Rhysida is a ransomware-as-a-service (RaaS) group that emerged in May 2023. The group uses its namesake ransomware, gaining access to targets' networks through phishing and Cobalt Strike before deploying the payload. It threatens to publish exfiltrated data if the ransom is not paid, and at the time of writing the ransomware itself is still at an early stage of development (the binary identifies itself as "Rhysida-0.1"). The ransomware drops PDF ransom notes in the affected folders instructing victims to contact the group through its portal, and payment is made in Bitcoin. After encryption, it appends the extension '.rhysida' to encrypted files. Source: [link omitted]
Defensive detection signatures for this group, for use in your EDR/SIEM. Source: ransomware.live.
rule Rhysida_Ransom {
meta:
author= "Ali Can Gönüllü"
filetype= "Win64 exe"
description= "Rhysida 0.1 Ransomware"
strings:
// "Rhysida-0.1" (version string embedded in the binary)
$ver= {52 68 79 73 69 64 61 2D 30 2E 31}
// "CriticalBreachDetected.pdf" (ransom note file name)
$str1= {43 72 69 74 69 63 61 6C 42 72 65 61 63 68 44 65 74 65 63 74 65 64 2E 70 64 66}
// "C:/Users/Public/bg.jpg" (wallpaper image dropped by the ransomware)
$str2= {43 3A 2F 55 73 65 72 73 2F 50 75 62 6C 69 63 2F 62 67 2E 6A 70 67}
// Tor (.onion) leak-site hostname
$str3= {72 68 79 73 69 64 61 66 6F 68 72 68 79 79 32 61 73 7A 69 37 62 6D 33 32 74 6E 6A 61 74 35 78 72 69 36 35 66 6F 70 63 78 6B 64 66 78 68 69 34 74 69 64 73 67 37 63 61 64 2E 6F 6E 69 6F 6E}
// "chacha20" (cipher name)
$str4= {63 68 61 63 68 61 32 30}
// cmd.exe /c reg delete "HKCU\Cont?ol Panel\Desktop" /v Wallpaper /f   (?? = one wildcard byte)
$cmd1= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 ?? 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 66}
// cmd.exe /c reg delete "HKCU\Cont?ol Panel\Desktop" /v WallpaperStyle /f
$cmd2= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 ?? 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 53 74 79 6C 65 20 2F 66}
// cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
$cmd3= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 41 63 74 69 76 65 44 65 73 6B 74 6F 70 22 20 2F 76 20 4E 6F 43 68 61 6E 67 69 6E 67 57 61 6C 6C 50 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 31 20 2F 66}
// cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
$cmd4= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 43 6F 6E 74 72 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 43 3A 5C 55 73 65 72 73 5C 50 75 62 6C 69 63 5C 62 67 2E 6A 70 67 22 20 2F 66}
// cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
$cmd5= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 53 79 73 74 65 6D 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 43 3A 5C 55 73 65 72 73 5C 50 75 62 6C 69 63 5C 62 67 2E 6A 70 67 22 20 2F 66}
condition:
uint16(0) == 0x5A4D and   // "MZ" header: only scan PE files
(
$ver and
4 of ($str*) and
4 of ($cmd*)
)
}
rule Rhysida_Ransomware{
meta:
author= "Venus Chhantel"
filetype= "Win64 exe"
description= "Detecting Rhysida 0.1 Ransomware"
strings:
// "Rhysida-0.1"
$version= {52 68 79 73 69 64 61 2D 30 2E 31}
// "CriticalBreachDetected.pdf"
$string1= {43 72 69 74 69 63 61 6C 42 72 65 61 63 68 44 65 74 65 63 74 65 64 2E 70 64 66}
// "C:/Users/Public/bg.jpg"
$string2= {43 3A 2F 55 73 65 72 73 2F 50 75 62 6C 69 63 2F 62 67 2E 6A 70 67}
// Tor (.onion) leak-site hostname
$string3= {72 68 79 73 69 64 61 66 6F 68 72 68 79 79 32 61 73 7A 69 37 62 6D 33 32 74 6E 6A 61 74 35 78 72 69 36 35 66 6F 70 63 78 6B 64 66 78 68 69 34 74 69 64 73 67 37 63 61 64 2E 6F 6E 69 6F 6E}
// "chacha20"
$string4= {63 68 61 63 68 61 32 30}
// "Immediate Response Required" (ransom note title)
$string5= {49 6D 6D 65 64 69 61 74 65 20 52 65 73 70 6F 6E 73 65 20 52 65 71 75 69 72 65 64}
// "This is an automated alert from cybersecurity team Rhysida" (ransom note body)
$string6= {54 68 69 73 20 69 73 20 61 6E 20 61 75 74 6F 6D 61 74 65 64 20 61 6C 65 72 74 20 66 72 6F 6D 20 63 79 62 65 72 73 65 63 75 72 69 74 79 20 74 65 61 6D 20 52 68 79 73 69 64 61}
// cmd.exe /c reg delete "HKCU\Cont?ol Panel\Desktop" /v Wallpaper /f   (?? = one wildcard byte)
$cmd1= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 ?? 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 66}
// cmd.exe /c reg delete "HKCU\Cont?ol Panel\Desktop" /v WallpaperStyle /f
$cmd2= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 ?? 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 53 74 79 6C 65 20 2F 66}
// cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
$cmd3= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 41 63 74 69 76 65 44 65 73 6B 74 6F 70 22 20 2F 76 20 4E 6F 43 68 61 6E 67 69 6E 67 57 61 6C 6C 50 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 31 20 2F 66}
// cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
$cmd4= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 43 6F 6E 74 72 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 43 3A 5C 55 73 65 72 73 5C 50 75 62 6C 69 63 5C 62 67 2E 6A 70 67 22 20 2F 66}
// cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
$cmd5= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 53 79 73 74 65 6D 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 43 3A 5C 55 73 65 72 73 5C 50 75 62 6C 69 63 5C 62 67 2E 6A 70 67 22 20 2F 66}
// cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
$cmd6= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 4C 4D 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 50 6F 6C 69 63 69 65 73 5C 53 79 73 74 65 6D 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 53 74 79 6C 65 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 32 20 2F 66}
// cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
$cmd7= {63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 61 64 64 20 22 48 4B 43 55 5C 43 6F 6E 74 72 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 53 74 79 6C 65 20 2F 74 20 52 45 47 5F 53 5A 20 2F 64 20 32 20 2F 66}
// rundll32.exe user32.dll,UpdatePerUserSystemParameters (forces the wallpaper change to apply)
$cmd8= {72 75 6E 64 6C 6C 33 32 2E 65 78 65 20 75 73 65 72 33 32 2E 64 6C 6C 2C 55 70 64 61 74 65 50 65 72 55 73 65 72 53 79 73 74 65 6D 50 61 72 61 6D 65 74 65 72 73}
// cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds ???;   (three wildcard bytes before the ';')
$cmd9= {63 6D 64 2E 65 78 65 20 2F 63 20 73 74 61 72 74 20 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 20 2D 57 69 6E 64 6F 77 53 74 79 6C 65 20 48 69 64 64 65 6E 20 2D 43 6F 6D 6D 61 6E 64 20 53 6C 65 65 70 20 2D 4D 69 6C 6C 69 73 65 63 6F 6E 64 73 20 ?? ?? ?? 3B}
// Remove-Item -Force -Path "   (start of the self-deletion command)
$cmd10= {52 65 6D 6F 76 65 2D 49 74 65 6D 20 2D 46 6F 72 63 65 20 2D 50 61 74 68 20 22}
// " -ErrorAction SilentlyContinue;   (end of the self-deletion command)
$cmd11= {22 20 2D 45 72 72 6F 72 41 63 74 69 6F 6E 20 53 69 6C 65 6E 74 6C 79 43 6F 6E 74 69 6E 75 65 3B}
condition:
uint16(0) == 0x5A4D and   // "MZ" header: only scan PE files
(
$version and
4 of ($string*) and
5 of ($cmd*)
)
}
rule RhysidaRansomware {
meta:
description = "rule to detect Rhysida Ransomware"
author = "ShadowStackRe.com"
date = "2023-12-12"
Rule_Version = "v1"
malware_type = "ransomware"
malware_family = "Rhysida"
License = "MIT License, https://opensource.org/license/mit/"
strings:
$strShadowCopy = " vssadmin.exe Delete Shadows"   // shadow-copy deletion
$strRhysida01 = "Rhysida-0.1"
$strRhysida = "rhysida"
$strRegKey1 = "cmd.exe /c reg delete \"HKCU\\Contol Panel\\Desktop"   // note the literal "Contol" spelling
$strRegKey2 = "Policies\\ActiveDesktop\" /v NoChangingWallPaper"
$strRunDll32 = "rundll32.exe user32.dll,UpdatePerUserSystemParameters"
$strPDF = "CriticalBreachDetected.pdf"
condition:
all of them
}

Ransom note text (the CriticalBreachDetected.pdf referenced by the rules above):

Critical Breach Detected - Immediate Response Required

Dear company,

This is an automated alert from cybersecurity team Rhysida. An unfortunate situation has arisen - your digital ecosystem has been compromised, and a substantial amount of confidential data has been exfiltrated from your network. The potential ramifications of this could be dire, including the sale, publication, or distribution of your data to competitors or media outlets. This could inflict significant reputational and financial damage.

However, this situation is not without a remedy. Our team has developed a unique key, specifically designed to restore your digital security. This key represents the first and most crucial step in recovering from this situation. To utilize this key, visit our secure portal: [redacted] with your secret key [snip]

It's vital to note that any attempts to decrypt the encrypted files independently could lead to permanent data loss. We strongly advise against such actions.

Time is a critical factor in mitigating the impact of this breach. With each passing moment, the potential damage escalates. Your immediate action and full cooperation are required to navigate this scenario effectively. Rest assured, our team is committed to guiding you through this process. The journey to resolution begins with the use of the unique key. Together, we can restore the security of your digital environment.

Best regards
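Before loading the rules above into an EDR or SIEM it is worth checking what their hex strings actually match: the first two rules encode the registry commands as hex with `??` wildcards, while the third uses a plain text literal. The script below is an added example written for this page, not code from ransomware.live or from the rule authors. It converts a YARA hex string (plain bytes plus `??` single-byte wildcards, which is all these rules use) into a bytes regex, renders its decoded form, and runs it over constructed sample buffers that stand in for strings found in a binary (they are not bytes from a real Rhysida sample). It shows that `43 6F 6E 74 ?? 6F 6C` resolves to `Cont?ol`, which matches the correctly spelled `Control Panel` but not the `Contol Panel` literal that the third rule looks for, and that `$cmd9` only fires when exactly three bytes sit between `-Milliseconds ` and the `;`. Which spelling the sample in front of you contains decides which rules can fire, so verify that against the sample before relying on any one of them.

```python
import re

# Added example for this page (not code from ransomware.live or the rule authors).
# Minimal YARA hex-string matcher: plain bytes plus '??' single-byte wildcards,
# which is all the hex strings in the rules above use (no jumps, no alternation).

def yara_hex_to_regex(hex_string):
    """Compile a YARA hex string such as '{52 68 ?? 2E}' into a bytes regex."""
    parts = []
    for tok in hex_string.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")                          # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))  # literal byte
        else:
            raise ValueError("unsupported hex-string token: %r" % tok)
    return re.compile(b"".join(parts), re.DOTALL)

def decode_hex_string(hex_string):
    """Render a hex string as text, with '?' standing in for each wildcard byte."""
    return "".join("?" if tok == "??" else chr(int(tok, 16))
                   for tok in hex_string.strip().strip("{}").split())

def matches(hex_string, data):
    """True if the hex string occurs anywhere in data."""
    return yara_hex_to_regex(hex_string).search(data) is not None

# Hex strings copied from the rules above ($ver/$version, $cmd1, and rule 2's $cmd9).
VER  = "{52 68 79 73 69 64 61 2D 30 2E 31}"
CMD1 = "{63 6D 64 2E 65 78 65 20 2F 63 20 72 65 67 20 64 65 6C 65 74 65 20 22 48 4B 43 55 5C 43 6F 6E 74 ?? 6F 6C 20 50 61 6E 65 6C 5C 44 65 73 6B 74 6F 70 22 20 2F 76 20 57 61 6C 6C 70 61 70 65 72 20 2F 66}"
CMD9 = "{63 6D 64 2E 65 78 65 20 2F 63 20 73 74 61 72 74 20 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 20 2D 57 69 6E 64 6F 77 53 74 79 6C 65 20 48 69 64 64 65 6E 20 2D 43 6F 6D 6D 61 6E 64 20 53 6C 65 65 70 20 2D 4D 69 6C 6C 69 73 65 63 6F 6E 64 73 20 ?? ?? ?? 3B}"
# Text literal copied from the third rule ($strRegKey1).
REGKEY1_LITERAL = b'cmd.exe /c reg delete "HKCU\\Contol Panel\\Desktop'

# Constructed buffers standing in for strings inside a binary (not from a real sample).
BUF_CONTROL = b'Rhysida-0.1 ... cmd.exe /c reg delete "HKCU\\Control Panel\\Desktop" /v Wallpaper /f ...'
BUF_CONTOL  = b'Rhysida-0.1 ... cmd.exe /c reg delete "HKCU\\Contol Panel\\Desktop" /v Wallpaper /f ...'
BUF_SLEEP_3 = b'cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item'
BUF_SLEEP_2 = b'cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 50; Remove-Item'

def check_buffers():
    """Run each pattern over the constructed buffers; returns {pattern: {buffer: hit}}."""
    return {
        "cmd1_hex":      {"Control": matches(CMD1, BUF_CONTROL), "Contol": matches(CMD1, BUF_CONTOL)},
        "rule3_literal": {"Control": REGKEY1_LITERAL in BUF_CONTROL, "Contol": REGKEY1_LITERAL in BUF_CONTOL},
        "cmd9_hex":      {"3-digit": matches(CMD9, BUF_SLEEP_3), "2-digit": matches(CMD9, BUF_SLEEP_2)},
    }

if __name__ == "__main__":
    for name, hs in (("$ver", VER), ("$cmd1", CMD1), ("$cmd9", CMD9)):
        print("%-6s -> %s" % (name, decode_hex_string(hs)))
    for pattern, results in check_buffers().items():
        print(pattern, results)
```

The same conversion works for every other hex string on this page; drop a new pattern into the tuple in the `__main__` block to see its decoded form. The `.onion` hostname in `$str3`/`$string3` is deliberately left out of the decoded output, in keeping with the note on leak-site addresses below.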
Carrera Chevrolet
Termolar: Termolar is the largest manufacturer of thermal conservation products in Latin America.
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Carrera Chevrolet | BR | Manufacturing | — | 26 May 2025 |
| Termolar | BR | Manufacturing | — | 18 May 2025 |
| Sao Camilo Cachoeiro de Itapemirim | BR | Education | — | 14 May 2025 |
| Government of Peru | PE | Public Sector | — | 1 May 2025 |
| Milicic | AR | Construction | — | 23 Apr 2025 |
| Law Offices of the Public Defender - New Mexico | US | Public Sector | — | 19 Jul 2024 |
| Unimed Vales do Taquari e Rio Pardo | BR | Healthcare | — | 8 May 2024 |
| Lopez Hnos | AR | Agriculture and Food Production | — | 2 May 2024 |
| Ministerio de Desarrollo Local | SV | Public Sector | — | 23 Apr 2024 |
| El Debate | MX | Consumer Services | — | 26 Mar 2024 |
| CNPC Peru S.A. | PE | Energy | — | 1 Feb 2024 |
| General Directorate of Migration of the Dominican Republic | DO | Public Sector | — | 4 Oct 2023 |
| Federal University of Mato Grosso do Sul | BR | Education | — | 2 Oct 2023 |
| National Institute of Social Services for Retirees and Pensioners | AR | Public Sector | — | 12 Aug 2023 |
| Ejercito de Chile | CL | Public Sector | — | 10 Jun 2023 |
The leak-site (.onion) addresses are known but are not published or linked here; only public metadata is shown.
Sao Camilo Cachoeiro de Itapemirim: The Sao Camilo Espirito Santo Educational Center was founded in 1969, under the name Instituto Cachoeirense de Ensino, in the city of Cachoeiro de Itapemirim, ES.
Government of Peru: Gob.pe is defined as the Single Digital Platform of the Peruvian State.
Milicic: We are an Argentine construction and services company with 50 years of experience in large-scale projects that have supported the development of key productive sectors.
Law Offices of the Public Defender - New Mexico: As the state's largest law firm, we represent low-income people facing criminal charges in New Mexico.