pdf\r\nRhysida’s setBG function is designed to create a new image, write it to C:\\Users\\Public\\bg.jpg, and run registry\r\nmodifications via cmd.exe to change the wallpaper and prevent the victim’s ability to change it. During SentinelOne’s\r\nanalysis, this process did not execute successfully and the JPG is not written to disk.\r\nRhysida’s setBG function\r\nThe setBG function pulls elements from the PDF ransom note and allocates them to a buffer, which then is inserted into a\r\nnew JPG image. The developer misspelled Control Panel as Conttol Panel in two of the registry modification commands.\r\nWe patched the binary to correct the spelling, but the wallpaper still did not change.\r\nIt is of note that this misspelling flaw persists across versions of Rhysida. 
Original versions (example:\r\n69b3d913a3967153d1e91ba1a31ebed839b297ed) compiled on May 15, 2023, as well as the sample associated with the\r\nChilean Army attack (338d4f4ec714359d589918cee1adad12ef231907, compiled on May 27, 2023), each contain this issue.\r\nSentinelOne Protects Against Rhysida Ransomware\r\nThe SentinelOne Agent detects Rhysida ransomware and prevents execution and file encryption.\r\nFor details about Rhysida and other ransomware families, visit SentinelOne’s Ransomware Anthology page.\r\nConclusion\r\nRhysida represents an unusual combination of techniques that suggest the developer is thinking outside the confines of\r\ncontemporary ransomware. Features like the PDF ransom note could be leveraged for enhanced stealth, while the wallpaper\r\nchanging feature is quite obtrusive, though not yet functional.\r\nThere are hallmarks of a less seasoned actor, such as the unobfuscated registry modification and PowerShell commands seen\r\nthroughout the program. However, these are cosmetic fixes. 
Time will tell whether the developer’s choice to omit ubiquitous\r\nfeatures, such as VSS copy deletion, will pay off or be supplemented through tools outside of the Rhysida application.\r\nIndicators of Compromise (IOC)\r\nSHA1 | Description\r\n69b3d913a3967153d1e91ba1a31ebed839b297ed | Rhysida PE first reported by MalwareHunterTeam\r\n338d4f4ec714359d589918cee1adad12ef231907 | Rhysida PE used in attack against Chilean Army\r\nb07f6a5f61834a57304ad4d885bd37d8e1badba8 | Rhysida PE, crashes during analysis\r\nYARA Hunting Rule\r\nSentinelOne is providing the following YARA rule that defenders can use to identify Rhysida ransomware binaries.\r\nrule rw_rhysida {\r\n    meta:\r\n        author = \"Alex Delamotte\"\r\n        description = \"Rhysida ransomware detection.\"\r\n        sample = \"69b3d913a3967153d1e91ba1a31ebed839b297ed\"\r\n        reference = \"https://s1.ai/rhys\"\r\n    strings:\r\n        $typo1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C\r\n        $cmd1 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 53 6F 66\r\n        $cmd2 = { 63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66\r\n        $byte1 = { 48 8D 05 72 AA 05 00 48 8B 00 8B 95 }\r\n        $byte2 = { 48 8D 15 89 CF 03 00 48 89 C1 E8 F9 1C 03 00 44 }\r\n    condition:\r\n        2 of them\r\n}\r\nSource: https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/"
	],
	"report_names": [
		"rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army"
	],
	"threat_actors": [],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a75d4e2a8c8e6d7d4995ce445731d518c81ce211.pdf",
		"text": "https://archive.orkl.eu/a75d4e2a8c8e6d7d4995ce445731d518c81ce211.txt",
		"img": "https://archive.orkl.eu/a75d4e2a8c8e6d7d4995ce445731d518c81ce211.jpg"
	}
}