Skip to main content

Operator dossier

Rhysida is a ransomware operator currently active on public leak sites. Darkfield has indexed 282 public victims claimed by this operator between June 5, 2023 and June 18, 2026. Rhysida is a ransomware group that emerged in June 2023, operating with primarily financial motivations through targeted attacks against critical infrastructure and public sector organizations. The group's origin and potential state affiliations remain unclear, though they operate independently rather than as a traditional Ransomware-as-a-Service model, with limited public documentation regarding connections to other cybercriminal organizations. Rhysida employs double extortion tactics, typically gaining initial access through compromised VPN credentials and exploiting vulnerable public-facing applications before deploying their ransomware payload and exfiltrating sensitive data prior to encryption. The group has demonstrated a particular focus on healthcare and educational institutions, with notable attacks documented by CISA and FBI advisories highlighting their targeting of hospitals and school districts across multiple countries, resulting in significant operational disruptions to critical services. As of late 2024, Rhysida remains an active threat with continued operations targeting organizations primarily in the United States, Canada, and other Western nations, maintaining their focus on high-value sectors where operational disruption can maximize ransom payment likelihood.

Most-targeted sectors

Most-affected countries

Recent disclosures by Rhysida

Most recent 150 of 282 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Rhysida

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Rhysida

282 victims indexed · first seen 3 years ago · last activity 27 days ago

282
Victims indexed
#31 of 364 tracked operators
3y 0m
Active period
Jun 2023 → Jun 2026
30
Countries hit
top United States · 142

At a glance

Status
active
First seen
3 years ago
Last activity
27 days ago
Onion sites
5 known endpoints
Primary sector
Healthcare · 47 hits

About

Rhysida is a ransomware group that emerged in June 2023, operating with primarily financial motivations through targeted attacks against critical infrastructure and public sector organizations. The group's origin and potential state affiliations remain unclear, though they operate independently rather than as a traditional Ransomware-as-a-Service model, with limited public documentation regarding connections to other cybercriminal organizations. Rhysida employs double extortion tactics, typically gaining initial access through compromised VPN credentials and exploiting vulnerable public-facing applications before deploying their ransomware payload and exfiltrating sensitive data prior to encryption. The group has demonstrated a particular focus on healthcare and educational institutions, with notable attacks documented by CISA and FBI advisories highlighting their targeting of hospitals and school districts across multiple countries, resulting in significant operational disruptions to critical services. As of late 2024, Rhysida remains an active threat with continued operations targeting organizations primarily in the United States, Canada, and other Western nations, maintaining their focus on high-value sectors where operational disruption can maximize ransom payment likelihood.

References

3 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-07-01T00:00:00+00:00 · 112024-08-01T00:00:00+00:00 · 182024-09-01T00:00:00+00:00 · 102024-10-01T00:00:00+00:00 · 62024-11-01T00:00:00+00:00 · 72024-12-01T00:00:00+00:00 · 52025-01-01T00:00:00+00:00 · 82025-02-01T00:00:00+00:00 · 82025-03-01T00:00:00+00:00 · 82025-04-01T00:00:00+00:00 · 92025-05-01T00:00:00+00:00 · 92025-06-01T00:00:00+00:00 · 42025-07-01T00:00:00+00:00 · 32025-08-01T00:00:00+00:00 · 62025-09-01T00:00:00+00:00 · 42025-10-01T00:00:00+00:00 · 132025-11-01T00:00:00+00:00 · 112025-12-01T00:00:00+00:00 · 112026-01-01T00:00:00+00:00 · 42026-02-01T00:00:00+00:00 · 62026-03-01T00:00:00+00:00 · 12026-04-01T00:00:00+00:00 · 12026-05-01T00:00:00+00:00 · 82026-06-01T00:00:00+00:00 · 1
2024-07-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
142
🇨🇦 Canada
21
🇬🇧 United Kingdom
17
🇮🇹 Italy
10
🇩🇪 Germany
9
🇦🇺 Australia
8
🇨🇭 Switzerland
6
🇪🇸 Spain
4

Top sectors

Healthcare
47
Education
46
Government
31
Manufacturing
26
Business Services
21
Technology
14
Public Sector
11
Transportation/Logistics
8

MITRE ATT&CK

11 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1543Create or Modify System Process
  • T1055Process Injection
  • T1027Obfuscated Files or Information
  • T1003OS Credential Dumping
  • T1021Remote Services
  • T1005Data from Local System
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Detection · YARA rules

1 rule
  • Rhysida_Ransomware

    Detects Rhysida ransomware

    source: CISA AA23-319A

Recent victims

Loading…

Onion infrastructure

5 known
  • http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion
  • http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion/
  • http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion/archive.php?last&auction
  • http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion
  • http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php

Source

Updated 27 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Rhysida posts a victim.

Add Rhysida to your watchlist — Pro pings you within 5 minutes of any new Rhysida leak-site post, Telegram callout, or affiliate-rebrand inference.