Analysis Summary

The perpetrators of the Rhysida ransomware carry out opportunistic attacks on organizations across diverse industry sectors. CISA and the FBI have recently published a joint advisory warning of increasing attacks by this ransomware gang.

The Rhysida ransomware gang has been active since at least May 2023 and has impacted at least 62 companies since then, according to their website. The group is known for targeting organizations in multiple industries, some of which include the healthcare, education, manufacturing, government, and information technology sectors.

“Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors,” according to the advisory.

There have been some instances of Rhysida threat actors operating as a ransomware-as-a-service (RaaS), leasing their ransomware tools and infrastructure to affiliates for profit. Any ransom received is then split between the group and its affiliates.

The cybercriminals leverage external-facing remote services such as RDP and VPNs to gain initial access to the targeted network, and use the same services as a first step toward maintaining persistence. The gang usually relies on stolen credentials to authenticate to VPN access points. The attackers have also been seen abusing the Zerologon vulnerability (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in phishing attacks.

The Rhysida ransomware group relies on living-off-the-land techniques, abusing native network administration tools for malicious activity so that its actions blend in with legitimate administration. The group frequently uses the following tools:

  • cmd.exe
  • PowerShell.exe
  • PsExec.exe
  • mstsc.exe
  • PuTTY.exe
  • PortStarter
  • Secretsdump
  • ntdsutil.exe
  • AnyDesk
  • wevtutil.exe
  • PowerView
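Because the tools listed above are legitimate administration binaries, detection has to rest on how they are invoked, not merely on their presence. The following is an added example, not code from this advisory or from CISA/FBI: it triages constructed, Sysmon-style process-creation records (tab-separated: timestamp, host, user, image path, command line), flags any advisory-listed tool at low severity, and raises a few command-line patterns that rarely occur in routine administration (event-log clearing with wevtutil, an NTDS export via ntdsutil, secretsdump, loading PowerView) to high severity. The record format, the sample records and the high-confidence patterns are assumptions made for this example.

```python
import re
from collections import Counter

# Image names of the tools listed in the advisory. PowerView is a PowerShell
# script rather than an executable, so it is matched on the command line below.
WATCHED_IMAGES = {
    "cmd.exe", "powershell.exe", "psexec.exe", "mstsc.exe", "putty.exe",
    "ntdsutil.exe", "wevtutil.exe", "anydesk.exe", "secretsdump.exe",
    "portstarter.exe",
}

# Command-line patterns that separate routine use of these tools from the abuse
# the advisory describes. These are an assumption of this example, not rules
# taken from the advisory; tune them to your environment.
HIGH_CONFIDENCE = [
    (re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), "event log clearing"),
    (re.compile(r"\bntdsutil\b.*\bifm\b", re.I), "NTDS.dit export via IFM"),
    (re.compile(r"secretsdump", re.I), "credential dumping tool"),
    (re.compile(r"powerview", re.I), "PowerView loaded"),
]

# Constructed sample records for the example (not real telemetry).
SAMPLE_EVENTS = [
    "2023-11-16T10:01:02Z\tWS01\tCORP\\alice\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c dir",
    "2023-11-16T10:03:41Z\tWS01\tCORP\\alice\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe notes.txt",
    "2023-11-16T10:15:09Z\tDC01\tCORP\\svc-backup\tC:\\Windows\\System32\\ntdsutil.exe\tntdsutil ac i ntds ifm create full C:\\temp\\out q q",
    "2023-11-16T10:16:30Z\tDC01\tCORP\\svc-backup\tC:\\Windows\\System32\\wevtutil.exe\twevtutil cl Security",
    "2023-11-16T10:20:00Z\tWS07\tCORP\\bob\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -c Import-Module .\\PowerView.ps1",
]


def parse_event(line):
    """Split one tab-separated record into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    # Normalise the image to its basename so path casing and separators do not matter.
    image_name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return {"ts": ts, "host": host, "user": user, "image": image,
            "image_name": image_name, "cmd": cmd}


def classify(event):
    """Return (severity, reason) for an event worth triage, or None."""
    for pattern, reason in HIGH_CONFIDENCE:
        if pattern.search(event["cmd"]):
            return ("high", reason)
    if event["image_name"] in WATCHED_IMAGES:
        return ("low", "advisory-listed tool; correlate with user, host and time")
    return None


def triage(lines):
    """Return (host, user, image_name, severity, reason) for every flagged record."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict:
            findings.append((event["host"], event["user"], event["image_name"],
                             verdict[0], verdict[1]))
    return findings


def prioritise(findings):
    """Count high-severity findings per host so responders start with the worst host."""
    return dict(Counter(host for host, _, _, severity, _ in findings if severity == "high"))


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for host, user, image, severity, reason in results:
        print(f"{severity:4} {host:5} {user:16} {image:16} {reason}")
    print("hosts to look at first:", prioritise(results))
```

A single low-severity hit on cmd.exe is noise on its own; the value of the low tier is correlation, for example a workstation user suddenly launching mstsc.exe and PsExec.exe toward a domain controller within minutes. The high tier is where an alert should page someone.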

Impact

  • Financial Loss
  • Sensitive Data Theft
  • Credential Theft

Indicators of Compromise

MD5

  • 24a648a48741b1ac809e47b9543c6f12
  • db89ec570e6281934a5c5fcf7f4c8967

SHA-256

  • 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
  • edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef

SHA-1

  • 3e2272b916da4be3c120d17490423230ab62c174
  • 0098c79e1404b4399bf0e686d88dbf052269a302

Remediation

  • Block all threat indicators at your respective controls.
  • Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
  • Continuously monitor your network and systems for any signs of suspicious or unauthorized activity. Implement intrusion detection and prevention systems to identify potential attacks.
  • Consider using Web Application Firewalls to help detect and block malicious traffic targeting vulnerabilities like the one described.
  • Implement network segmentation to isolate critical systems and sensitive data from potentially compromised systems.
  • Ensure that all software and applications on your network are up to date with the latest security patches. Regularly update operating systems, browsers, plugins, and other software components.
  • Apply the principle of least privilege, granting users and systems only the access and permissions they need to perform their tasks.
  • Regularly back up critical data and systems. In the event of a successful attack or compromise, having recent backups can help you restore operations and minimize data loss.
  • Establish a robust patch management process to promptly apply security updates and patches to all software and systems in your environment.
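The IOC search recommended above can be carried out with a one-pass file-hash sweep. The following is an added example, not code from this advisory or from CISA/FBI: it hashes every file under a directory with MD5, SHA-1 and SHA-256 in a single read, compares each digest against the hashes listed in the Indicators of Compromise section, and skips unreadable files rather than aborting. Because no real sample is on the page, the demonstration uses constructed files and a locally constructed IOC set to show what a hit looks like alongside a clean result.

```python
import hashlib
import io
import os
import tempfile

# Hashes published in the advisory above (lower-case hex), keyed by algorithm.
ADVISORY_IOCS = {
    "md5": {
        "24a648a48741b1ac809e47b9543c6f12",
        "db89ec570e6281934a5c5fcf7f4c8967",
    },
    "sha1": {
        "3e2272b916da4be3c120d17490423230ab62c174",
        "0098c79e1404b4399bf0e686d88dbf052269a302",
    },
    "sha256": {
        "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b",
        "edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef",
    },
}


def hash_stream(fh, chunk=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in one pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def sweep(root, iocs=ADVISORY_IOCS):
    """Walk `root` and return [(path, algorithm, digest)] for every file whose
    digest appears in `iocs`. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, value in digests.items():
                if value in iocs.get(algo, ()):
                    hits.append((path, algo, value))
    return hits


def demo():
    """Constructed scenario: a benign file plus a stand-in 'suspect' file.
    Returns (hits against the advisory hashes, hits against a local IOC set
    seeded with the suspect file's SHA-256) so both outcomes are visible."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "readme.txt")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign file\n")
        suspect = os.path.join(root, "sub", "update.bin")
        os.makedirs(os.path.dirname(suspect))
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample standing in for a malicious binary\n")

        clean_hits = sweep(root)  # advisory hashes: nothing here should match
        local_iocs = {"sha256": {hash_file(suspect)["sha256"]}}
        hits = sweep(root, local_iocs)
        return clean_hits, [(os.path.relpath(p, root), a) for p, a, _ in hits]


if __name__ == "__main__":
    clean, found = demo()
    print("advisory IOC hits on constructed files:", clean)
    print("hits against local IOC set:", found)
```

Hash-based sweeps only catch the exact samples the advisory enumerates; a rebuilt binary changes every digest, so treat a clean sweep as absence of these specific files, not absence of the actor, and pair it with the behavioural monitoring recommended above.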