Skip to content


In May 2023, a new Ransomware-as-a-Service (RaaS) group named Rhysida emerged. This group uses phishing and hacking tools to deploy a Windows ransomware application, also called Rhysida, to breach the target networks and distribute a malicious payload to encrypt data. Following typical ransomware trends, they threaten to expose stolen data unless a ransom is paid publicly. The Rhysida ransomware, denoted as Rhysida-0.1, is in its early development stages, as evidenced by its naming convention and basic functionalities. The group also operates a dark web portal, where they label themselves a “cyber security team”. This platform showcases ongoing auctions of stolen data and the number of affected victims.

How does it spread?

Rhysida employs a well-crafted and intricate strategy for propagating its ransomware payload. Rhysida leverages many methods, most notably phishing emails, to manipulate unsuspecting individuals into downloading or interacting with the malicious ransomware software. At a closer look, the Rhysida ransomware, currently identified as Rhysida-0.1, utilises a formidable combination of a 4096-bit RSA key and the ChaCha20 encryption algorithm. This encryption mechanism is employed to lock victims’ data.

A distinct feature of Rhysida’s approach is including a ransom note in PDF format. This choice hints at a strategic targeting of systems capable of handling document-based formats, potentially excluding those reliant on command-line operating systems prevalent in network devices and servers. Once the ransomware is executed and the victim’s data is encrypted, this PDF ransom note is presented, providing detailed instructions on establishing contact with the ransomware operators for payment, typically in the form of cryptocurrency like Bitcoin.

Figure 1 – Logo used by Rhysida Group

How to stay safe?

  • Update/Patch Systems – This can help prevent exploits if you accidentally click on a phishing link or download a malicious file.
  • Phishing Awareness Training – Regular training in recognising and evading phishing attempts is crucial for employees to defend against the primary method of delivery used by Rhysida.
  • Endpoint Security Solutions – Employ security tools offered by reputable companies like Sophos and Palo Alto Networks to constantly monitor network entry points, scrutinise incoming data, and potentially intercept and halt malicious software. These tools may also provide the ability to remotely isolate and remove data, effectively curbing the spread of ransomware within the network.
  • Immutable Backups – Safeguard against potential ransomware infection by implementing immutable backups— these are backups that cannot be edited or deleted, making them more resilient towards encryption and enabling efficient data restoration.
  • Network Segmentation – Restrict the impact of ransomware by dividing the network into segments, minimising its spread in case one section of the network is infected.
  • Firewalls/Intrusion Detection Systems – Strengthen defences through firewalls and intrusion detection systems. These can detect and block suspicious activities, potentially preventing infection.
  • Incident Response Plan – An incident response plan ensures swift and effective action in the event of a ransomware attack, mitigating potential harm and minimising disruptions.
  • Least Privilege Principle – Keep access rights of users and applications to the bare minimum. This approach obstructs ransomware from acquiring the permissions necessary for file encryption or network-wide infection.


Currently, Rhysida has impacted a range of countries. However, there is a concentration of confirmed cases in the UK, which stands as the second-highest affected country. In addition, the educational sector is the most prominently hit by the ransomware group. Researchers have even theorised a possible connection between Rhysida and Vice Society, another cybercrime group that conducts similar campaigns. Both groups share an interest in targeting educational institutions and have prompted further concerns that Rhysida might expand its focus to include the healthcare sector, which would further align with Vice Society’s scope.