
Executive summary
Rhysida is a ransomware operation active since early 2023, assessed to operate in a RaaS-style model and to hit "targets of opportunity" across education, healthcare, manufacturing, IT, and government. Multiple agencies note overlaps between Rhysida activity and Vice Society tradecraft. Recent updates highlight cloud-adjacent exfil paths (e.g., Azure Blob via AZCopy/Storage Explorer), heavy living-off-the-land (PowerShell/RDP/VPN), and a PDF ransom note named CriticalBreachDetected. [CISA]
High-profile impacts include the British Library (months-long outage, ~600 GB leak) and Insomniac Games (~1.7 TB leak after non-payment), demonstrating Rhysida's pressure-first, leak-later playbook. [Wikipedia, The New Yorker, Axios]
Technical TTPs (MITRE ATT&CK, defender-focused)
Initial access — TA0001
- Valid accounts used against VPNs that do not enforce MFA by default; more recently, Gootloader has been observed for initial access in some cases. [CISA]
Living off the land (LOTL) & discovery — TA0007/TA0008
- Native tools and commands: RDP (mstsc.exe), PowerShell, ipconfig, whoami, nltest, and net * enumeration for users, groups, and domain info. [CISA]
Tools commonly leveraged
- PsExec for remote execution, PuTTY/SSH for lateral access, AnyDesk for persistence/remote control. 2025 campaigns add AZCopy and StorageExplorer for cloud data movement. [CISA]
Execution, encryption & cleanup — TA0002 / TA0040
- Encryptor modifies files and appends a .rhysida extension; invokes PowerShell to self-delete and clears event logs to hinder forensics. [CISA]
Data theft & extortion — TA0010 / T1657
- Double extortion with Bitcoin payments routed via a TOR portal; the PDF ransom note CriticalBreachDetected includes a unique company code and instructions. [CISA]
Notable operations & impact (context to brief execs)
- British Library (Oct 2023): Rhysida demanded ~£600k in BTC; after refusal, ~600 GB was leaked. Recovery cost is pegged in the multi-million range, with service disruption lasting months. [Wikipedia, The Times]
- Insomniac Games (Dec 2023): ~1.67 TB of data leaked (projects, personal data) after non-payment, illustrating Rhysida's willingness to fully publish crown-jewel IP. [Axios]
Artifacts, IOCs & “hunt right now” cues (behavior > hashes)
- Ransom note & markers: PDF CriticalBreachDetected; many campaigns show .rhysida extensions. [CISA]
- Cloud exfil indicators: sudden use of AZCopy and StorageExplorer-windows-x64.exe; outbound connections to Azure Blob endpoints. [CISA]
- Rhysida infra crumbs: actor emails on onionmail[.]org and the URIs/domains listed in the latest joint advisory; watch for C:\in, C:\out, and C:\out\PSTools.zip\ on staging hosts. [CISA]
- Windows tamper: extensive event-log clearing (e.g., via wevtutil) preceding encryption; LOTL with mstsc.exe, PsExec.exe, and PowerShell ISE executing scripts from %AppData%\Local\Temp%. [CISA]
Treat file hashes as ephemeral; bias detections toward process sequences, command-lines, and network destinations.
Detection engineering (quick wins)
Identity/edge
- Alert when VPN logins occur without MFA or from rare geos/ASNs, especially on admin accounts. [CISA]
Endpoint / EDR
- Chain analytics: PowerShell or cmd spawning PsExec → share enumeration → log clears → mass writes/renames → creation of CriticalBreachDetected.pdf. [CISA]
- Add detections for AZCopy/StorageExplorer executions on non-developer servers, and for AnyDesk installs/first use. [CISA]
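The chain analytic above, together with the "hunt right now" cues from the previous section, expressed as a stage-sequencing rule over constructed process and file events. This is an added example, not CISA's or CyberDudeBivash's code; the three-stage alert bar, the 20-rename threshold, the one-hour window and the host paths are assumptions to tune per estate.

```python
"""Chain analytic for the Rhysida endpoint sequence: shell -> PsExec -> share enumeration
-> wevtutil log clear -> mass .rhysida renames -> ransom-note drop. Added example; events are constructed."""
import ntpath

STAGES = ["psexec_from_shell", "share_enum", "log_clear", "mass_rename", "ransom_note"]
SHELLS = {"powershell.exe", "powershell_ise.exe", "cmd.exe"}
RENAME_THRESHOLD = 20  # assumed tuning value: .rhysida renames before "mass" applies

def base(path):  # lower-cased file name from a Windows path
    return ntpath.basename(path).lower()

def stage_of(ev):
    """Map one event to a chain stage; mass_rename is counted in evaluate_host."""
    if ev["type"] == "process":
        img, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmdline"].lower()
        if img in {"psexec.exe", "psexec64.exe"} and parent in SHELLS:
            return "psexec_from_shell"
        if img in {"net.exe", "net1.exe"} and any(k in cmd for k in (" share", " view", " group")):
            return "share_enum"
        if img == "wevtutil.exe" and (" cl " in cmd or "clear-log" in cmd):
            return "log_clear"
    elif ev["type"] == "file" and base(ev["path"]) == "criticalbreachdetected.pdf":
        return "ransom_note"
    return None

def evaluate_host(events, window_s=3600):
    """Stages seen in chain order within window_s of the first hit; alert at >= 3 stages."""
    seen, renames, first_ts = [], 0, None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if first_ts is not None and ev["ts"] - first_ts > window_s:
            break  # later activity would start a new evaluation window
        st = stage_of(ev)
        if ev["type"] == "file" and ev["path"].lower().endswith(".rhysida"):
            renames += 1
            st = "mass_rename" if renames == RENAME_THRESHOLD else st
        if st and (not seen or STAGES.index(st) > STAGES.index(seen[-1])):
            seen.append(st)
            first_ts = ev["ts"] if first_ts is None else first_ts
    return {"stages": seen, "alert": len(seen) >= 3}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE = [  # constructed events for one host; ts in seconds from an arbitrary origin
    {"ts": 0, "type": "process", "image": r"C:\out\PSTools\PsExec.exe", "parent": PS,
     "cmdline": r"PsExec.exe \\SRV02 -s cmd.exe"},
    {"ts": 90, "type": "process", "image": r"C:\Windows\System32\net.exe", "parent": CMD,
     "cmdline": "net share"},
    {"ts": 600, "type": "process", "image": r"C:\Windows\System32\wevtutil.exe", "parent": CMD,
     "cmdline": "wevtutil cl Security"},
] + [{"ts": 700 + i, "type": "file", "path": rf"D:\shares\finance\q3-{i}.xlsx.rhysida"} for i in range(25)]
SAMPLE.append({"ts": 800, "type": "file", "path": r"D:\shares\finance\CriticalBreachDetected.pdf"})
```

Events outside the window are dropped rather than extending the chain, so a legitimate admin `net share` days earlier does not inflate a later score.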
Network
- New Azure Blob destinations, TOR bootstrap attempts from servers, and unusual SMB/RDP bursts between peer servers. [CISA]
Mitigation priorities (that actually reduce risk)
- MFA everywhere (prefer phishing-resistant FIDO2/WebAuthn), with explicit checks on VPN/webmail/admin access. [CISA]
- Harden PowerShell: latest PowerShell/PowerShell Core only; restrict usage by role; enable script block + transcription logging and forward to a SIEM (≥180-day retention). [CISA]
- Reduce LOTL surface: disable unneeded RDP, enforce just-enough-admin, and segment networks to curb lateral spread. [CISA]
- Cloud egress controls: monitor/block unsanctioned Azure Blob transfers; DLP on mass archive creation; restrict PsExec/RMM tooling. [CISA]
- Backups & recovery: maintain offline/immutable backups and test restores; assume leak risk regardless of decryption outcomes. (Agency guidance stresses resilience + segmentation.) [CISA]
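The Azure Blob egress signal (the Network detection bullet above and the cloud egress control in this list) as a baseline-plus-volume rule over constructed proxy log lines. Added example, not the advisory's or CyberDudeBivash's code; the baseline map, the 5 GiB threshold, the host names and the stg4u7q2x storage account are all assumptions.

```python
"""Egress analytic for the cloud-exfil pattern: a server reaching an Azure Blob endpoint
outside its baseline, or pushing an unusual volume to blob storage. Added example; the
proxy log lines are constructed (fields: epoch src_host dst_host bytes_out)."""
from collections import defaultdict

BLOB_SUFFIX = ".blob.core.windows.net"
VOLUME_BYTES = 5 * 1024 ** 3  # assumed: 5 GiB to blob storage per host per window

# Assumed baseline of storage accounts each server is sanctioned to reach.
BASELINE = {"srv-backup01": {"corpbackups.blob.core.windows.net"}}

def parse(line):
    """One space-separated proxy record -> dict; hosts are normalized to lower case."""
    ts, src, dst, out = line.split()
    return {"ts": int(ts), "src": src.lower(), "dst": dst.lower(), "bytes_out": int(out)}

def blob_alerts(lines):
    """Return ('new_destination', host, dst) for each unbaselined blob endpoint a host
    touches and ('volume', host, bytes) when its total blob traffic exceeds VOLUME_BYTES."""
    totals, alerts = defaultdict(int), []
    for rec in map(parse, lines):
        if not rec["dst"].endswith(BLOB_SUFFIX):
            continue  # other destinations are out of scope for this rule
        if rec["dst"] not in BASELINE.get(rec["src"], set()):
            hit = ("new_destination", rec["src"], rec["dst"])
            if hit not in alerts:
                alerts.append(hit)
        totals[rec["src"]] += rec["bytes_out"]
    alerts += [("volume", h, n) for h, n in totals.items() if n > VOLUME_BYTES]
    return alerts

SAMPLE_LOG = """\
1717000000 srv-backup01 corpbackups.blob.core.windows.net 734003200
1717000300 srv-file02 stg4u7q2x.blob.core.windows.net 2147483648
1717000600 srv-file02 stg4u7q2x.blob.core.windows.net 4294967296
1717000900 srv-file02 login.microsoftonline.com 4096
""".splitlines()  # constructed lines; stg4u7q2x is a made-up, unsanctioned storage account
```

The sanctioned backup server stays quiet while the file server trips both the new-destination and the volume rule, which is the pairing worth paging on.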
Rapid response playbook (print-ready)
- Contain — disable suspicious VPN sessions; isolate staging hosts; block TOR and cloud-storage egress (temporary).
- Preserve — snapshot VMs; collect VPN/AD/EDR/PowerShell logs; preserve firewall/proxy and Azure egress telemetry.
- Hunt — look for AZCopy/StorageExplorer, AnyDesk, PsExec, wevtutil log clears, RDP bursts, and CriticalBreachDetected.pdf drops. [CISA]
- Eradicate — rotate creds; remove persistence (new admins/services/scheduled tasks); patch exposed services; tighten VPN policies (MFA enforced).
- Recover — restore from clean, immutable backups on segmented VLANs; validate with canary files; throttle egress until environment is clean.
- Notify — regulators & law enforcement; watch for leak-site posts and prepare comms accordingly. [CISA]
Sources & further reading
- CISA/FBI/MS-ISAC #StopRansomware: Rhysida — updated Apr 30, 2025 with new IOCs, the .rhysida extension, note name, LOTL/tools, and mitigations. [CISA]
- HHS HC3 Sector Alert (Aug 2023) — early profile and health-sector focus. [HHS.gov]
- Recorded Future (Oct 2024) — infrastructure tiers & pre-extortion detection windows. [Recorded Future]
- British Library incident analyses & updates (2023–2024) — impact and recovery timeline. [Wikipedia, British Library]
- Insomniac Games leak (Dec 2023) — scale and consequences. [Axios]
CTA (CyberDudeBivash services)
Need a 2-hour tabletop or Rhysida-mapped detection pack for your SIEM/XDR (including AZCopy/StorageExplorer rules and PowerShell telemetry hardening)? We’ll ship a tailored set.
#CyberDudeBivash #Rhysida #Ransomware #RaaS #DoubleExtortion #AzureBlob #PowerShell #MFA #MITREATTACK #DFIR #XDR #ThreatIntel