{
	"id": "8bbbe8b9-b3fd-4aae-a44a-d3607546f1bb",
	"created_at": "2026-04-06T00:14:02.560984Z",
	"updated_at": "2026-04-10T03:24:23.944339Z",
	"deleted_at": null,
	"sha1_hash": "d8a1de523abadea477f0c5841a6f8562c86069ee",
	"title": "What Cisco Talos knows about the Rhysida ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 435023,
	"plain_text": "What Cisco Talos knows about the Rhysida ransomware\r\nBy Cisco Talos\r\nPublished: 2023-08-08 · Archived: 2026-04-05 16:39:04 UTC\r\nTuesday, August 8, 2023 15:36\r\nCisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services\r\n(HHS) warning the healthcare industry about Rhysida ransomware activity.\r\nAs we've discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked\r\nto the plethora of leaked builders and source code related to various ransomware cartels. This is just another\r\nexample of how these groups can now quickly develop their own ransomware variants by standing on the\r\nshoulders of those criminals who had their previous work exposed publicly. Rhysida appears to have first popped\r\nup back in May, with several high-profile compromises posted on their leak site.\r\nRhysida ransomware details\r\nAs we commonly see in the ransomware space, this threat is delivered through a variety of mechanisms which can\r\ninclude phishing and being dropped as secondary payloads from command and control (C2) frameworks like\r\nCobalt Strike. These frameworks are commonly delivered as part of traditional commodity malware, so infection\r\nchains can vary widely.\r\nThe group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below. They claim\r\nto have compromised the company and are willing to help resolve the issue.  
These types of approaches are not\r\nuncommon — historically, groups have done things like provide \"security reports\" to compromised organizations\r\nto help them \"resolve the issue.\"\r\nhttps://blog.talosintelligence.com/rhysida-ransomware/\r\nPage 1 of 5\n\nSample ransom note.\r\nThe group appears to commonly deploy double extortion — of the victims that have been listed on the leak site,\r\nseveral of them have had some portion of their exfiltrated data exposed.\r\nEncryption algorithm\r\nRhysida’s encryption routine is relatively straightforward and uses the ChaCha20 stream cipher. We\r\nhave seen this algorithm deployed by other groups before, either as a standalone encryption algorithm or as part of\r\na more custom approach. Rhysida enumerates the directories and files on every drive letter from “A:” to\r\n“Z:”, checks each entry against its exclusion lists and then “processes,” i.e., encrypts, the files that are not excluded. Once\r\nencrypted, the file is renamed to “\u003cfilename\u003e.rhysida”.\r\nRhysida’s algorithm for “processing” files.\r\nThe folder exclusion list maintained in Rhysida samples covers most of the usual system directories required for the\r\noperating system to function:\r\nExcluded folders.\r\nExcluded extensions include:\r\n.bat .bin .cab .cmd .com .cur .diagcab .diagcfg .diagpkg .drv .dll .exe .hlp .hta .ico .lnk .msi .ocx .ps1 .psm1 .scr\r\n.sys .ini Thumbs.db .url .iso .cab\r\nAfter encryption, the ransomware displays the ransom note both by creating and opening it as a PDF and by setting it as the\r\nbackground wallpaper. The PDF, usually named “CriticalBreachDetected.pdf”, is generated from content\r\nembedded in the ransomware binary, including the skeleton PDF and the ransom note (shown above). 
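The following is an added Python example for this page; it is not Talos code and not a Rhysida sample. It turns the processing behaviour described above into a small triage helper: given a file inventory, it reports which paths fall outside the extension exclusion list printed above (and so would be ChaCha20-encrypted and renamed to <filename>.rhysida), which paths the ransomware leaves alone, and which paths already carry the post-encryption artifacts the post names (the .rhysida extension, CriticalBreachDetected.pdf, and the wallpaper dropped under Users/Public). The post shows the folder exclusion list only as an image, so the folders in ASSUMED_EXCLUDED_FOLDERS are an assumption, as is the choice to treat files that already carry the .rhysida extension as finished; the inventory is constructed, not data from an incident.

```python
# Added example for this corpus page (not Talos code and not a Rhysida
# sample): applies the file-handling behaviour described in the post to a
# constructed file inventory so a responder can see which paths the
# ransomware skips, and flags the post-encryption artifacts the post names.
import os

# Extension exclusion list as printed in the post; the list's duplicate
# '.cab' collapses into the set. 'Thumbs.db' is a file name, not an extension.
EXCLUDED_EXTENSIONS = {
    '.bat', '.bin', '.cab', '.cmd', '.com', '.cur', '.diagcab', '.diagcfg',
    '.diagpkg', '.drv', '.dll', '.exe', '.hlp', '.hta', '.ico', '.lnk', '.msi',
    '.ocx', '.ps1', '.psm1', '.scr', '.sys', '.ini', '.url', '.iso',
}
EXCLUDED_FILENAMES = {'thumbs.db'}

# ASSUMPTION: the post shows the excluded-folder list only as an image, so
# this is an illustrative subset of common Windows system directories.
ASSUMED_EXCLUDED_FOLDERS = (
    'c:/windows', 'c:/program files', 'c:/program files (x86)', 'c:/programdata',
)

ENCRYPTED_EXT = '.rhysida'                  # <filename>.rhysida after encryption
NOTE_FILENAME = 'criticalbreachdetected.pdf'
WALLPAPER_PATH = 'c:/users/public/bg.jpg'


def drive_roots():
    '''Drive roots in the order the post says Rhysida walks them, A: to Z:.'''
    return [chr(c) + ':/' for c in range(ord('A'), ord('Z') + 1)]


def normalize(path):
    '''Lower-case a Windows path and turn backslashes (chr(92)) into slashes.'''
    return path.replace(chr(92), '/').lower()


def would_be_encrypted(path):
    '''True if the file is outside the exclusion lists, i.e. Rhysida would
    ChaCha20-encrypt it and rename it to <name>.rhysida.'''
    p = normalize(path)
    name = p.rsplit('/', 1)[-1]
    if p.endswith(ENCRYPTED_EXT):
        return False  # ASSUMPTION: already processed; the post does not say
    if name in EXCLUDED_FILENAMES:
        return False
    if os.path.splitext(name)[1] in EXCLUDED_EXTENSIONS:
        return False
    return not any(p.startswith(folder + '/') for folder in ASSUMED_EXCLUDED_FOLDERS)


def encrypted_name(path):
    '''Name a file carries once Rhysida has processed it.'''
    return path + ENCRYPTED_EXT


def find_artifacts(paths):
    '''Return (path, reason) pairs for the on-disk traces the post describes:
    renamed files, the ransom note PDF and the wallpaper under Users/Public.'''
    hits = []
    for path in paths:
        p = normalize(path)
        name = p.rsplit('/', 1)[-1]
        if p.endswith(ENCRYPTED_EXT):
            hits.append((path, 'rhysida extension'))
        elif name == NOTE_FILENAME:
            hits.append((path, 'ransom note pdf'))
        elif p == WALLPAPER_PATH:
            hits.append((path, 'ransom wallpaper'))
    return hits


def triage(paths):
    '''Split an inventory into files Rhysida would encrypt, files it would
    leave alone (so the host still boots and the note can be shown), and
    artifacts indicating encryption already happened.'''
    return {
        'targets': [p for p in paths if would_be_encrypted(p)],
        'skipped': [p for p in paths if not would_be_encrypted(p)],
        'artifacts': find_artifacts(paths),
    }


# Constructed inventory, not data from a real incident.
SAMPLE_INVENTORY = [
    'C:/Users/alice/Documents/Q3-forecast.xlsx',
    'C:/Users/alice/Documents/contract.docx.rhysida',
    'C:/Windows/System32/kernel32.dll',
    'C:/Program Files/App/app.exe',
    'C:/Users/alice/Pictures/Thumbs.db',
    'C:/Users/alice/Desktop/notes.ini',
    'C:/Users/Public/bg.jpg',
    'C:/Users/alice/Desktop/CriticalBreachDetected.pdf',
    'D:/shares/finance/ledger.db',
]

if __name__ == '__main__':
    for kind, items in triage(SAMPLE_INVENTORY).items():
        print(kind)
        for item in items:
            print('  ', item)
```

Run as a script it prints the three buckets for the constructed inventory. Pointing triage() at a real directory listing, for instance a backup catalogue taken before the incident, shows which files to expect renamed on an infected host and which, such as .exe, .dll and .sys files, survive because the exclusion list keeps the machine bootable long enough to display the note.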
The ransom\r\nnote text is also rendered as the background wallpaper, typically written to\r\n“C:/Users/Public/bg.jpg”.\r\nThis new ransomware variant doesn't have any novel features or functionality and points to the challenges\r\norganizations are facing as the landscape continues to shift and a plethora of new actors join their ranks. This isn't\r\neven the only new ransomware group we've written about this week.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nCisco Talos is releasing the following Snort SIDs to protect against this threat: 62220 - 62229, 300653 - 300657.\r\nIndicators of compromise\r\nSHA256 hashes:\r\nD5C2F87033A5BAEEB1B5B681F2C4A156FF1C05CCD1BFDAF6EAE019FC4D5320EE\r\n1A9C27E5BE8C58DA1C02FC4245A07831D5D431CDD1A91CD35D2DD0AD62DA71CD\r\n258DDD78655AC0587F64D7146E52549115B67465302C0CBD15A0CBA746F05595\r\n0BB0E1FCFF8CCF54C6F9ECFD4BBB6757F6A25CB0E7A173D12CF0F402A3AE706F\r\nF6F74E05E24DD2E4E60E5FB50F73FC720EE826A43F2F0056E5B88724FA06FBAB\r\n250E81EEB4DF4649CCB13E271AE3F80D44995B2F8FFCA7A2C5E1C738546C2AB1\r\nA864282FEA5A536510AE86C77CE46F7827687783628E4F2CEB5BF2C41B8CD3C6\r\n6903B00A15EFF9B494947896F222BD5B093A63AA1F340815823645FD57BD61DE\r\n3BC0340007F3A9831CB35766F2EB42DE81D13AEB99B3A8C07DEE0BB8B000CB96\r\n2A3942D213548573AF8CB07C13547C0D52D1C3D72365276D6623B3951BD6D1B2\r\nSource: https://blog.talosintelligence.com/rhysida-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/rhysida-ransomware/"
	],
	"report_names": [
		"rhysida-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434442,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8a1de523abadea477f0c5841a6f8562c86069ee.pdf",
		"text": "https://archive.orkl.eu/d8a1de523abadea477f0c5841a6f8562c86069ee.txt",
		"img": "https://archive.orkl.eu/d8a1de523abadea477f0c5841a6f8562c86069ee.jpg"
	}
}