{
	"id": "b23d023d-eb35-47f8-a3fd-1c6fa739687d",
	"created_at": "2026-04-06T00:08:03.944556Z",
	"updated_at": "2026-04-10T03:34:18.768402Z",
	"deleted_at": null,
	"sha1_hash": "cb519e1de7646d511bb6d9b77904c19edb1698ad",
	"title": "Rhysida ransomware behind recent attacks on healthcare",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2593482,
	"plain_text": "Rhysida ransomware behind recent attacks on healthcare\r\nBy Bill Toulas\r\nPublished: 2023-08-09 · Archived: 2026-04-05 20:57:38 UTC\r\nThe Rhysida ransomware operation is making a name for itself after a wave of attacks on healthcare organizations has forced government agencies and cybersecurity companies to pay closer attention to its operations.\r\nFollowing a security bulletin by the U.S. Department of Health and Human Services (HHS), CheckPoint, Cisco Talos, and Trend Micro have all released reports on Rhysida, focusing on different aspects of the threat actor's operations.\r\nPreviously, in June, Rhysida drew attention for the first time after leaking documents stolen from the Chilean Army (Ejército de Chile) on its data leak site.\r\nhttps://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/\r\nPage 1 of 7\r\nAt the time, a preliminary analysis of the Rhysida encryptor by SentinelOne showed that the ransomware was in early development, missing standard features seen in most strains, such as persistence mechanisms, Volume Shadow Copy wiping, and process termination.\r\n\"This is an automated alert from cybersecurity team Rhysida,\" reads the Rhysida ransom note.\r\n\"An unfortunate situation has arisen – your digital ecosystem has been compromised, and a substantial amount of confidential data has been exfiltrated from your network.\"\r\n[Image: Rhysida ransom note. Source: BleepingComputer]\r\nRhysida targets healthcare orgs\r\nWhile some ransomware operations claim not to intentionally target healthcare organizations and even provide free decryption keys if done by mistake, Rhysida does not appear to follow the same policy.\r\nThe Rhysida dark web data leak site lists a healthcare organization in Australia, giving them a week to pay a ransom before the stolen data is leaked.\r\n[Image: Rhysida dark web data leak site. Source: BleepingComputer]\r\nA bulletin published by the U.S. Department of Health and Human Services (HHS) last week warned that while Rhysida still uses an elementary locker, the scale of its activities has grown to dangerous proportions, and recently the threat actors demonstrated a focus on the healthcare and public sector.\r\n\"Its victims are distributed throughout several countries across Western Europe, North, South America, and Australia,\" reads HHS's bulletin.\r\n\"They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector.\"\r\nSources have told BleepingComputer that Rhysida is behind a recent cyberattack on Prospect Medical Holdings, which is still experiencing a system-wide outage impacting 17 hospitals and 166 clinics across the United States.\r\nHowever, Rhysida has not taken responsibility for the attack yet, and PMH has not responded to emails on whether the ransomware gang is behind the attack.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at +16469613731.\r\nA Trend Micro report released today focuses on the most commonly observed Rhysida attack chain, explaining that the threat group uses phishing emails to achieve initial access, then deploys Cobalt Strike and PowerShell scripts, and eventually drops the locker.\r\nAn interesting observation from Trend Micro's analysts is that the PowerShell scripts used by Rhysida operators terminate AV processes, delete shadow copies, and modify RDP configurations, indicating that the locker is still under active development.\r\nA ransomware encryptor itself usually handles these tasks, but the Rhysida operation uses external scripts to achieve the same purposes.\r\n[Image: Rhysida's latest attack chain (Trend Micro)]\r\nCisco Talos' report confirms that the most recent Rhysida locker uses a 4096-bit RSA key with the ChaCha20 algorithm for file encryption and now excludes several directories as well as the following filetypes:\r\n.bat .bin .cab .cmd .com .cur .diagcab .diagcfg .diagpkg .drv .dll .exe .hlp .hta .ico .lnk .msi .ocx .ps1 .psm1 .scr .s\r\n[Image: Directories excluded from encryption. Source: Cisco]\r\nCheckPoint's report goes a step further, linking Rhysida to the now-defunct Vice Society ransomware operation, based on the victim publishing times on the two extortion sites and their similar victim targeting patterns.\r\n[Image: Comparison of activity change in Vice Society and Rhysida (CheckPoint)]\r\nIn conclusion, Rhysida has established itself in the ransomware space quickly, targeting organizations in various sectors and showing no hesitation in attacking hospitals.\r\nAlthough the RaaS appeared to move too quickly in terms of operations while the technical aspect lagged behind, developments on that front show that the locker is catching up.\r\nSource: https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/"
	],
	"report_names": [
		"rhysida-ransomware-behind-recent-attacks-on-healthcare"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434083,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb519e1de7646d511bb6d9b77904c19edb1698ad.pdf",
		"text": "https://archive.orkl.eu/cb519e1de7646d511bb6d9b77904c19edb1698ad.txt",
		"img": "https://archive.orkl.eu/cb519e1de7646d511bb6d9b77904c19edb1698ad.jpg"
	}
}