Operator dossier

Rhysida is a ransomware operator currently active on public leak sites. Darkfield has indexed 278 public victims claimed by this operator between June 5, 2023 and May 20, 2026. Rhysida is a ransomware group that emerged in June 2023, operating with primarily financial motivations through targeted attacks against critical infrastructure and public sector organizations. The group's origin and potential state affiliations remain unclear, though they operate independently rather than as a traditional Ransomware-as-a-Service model, with limited public documentation regarding connections to other cybercriminal organizations. Rhysida employs double extortion tactics, typically gaining initial access through compromised VPN credentials and exploiting vulnerable public-facing applications before deploying their ransomware payload and exfiltrating sensitive data prior to encryption. The group has demonstrated a particular focus on healthcare and educational institutions, with notable attacks documented by CISA and FBI advisories highlighting their targeting of hospitals and school districts across multiple countries, resulting in significant operational disruptions to critical services. As of late 2024, Rhysida remains an active threat with continued operations targeting organizations primarily in the United States, Canada, and other Western nations, maintaining their focus on high-value sectors where operational disruption can maximize ransom payment likelihood.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Rhysida

278 victims indexed · first seen 3 years ago · last activity 23 hours ago

278

Victims indexed

#31 of 348 tracked operators

2y 11m

Active period

Jun 2023 → May 2026

Countries hit

top United States · 107

At a glance

Status: active
First seen: 3 years ago
Last activity: 23 hours ago
Onion sites: 5 known endpoints
Primary sector: Healthcare · 42 hits

About

Rhysida is a ransomware group that emerged in June 2023, operating with primarily financial motivations through targeted attacks against critical infrastructure and public sector organizations. The group's origin and potential state affiliations remain unclear, though they operate independently rather than as a traditional Ransomware-as-a-Service model, with limited public documentation regarding connections to other cybercriminal organizations. Rhysida employs double extortion tactics, typically gaining initial access through compromised VPN credentials and exploiting vulnerable public-facing applications before deploying their ransomware payload and exfiltrating sensitive data prior to encryption. The group has demonstrated a particular focus on healthcare and educational institutions, with notable attacks documented by CISA and FBI advisories highlighting their targeting of hospitals and school districts across multiple countries, resulting in significant operational disruptions to critical services. As of late 2024, Rhysida remains an active threat with continued operations targeting organizations primarily in the United States, Canada, and other Western nations, maintaining their focus on high-value sectors where operational disruption can maximize ransom payment likelihood.

References

3 links

External sources curated by the MISP threat-intel community.

Timeline

24 months

2024-04-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

107

🇨🇦 Canada

🇮🇹 Italy

🇬🇧 United Kingdom

🇦🇺 Australia

🇩🇪 Germany

🇨🇭 Switzerland

🇧🇷 Brazil

United States dossier →Canada dossier →Italy dossier →United Kingdom dossier →

Top sectors

Healthcare

Not Found

Education

Government

Business Services

Manufacturing

Public Sector

Technology

Healthcare dossier →Not Found dossier →Education dossier →Government dossier →

MITRE ATT&CK

11 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1543Create or Modify System Process
T1055Process Injection
T1027Obfuscated Files or Information
T1003OS Credential Dumping
T1021Remote Services
T1005Data from Local System
T1041Exfiltration Over C2 Channel
T1486Data Encrypted for Impact

Detection · YARA rules

1 rule

Rhysida_Ransomware
Detects Rhysida ransomware
source: CISA AA23-319A

Recent victims

Loading…

Onion infrastructure

5 known

http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion
http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion/
http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion/archive.php?last&auction
http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion
http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php

Source

Updated 23 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.