Ransomware Group
Rhysida
Also known as: Rhysida Ransomware
Status: active • First seen 2023-05 • 100+ known victims
Rhysida is a newer ransomware gang that's been hitting hospitals hard. They broke into a major children's hospital and threatened to sell patient data. The FBI and CISA issued emergency warnings about them because they keep targeting healthcare. They steal data before encrypting and threaten to auction it off if you don't pay.
Overview
Rhysida is a ransomware-as-a-service operation that emerged in 2023 and quickly gained notoriety for attacking healthcare organizations, including hospitals and health systems. The group is known for aggressive double extortion tactics and has been linked to Vice Society operators.
Target Industries
Healthcare, Education, Government, Manufacturing, Information Technology
How They Attack
- Phishing with malicious attachments
- Exploiting the Zerologon vulnerability (CVE-2020-1472)
- Using valid VPN credentials
- Living-off-the-land techniques (PowerShell, PsExec)
- Cobalt Strike deployment
Notable Victims
Lurie Children's Hospital (2024), Prospect Medical Holdings (2023), British Library (2023), Chilean Army (2023), Insomniac Games (2023)
How to Protect Against Rhysida
1. Patch Zerologon (CVE-2020-1472) immediately if not done
2. Review VPN access logs for suspicious logins
3. Implement PowerShell logging and monitoring
4. Segment sensitive healthcare data networks
5. Enable the Protected Users security group for privileged accounts
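As an added example (not code from this profile page), a PowerShell audit covering protections 1, 3 and 5 above; it is assumed to run as an administrator on a domain controller with the ActiveDirectory module installed, and the Domain Admins group stands in for the set of privileged accounts to check.

```powershell
# Added defender-side audit; assumes a domain controller, admin rights and the
# ActiveDirectory module. Domain Admins is an assumed privileged-account set.
#Requires -RunAsAdministrator

# 1. Zerologon (CVE-2020-1472): with the August 2020 patch installed, Netlogon
#    logs 5827/5828 (vulnerable secure-channel connections denied) and 5829
#    (vulnerable connection allowed during the pre-enforcement grace period).
#    Any hit points at a device still depending on the vulnerable channel.
function Get-ZerologonEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 3. PowerShell script block logging (Event ID 4104 in
#    Microsoft-Windows-PowerShell/Operational), set through the same policy
#    registry key that Group Policy writes. Returns $true when enabled.
function Enable-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    (Get-ItemProperty -Path $key).EnableScriptBlockLogging -eq 1
}

# 5. Protected Users: list privileged accounts not yet in the group. Members
#    cannot use NTLM, DES/RC4 Kerberos or unconstrained delegation, which
#    removes common credential-reuse paths an intruder with VPN or phished
#    credentials would otherwise rely on.
function Get-UnprotectedPrivilegedUsers {
    Import-Module ActiveDirectory
    $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
        Select-Object SamAccountName, DistinguishedName
}

Get-ZerologonEvents | Format-Table -AutoSize
Enable-ScriptBlockLogging
Get-UnprotectedPrivilegedUsers | Format-Table -AutoSize
```

Add accounts to Protected Users one at a time and confirm they still authenticate, since the group disables NTLM and older Kerberos ciphers for its members.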
MITRE ATT&CK Techniques
Related Groups