Rhysida Ransomware.

A ransomware-as-a-service group first observed in May 2023, known for targeting healthcare, education, and government victims and for high-profile attacks including the British Library and Insomniac Games breaches. It belongs to the Malware category of cybersecurity.

A ransomware-as-a-service group first observed in May 2023, known for targeting healthcare, education, and government victims and for high-profile attacks including the British Library and Insomniac Games breaches.

Rhysida is a ransomware-as-a-service group that emerged in May 2023 and quickly became one of the more active newcomers in the 2023–2025 cybercrime landscape, joining a wave of post-LockBit/post-ALPHV operators. The encryptor is written in C++ and uses AES-256 plus ChaCha20 hybrid encryption with file extensions changed to `.rhysida`, leaving the ransom note `CriticalBreachDetected.pdf`. Rhysida favors double-extortion: it exfiltrates data to its 'Rhysida' Tor leak site before encryption and lists victims publicly to pressure payment. The actor has hit a notably broad mix of sectors — local government, K-12 schools, hospitals (Prospect Medical, several U.K. NHS supply chains), the British Library (October 2023, a months-long outage), and Insomniac Games (Sony, December 2023). Initial access has included VPN credentials harvested by info-stealers, phishing, and exploitation of known vulnerabilities; affiliates often use Cobalt Strike, AnyDesk/Atera, and Mimikatz post-exploitation. CISA, the FBI, MS-ISAC, and U.K. NCSC published joint advisories on Rhysida TTPs in late 2023.

Defences for Rhysida Ransomware typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Rhysida.