{
	"id": "a70e75f1-6662-433c-934e-c01fe23227e6",
	"created_at": "2026-04-06T00:09:51.689891Z",
	"updated_at": "2026-04-10T03:21:02.089437Z",
	"deleted_at": null,
	"sha1_hash": "ddfe8b38d10bc6915043e73f718e5801a615af26",
	"title": "Investigating the New Rhysida Ransomware | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44919,
	"plain_text": "Investigating the New Rhysida Ransomware | FortiGuard Labs\r\nPublished: 2023-11-15 · Archived: 2026-04-05 19:45:50 UTC\r\nThe goal of the FortiGuard IR team is to provide organizations with valuable insights from threat analysis to\r\nbolster their security posture. We recently conducted a comprehensive analysis of an incident involving the\r\nRhysida ransomware group, shedding light on their operations, tactics, and impact, including a novel technique\r\ninvolving ESXi-based ransomware.\r\nThe Rhysida Ransomware Group\r\nThe Rhysida group was first identified in May 2023, when they claimed their first victim. This group deploys a\r\nransomware variant known as Rhysida and also offers it as Ransomware-as-a-Service (RaaS). The group has listed\r\naround 50 victims so far in 2023.\r\nThe investigation conducted by the FortiGuard IR team and MDR team uncovered some of the techniques and\r\ntools used by Rhysida:\r\nThe initial detection was identified by the FortiGuard MDR team. The threat actor was observed accessing\r\nsystems in a victim's network and attempting to create memory dumps and gather user data. FortiEDR detected\r\nthese events, allowing the MDR team to analyze them further.\r\nFollowing the initial detection and triage, the FortiGuard IR team was engaged to conduct a complete analysis.\r\nAttack Details\r\nThe threat actors abuse legitimate software such as PowerShell to gain information about users and systems within\r\nthe network, PSExec to schedule tasks and make changes to registry keys to maintain persistence, AnyDesk for\r\nremote connections, and WinSCP for file transfers. The threat actors also attempt to exfiltrate data from various\r\nsystems using MegaSync.\r\nThe report also covers the additional malware the FortiGuard IR Team identified, along with a technique we don’t\r\noften see where the group deployed Windows and Linux binaries.\r\nRestricting Veeam access to only designated machines hindered the threat actors from gaining access to the\r\nbackup files. Moreover, the prudent management of passwords for vSphere fortified the victim's defense. The\r\nRhysida ransomware group is known to target vSphere and look for credentials, so the safeguards that the victim\r\nimplemented were vital to preventing widespread ransomware of the virtual infrastructure.\r\nStaying informed on the landscape of cyber threats is critical. This analysis of the Rhysida group serves as a\r\nvaluable resource for organizations. By uncovering motives and impact, the FortiGuard IR team’s findings can\r\nguide proactive strategies.\r\nhttps://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware\r\nPage 1 of 2\n\nFor a comprehensive understanding of our investigation into Rhysida, including a list of Fortinet protections able\r\nto safeguard your organization, look at the full intrusion analysis report here.\r\nSource: https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/investigating-the-new-rhysida-ransomware"
	],
	"report_names": [
		"investigating-the-new-rhysida-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434191,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddfe8b38d10bc6915043e73f718e5801a615af26.pdf",
		"text": "https://archive.orkl.eu/ddfe8b38d10bc6915043e73f718e5801a615af26.txt",
		"img": "https://archive.orkl.eu/ddfe8b38d10bc6915043e73f718e5801a615af26.jpg"
	}
}