Rhysida Ransomware Actors

Also known as: Rhysida Ransomware Actors

This object represents the behaviors associated with operators of Rhysida ransomware, which is licensed on a ransomware-as-a-service (“RaaS”) basis. Various affiliated ransomware operators likely do not operate as a cohesive unit. The Rhysida RaaS operation has been active since May 2023, claiming attacks on multiple sectors in several countries in North and South America, Western Europe, and Australia. Many alleged victims are education sector entities. Security researchers have observed TTP and victimology overlaps with the Vice Society extortion group.[HC3 Analyst Note Rhysida Ransomware August 2023]

Related Vulnerabilities: CVE-2020-1472[U.S. CISA Rhysida Ransomware November 15 2023]

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Archelaus Beta:

Attribution and Evidence

Information pending cataloguing.

References

[1] HC3 Analyst Note Rhysida Ransomware August 2023
[2] U.S. CISA Rhysida Ransomware November 15 2023