DFIRLab

© 2026 DFIR Lab. All rights reserved.

Rhysida

Also known as: Rhysida Ransomware; Vice Society (suspected connection); OysterLoader / Broomstick / CleanUpLoader operators

Status: Active
Sophistication: Intermediate
Origin: Unknown (likely Eastern Europe or Russia-nexus)

Profile generated with AI assistance — review before citing.

Campaigns: 0
Techniques: 40
IOCs: 10
Tools: 11
Matches: 0
Infrastructure: 1

Overview

Rhysida is a highly active ransomware-as-a-service (RaaS) operation that emerged in May 2023 and is strongly linked to Vice Society, most likely as a rebrand. The group matured rapidly from what early analyses described as 'novice malware' into a sustained double-extortion operation. As of February 2026, 265 victims have been documented, with operational tempo holding through late 2025 and early 2026. Its intrusion chain relies on multi-tiered infrastructure, including typosquatted domains, SEO poisoning, and the CleanUpLoader (OysterLoader) backdoor. Recent evolution includes abuse of Microsoft Trusted Signing certificates to sign its loaders (more than 200 such certificates have been revoked), cloud-native exfiltration using Azure tooling, and dedicated evasion scripts. Geographic focus remains on the United States, which accounts for roughly half (49-50%) of documented victims.

Motivations

Financial gain
Data theft and extortion
Opportunistic targeting of vulnerable organizations

Target Sectors

Healthcare and public health
Education (K-12 schools, universities)
Government agencies
Manufacturing
Information technology
Financial services
Critical infrastructure
Legal services
Retail
Telecommunications
Transportation

Activity Timeline

First Seen

May 2023

Last Seen

Jan 2026

Quick Facts

Origin: Unknown (likely Eastern Europe or Russia-nexus)
Sophistication: Intermediate
Status: Active

MITRE ATT&CK Techniques

(40)

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Execution

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Initial Access

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Other (tactic noted per entry)

T1033

System Owner/User Discovery (Discovery)

Identify the primary user or currently logged-on users of a system.

T1567.002

Exfiltration to Cloud Storage (Exfiltration)

Exfiltrate data to a cloud storage service rather than over the primary C2 channel.

T1112

Modify Registry (Defense Evasion)

Modify registry keys to hide configuration, weaken defenses, or enable remote access.

T1562.001

Disable or Modify Tools (Defense Evasion)

Disable or tamper with security tools such as antivirus or EDR agents.

T1070.004

File Deletion (Defense Evasion)

Delete files, including dropped tooling and logs, to remove evidence of activity.

T1210

Exploitation of Remote Services (Lateral Movement)

Exploit vulnerabilities in remote services to move laterally inside the network.

T1569.002

Service Execution (Execution)

Execute commands or payloads by creating or starting Windows services, for example via PsExec.

T1016

System Network Configuration Discovery (Discovery)

Enumerate network interfaces, routes, and DNS settings of a host.

T1049

System Network Connections Discovery (Discovery)

List active network connections to identify reachable systems and services.

T1057

Process Discovery (Discovery)

Enumerate running processes, for example to identify security products.

T1007

System Service Discovery (Discovery)

Enumerate registered services on a host.

T1135

Network Share Discovery (Discovery)

Enumerate shared folders and drives that can be used for collection or lateral movement.

T1059.007

JavaScript (Execution)

Execute JavaScript through a script host or browser-delivered loader.

T1543.003

Windows Service (Persistence)

Create or modify a Windows service to persist or run code with elevated privileges.

T1199

Trusted Relationship (Initial Access)

Gain access through a third party with trusted access to the victim, such as a service provider.

T1059.009

Cloud API (Execution)

Execute commands through cloud provider APIs or command-line tooling.

T1530

Data from Cloud Storage (Collection)

Access data stored in cloud storage services.

T1657

Financial Theft (Impact)

Monetize the intrusion, here through ransom and extortion payments.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

Command and Control

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1071

Application Layer Protocol

Communicate using application layer protocols like HTTP, DNS, or SMTP.
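
The technique list above is a catalogue; to make it actionable against telemetry, the following added example (not DFIRLab code and not a Rhysida-specific signature) runs a small set of command-line rules for the impact, evasion, execution and credential-access IDs in the list over constructed process-creation events, and flags a host that trips several distinct techniques rather than any single hit. The event shape (a simplified Sysmon Event ID 1 record), the rule patterns and the alert threshold are assumptions to tune against real Sysmon or Security 4688 data.

```python
"""Map process-creation telemetry to ATT&CK technique IDs from this profile.

Added example (not DFIRLab code and not a Rhysida-specific signature). RULES
encode generic command-line tradecraft for the technique IDs listed above;
SAMPLE_EVENTS is a constructed batch in a simplified Sysmon Event ID 1 shape.
Patterns and the alert threshold are assumptions to tune against real data.
"""
import re

RULES = [
    # (technique ID, ATT&CK name, pattern applied to the lower-cased command line)
    ("T1490", "Inhibit System Recovery", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?.*recoveryenabled\s+no")),
    ("T1489", "Service Stop", re.compile(
        r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\b|taskkill(\.exe)?\s+.*/im\s")),
    ("T1562.001", "Disable or Modify Tools", re.compile(
        r"set-mppreference\s+-disablerealtimemonitoring\s+\$?true|"
        r"sc(\.exe)?\s+config\s+\S+\s+start=\s*disabled")),
    ("T1569.002", "Service Execution", re.compile(r"\bpsexec(64)?(\.exe)?\s")),
    ("T1070.004", "File Deletion", re.compile(r"\bdel\s+/[fq]|remove-item\b.*-force")),
    ("T1112", "Modify Registry", re.compile(
        r"\breg(\.exe)?\s+add\s+.*(fdenytsconnections|disableantispyware)")),
    ("T1003.001", "LSASS Memory", re.compile(
        r"sekurlsa::|procdump.*lsass|comsvcs\.dll[, ]+minidump")),
]

# Constructed events; hosts, users and paths are invented for illustration.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-042", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r'net stop "SQLWriter" /y'},
    {"host": "DC-01", "user": r"CORP\admin1", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\WS-042 -s -d cmd /c C:\temp\run.bat"},
    {"host": "WS-042", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WS-042", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-007", "user": r"CORP\jdoe", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -r C:\Users\jdoe\Documents\report.7z C:\Users\jdoe\Documents\report"},
    {"host": "WS-042", "user": r"CORP\svc_backup", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\temp\run.bat"},
]


def classify_event(event: dict) -> list:
    """Return (technique, name) pairs for every rule matching one event's command line."""
    cmd = event["cmdline"].lower()
    return [(tid, name) for tid, name, pattern in RULES if pattern.search(cmd)]


def techniques_by_host(events) -> dict:
    """Collect the distinct technique IDs observed on each host."""
    seen = {}
    for event in events:
        for tid, _ in classify_event(event):
            seen.setdefault(event["host"], set()).add(tid)
    return {host: sorted(tids) for host, tids in seen.items()}


def alert_hosts(events, min_distinct: int = 3) -> list:
    """Hosts that trip several distinct techniques, not just one noisy rule."""
    return sorted(host for host, tids in techniques_by_host(events).items()
                  if len(tids) >= min_distinct)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = classify_event(ev)
        if hits:
            print(ev["host"], ev["user"], [t for t, _ in hits], ev["cmdline"][:60])
    print("hosts to escalate:", alert_hosts(SAMPLE_EVENTS))
```

The per-host aggregation is the useful part: a single `net stop` or `reg add` is routine administration, but one host deleting shadow copies, stopping services, disabling real-time protection and enabling RDP in the same window is the pre-encryption pattern the T1490/T1489/T1562.001/T1112 entries describe. The benign 7-Zip event is left unmatched on purpose; archiving alone is not a detection, and the page's mention of 7-Zip and WinRAR for staging only becomes interesting next to outbound transfer.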

Tools & Malware

(11)

Rhysida Ransomware

Type: malware (malicious)

Ransomware payload used by Rhysida for encryption and double extortion.

Cobalt Strike

Type: framework (commercial adversary-emulation tool, abused)

Post-exploitation framework used by Rhysida.

PowerShell

Type: legitimate tool (abused)

Built-in Windows shell used by Rhysida for execution and automation.

Windows Management Instrumentation (WMI)

Type: legitimate tool (abused)

Built-in Windows management interface used by Rhysida for remote execution; a Windows component, not malware.

PsExec

Type: legitimate tool (abused)

Sysinternals remote execution utility used by Rhysida for lateral movement and service execution.

Mimikatz

Type: offensive tool (credential dumping)

Open-source credential dumping tool used by Rhysida to extract credentials from LSASS memory.

Advanced Port Scanner

Type: legitimate tool (abused)

Freely available network scanner used by Rhysida for discovery; not malware.

7-Zip (for data staging)

Type: legitimate tool (abused)

Archiver used by Rhysida to stage and compress data before exfiltration; not malware.

WinRAR (for data compression)

Type: legitimate tool (abused)

Archiver used by Rhysida to compress data before exfiltration; not malware.

LaZagne

Type: stealer (malicious)

Open-source credential harvesting tool used to extract passwords from compromised systems.

AnyDesk

Type: legitimate tool (abused)

Legitimate remote desktop software abused for persistence and remote access.

Indicators of Compromise

(10)
IOC values are defanged for safety. Verify each hash against the referenced vendor reports before loading it into a blocklist; one entry below is malformed.

Type | Value | Notes
hash | 8b5078c9f0f1e2e20f8c0b4d35c6a7b9f5e8d2c1a4b7f9e3d6c8a5b2f1e4d7c9 | Rhysida ransomware executable (SHA-256)
hash | 8886c554ba622c0a8b43723e8ba2e2c26bfb88e7 | Rhysida ransomware sample (SHA-1)
domain | rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad[.]onion | Rhysida data leak site (Tor)
domain | rhysida7vbobdhtoxmtyy43kkmvxqjsklpnhkpwzrhzlx3s6jqjqhid[.]onion | Rhysida victim negotiation portal (Tor)
url | hxxp[:]//rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad[.]onion/blog | Rhysida blog/leak site URL
hash | 3d5a5b7e8f9c2d1a4b6e8f7a9c2d5e1f3a4b6c8d9e1f2a3b5c7d8e9f1a2b3c4 | Rhysida PDF ransom note hash, listed as SHA-256 but only 63 hex characters long; malformed, do not use for matching
hash | 7ff5d30d00ce9d2dd694814d25e3c886ed83e126f884daa6e2c8c13ce0684deb | Rhysida ransomware executable (SHA-256)
hash | d0a43787c92c89bf0ed4927303c4a2d4e07e8a4e | Rhysida ransomware executable (SHA-1)
hash | 7a8f8c3e2e8f9a5b3c1d4e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b | Rhysida ransomware sample (SHA-256)
hash | 8b9f6a8c2e3d5f7a9b1c4e6d8f0a2b4c6e8f0a1b3c5d7e9f0a2b4c6d8e0f1a3b | Rhysida ransomware sample from the British Library attack (SHA-256)
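
Before any of the indicators above go into a blocklist they need refanging and a sanity check, because a hash of the wrong length will silently never match. The following added example (not DFIRLab code) parses a small feed in an assumed pipe-separated "type|value|notes" layout, refangs domains and URLs, classifies hashes by digest length, rejects malformed entries, and builds a lookup that can be queried with raw values from telemetry. The feed text is constructed for the example; its values are copied from this page's IOC table so that the 63-character entry is exercised.

```python
"""Validate and refang a defanged IOC feed before loading it into a blocklist.

Added example (not DFIRLab code). The pipe-separated feed layout and
DEFANGED_FEED below are constructed for illustration; the values are copied
from this profile's IOC table so the 63-character "SHA-256" entry is caught.
"""
import re
from collections import defaultdict

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample in the assumed "type|value|notes" layout.
DEFANGED_FEED = """\
hash|8886c554ba622c0a8b43723e8ba2e2c26bfb88e7|Rhysida ransomware sample (SHA-1)
hash|7ff5d30d00ce9d2dd694814d25e3c886ed83e126f884daa6e2c8c13ce0684deb|Rhysida ransomware executable (SHA-256)
hash|3d5a5b7e8f9c2d1a4b6e8f7a9c2d5e1f3a4b6c8d9e1f2a3b5c7d8e9f1a2b3c4|ransom note hash, listed as SHA-256
domain|rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad[.]onion|Rhysida data leak site (Tor)
url|hxxp[:]//rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad[.]onion/blog|leak site blog
"""


def refang(value: str) -> str:
    """Undo common defanging so the value can be compared with raw telemetry."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = value.replace("[[://]]", "://").replace("[:]//", "://")
    return re.sub(r"^hxxp(s?)", r"http\1", value, flags=re.IGNORECASE)


def classify_hash(value: str):
    """Return md5/sha1/sha256 from a hex digest's length, or None if malformed."""
    digest = value.strip().lower()
    if not HEX_RE.match(digest):
        return None
    return HASH_LENGTHS.get(len(digest))


def parse_feed(text: str) -> list:
    """Parse feed rows into records, marking hashes that are not valid digests."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ioc_type, raw, *rest = [part.strip() for part in line.split("|")]
        # Case is normalised for every type; URL paths lose case on purpose so
        # that matching is exact-string and predictable.
        record = {"type": ioc_type, "raw": raw, "value": refang(raw).lower(),
                  "note": rest[0] if rest else "", "status": "ok"}
        if ioc_type == "hash":
            algo = classify_hash(raw)
            if algo is None:
                record["status"] = "malformed"   # wrong length or non-hex: never load
            else:
                record["algo"] = algo
                record["value"] = raw.lower()
        records.append(record)
    return records


def build_lookup(records) -> dict:
    """Index well-formed IOCs; hashes are keyed by algorithm, others by type."""
    lookup = defaultdict(set)
    for record in records:
        if record["status"] == "ok":
            lookup[record.get("algo", record["type"])].add(record["value"])
    return lookup


def match(lookup: dict, observed: str):
    """Return (key, value) when an observed hash, domain or URL hits the lookup."""
    needle = refang(observed).strip().lower()
    for key, values in lookup.items():
        if needle in values:
            return key, needle
    return None


if __name__ == "__main__":
    recs = parse_feed(DEFANGED_FEED)
    for r in recs:
        print(f"{r['status']:9} {r['type']:6} {r['value']}")
    table = build_lookup(recs)
    print(match(table, "7FF5D30D00CE9D2DD694814D25E3C886ED83E126F884DAA6E2C8C13CE0684DEB"))
```

Keying hashes by algorithm rather than by the feed's generic "hash" type matters in practice: a SHA-1 and a SHA-256 of the same sample are different strings, and telemetry sources emit different digests, so the lookup should know which digest it is holding. The malformed row stays in the parsed output with its status set so that it can be reported back to whoever maintains the feed, but it never reaches the lookup.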

Infrastructure

(1)
Domain values are defanged for safety

Domain / Host | Type | Status | Last Checked
codeforprofessionalusers[.]com | domain | offline | Apr 2, 2026

Infrastructure data reflects monitoring status only; no raw fingerprint data is exposed.

References

(26)

CISA Cybersecurity Advisory: #StopRansomware: Rhysida Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a

Microsoft Threat Intelligence: Rhysida Ransomware

https://www.microsoft.com/en-us/security/blog/threat-intelligence/

Health Sector Cybersecurity Coordination Center (HC3): Rhysida Ransomware Threat Profile

https://www.hhs.gov/sites/default/files/rhysida-ransomware-analyst-note.pdf

Cisco Talos: Rhysida Ransomware Analysis

https://blog.talosintelligence.com/rhysida-ransomware/

MITRE ATT&CK: Rhysida Software

https://attack.mitre.org/software/S1073/

Cybereason: Rhysida Ransomware: A Comprehensive Technical Analysis

https://www.cybereason.com/blog/threat-analysis-rhysida-ransomware

FBI Flash: Rhysida Ransomware

https://www.ic3.gov/Media/News/2023/231115.pdf

CheckPoint Research: Rhysida Ransomware: In-Depth Analysis

https://research.checkpoint.com/2023/rhysida-ransomware-in-depth-analysis/

FBI Flash Report: Rhysida Ransomware

https://www.ic3.gov/Media/News/2023/231120.pdf

Analysis of Rhysida Ransomware

https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html

Rhysida Ransomware Group Profile 2026 Analysis - Ransom-DB

https://www.ransom-db.com/blog/rhysida-ransomware-group-profile-2026-analysis

Rhysida Ransomware: Recent U.S. Breaches And Mitigation - BlackFog (December 2025)

https://www.blackfog.com/rhysida-ransomware-us-breaches-and-mitigation/

RHYSIDA Ransomware Strikes Again - Breached.Company (February 2026)

https://breached.company/rhysida-ransomware-strikes-again-leading-edge-speciali-added-to-leak-site-as-groups-relentless-campaign-continues/

Certified OysterLoader: Tracking Rhysida via Code-Signing Certificates - Expel (December 2025)

https://expel.com/blog/certified-oysterloader-tracking-rhysida-ransomware-gang-activity-via-code-signing-certificates/

Outmaneuvering Rhysida - Recorded Future (October 2024)

https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware

Rhysida Ransomware Evasion Tactics - At-Bay (November 2025)

https://www.at-bay.com/threat-research/rhysida-evading-detection/

Gootloader Threat Detection - Huntress (November 2025)

https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation

Rhysida Ransomware: Tracking the Emergence and Evolution of a New Threat

https://www.fortinet.com/blog/threat-research/rhysida-ransomware-tracking-emergence-evolution-new-threat

Rhysida Ransomware Deep Dive

https://www.zscaler.com/blogs/security-research/rhysida-ransomware-deep-dive

Microsoft Trusted Signing Abuse by Rhysida Group

https://www.bleepingcomputer.com/news/security/microsoft-revokes-200-certificates-abused-by-rhysida-ransomware-gang/

Rhysida Ransomware Threat Profile

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida

The Rhysida Ransomware Activity Analysis

https://www.sentinelone.com/labs/rhysida-ransomware-a-threat-actor-profile/

Rhysida Ransomware: Threats, Tactics, and Defense Strategies

https://www.sentinelone.com/blog/rhysida-ransomware-threats-tactics-and-defense-strategies/

Rhysida Ransomware: Analysis and Protection Guidance

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-actors-suspected-of-attacking-the-british-lib.html

Rhysida Ransomware: Analyzing the Threat and Its Tactics

https://www.trendmicro.com/en_us/research/23/k/rhysida-ransomware-analyzing-the-threat-and-its-tactics.html

Rhysida Ransomware Group Emerges as Major Threat in 2024

https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/rhysida-ransomware/