Rhysida Ransomware
Rhysida Ransomware 是什么?
Rhysida RansomwareA ransomware-as-a-service group first observed in May 2023, known for targeting healthcare, education, and government victims and for high-profile attacks including the British Library and Insomniac Games breaches.
Rhysida is a ransomware-as-a-service group that emerged in May 2023 and quickly became one of the more active newcomers in the 2023–2025 cybercrime landscape, joining a wave of post-LockBit/post-ALPHV operators. The encryptor is written in C++ and uses AES-256 plus ChaCha20 hybrid encryption with file extensions changed to `.rhysida`, leaving the ransom note `CriticalBreachDetected.pdf`. Rhysida favors double-extortion: it exfiltrates data to its 'Rhysida' Tor leak site before encryption and lists victims publicly to pressure payment. The actor has hit a notably broad mix of sectors — local government, K-12 schools, hospitals (Prospect Medical, several U.K. NHS supply chains), the British Library (October 2023, a months-long outage), and Insomniac Games (Sony, December 2023). Initial access has included VPN credentials harvested by info-stealers, phishing, and exploitation of known vulnerabilities; affiliates often use Cobalt Strike, AnyDesk/Atera, and Mimikatz post-exploitation. CISA, the FBI, MS-ISAC, and U.K. NCSC published joint advisories on Rhysida TTPs in late 2023.
● 示例
- 01
Rhysida claimed responsibility for the October 2023 British Library attack, which disrupted catalog, payment, and IT systems for many months.
- 02
An MSSP detects Rhysida pre-encryption by alerting on Atera / AnyDesk installations on unmanaged servers, a recurring tradecraft pattern.
● 常见问题
Rhysida Ransomware 是什么?
A ransomware-as-a-service group first observed in May 2023, known for targeting healthcare, education, and government victims and for high-profile attacks including the British Library and Insomniac Games breaches. 它属于网络安全的 恶意软件 分类。
Rhysida Ransomware 是什么意思?
A ransomware-as-a-service group first observed in May 2023, known for targeting healthcare, education, and government victims and for high-profile attacks including the British Library and Insomniac Games breaches.
Rhysida Ransomware 是如何工作的?
Rhysida is a ransomware-as-a-service group that emerged in May 2023 and quickly became one of the more active newcomers in the 2023–2025 cybercrime landscape, joining a wave of post-LockBit/post-ALPHV operators. The encryptor is written in C++ and uses AES-256 plus ChaCha20 hybrid encryption with file extensions changed to `.rhysida`, leaving the ransom note `CriticalBreachDetected.pdf`. Rhysida favors double-extortion: it exfiltrates data to its 'Rhysida' Tor leak site before encryption and lists victims publicly to pressure payment. The actor has hit a notably broad mix of sectors — local government, K-12 schools, hospitals (Prospect Medical, several U.K. NHS supply chains), the British Library (October 2023, a months-long outage), and Insomniac Games (Sony, December 2023). Initial access has included VPN credentials harvested by info-stealers, phishing, and exploitation of known vulnerabilities; affiliates often use Cobalt Strike, AnyDesk/Atera, and Mimikatz post-exploitation. CISA, the FBI, MS-ISAC, and U.K. NCSC published joint advisories on Rhysida TTPs in late 2023.
如何防御 Rhysida Ransomware?
针对 Rhysida Ransomware 的防御通常结合技术控制与运营实践,详见上方完整定义。
Rhysida Ransomware 还有哪些其他名称?
常见的别称包括: Rhysida。
● 相关术语
- malware№ 1004
勒索软件
对受害者数据进行加密或锁定系统,并要求支付赎金以恢复访问的恶意软件。
- malware№ 1006
勒索软件即服务(RaaS)
一种犯罪商业模式,勒索软件运营者将其恶意软件和基础设施租赁给执行攻击的关联方(affiliate),并按比例分成。
- defense-ops№ 1005
勒索软件团伙
以经济利益为动机的网络犯罪团伙,开发、运营或分发勒索软件,通过加密文件与数据泄露威胁勒索组织。
- attacks№ 307
数据外泄
敏感数据因配置错误或人为疏忽而意外暴露,通常不是攻击者主动入侵造成的。
- defense-ops№ 695
LockBit
讲俄语的勒索软件即服务运营组织,2022—2024 年成为全球最活跃的勒索软件品牌,直至被 Cronos 行动重创。
- defense-ops№ 115
BlackCat / ALPHV
基于 Rust 编写的勒索软件即服务运营组织,2021 年末至 2024 年活跃,以跨平台加密器与激进的多阶段勒索著称。