Rhysida Ransomware: The Complete Guide

Rhysida ransomware is a relatively new ransomware group that was first observed in May 2023. The group positions itself as a “cybersecurity team” and claims to be doing their victims a favor by targeting their systems and highlighting potential security issues.

The ransomware is still in the early stages of development and lacks some features commonly found in present-day ransomware. However, it does threaten victims with the public distribution of exfiltrated data, aligning it with modern double extortion groups.

Rhysida ransomware primarily targets Windows systems and uses ChaCha20 for file encryption. It is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MinGW/GCC.

The group has been known to target organizations such as the Chilean Army, stealing and leaking sensitive documents.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is Rhysida?

Rhysida is ransomware, which is a type of malware that encrypts and locks the victims’ files and then requests a ransom in exchange for the decryption key.

It is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled using MinGW/GCC. The group primarily uses phishing methods and RDP-based assaults to distribute the ransomware. Once the ransomware infects a system, it uses ChaCha20 encryption to encrypt files

Everything we know about Rhysida Ransomware

Confirmed Name

• Rhysida virus

Threat Type

• Ransomware
• Crypto Virus
• Files locker
• Double extortion

Encrypted Files Extension

• .rhysida

Ransom Demanding Message

• CriticalBreachDetected.pdf

Is There a Free Decryptor Available?

No, Rhysida ransomware does not have a decryptor

Detection Names

• Avast Win32:Dh-A [Heur]

• AVG Win32:Dh-A [Heur]

• Emsisoft Trojan.GenericKD.67412686 (B)

• Malwarebytes Malware.AI.4120503725

• Kaspersky Trojan-Ransom.Win32.Encoder.ucn

• Sophos Mal/Generic-S

• Microsoft Trojan:Win32/Leonem

Distribution methods

• Phishing emails
• Remote desktop protocol (RDP)

Consequences

• Files are encrypted and locked until the ransom payment
• Data leak
• Double extortion

What is in the Rhysida ransom note

The Rhysida ransom note takes an uncommon approach compared to other ransomware groups. In the ransom note, the attackers present themselves as a “cybersecurity team” offering aid to the victims by targeting their systems and highlighting potential security issues. The content of the ransom note is embedded in the binary in clear text and is written as a PDF document.

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

How does Rhysida ransomware infect a system

Rhysida ransomware primarily infects systems through phishing methods, which involve tricking users into clicking on malicious links or downloading infected files. The group also uses RDP-based assaults, which involve exploiting vulnerabilities in Remote Desktop Protocol (RDP) to gain access to systems. Once the ransomware infects a system, it uses ChaCha20 encryption to encrypt files.

• Phishing emails and social engineering. These are two common methods used by cybercriminals to obtain sensitive information from individuals or organizations. Phishing is a form of social engineering that uses email or malicious websites to solicit personal information by posing as a trustworthy organization. Phishing emails often contain a sense of urgency or fear to prompt the recipient to take immediate action. Social engineering attacks involve an attacker using human interaction to obtain or compromise information about an organization or its computer systems. Attackers may pose as new employees, repair persons, or researchers and even offer credentials to support that identity.

• Remote Desktop Protocol (RDP). This is a proprietary protocol developed by Microsoft Corporation that provides a user with a graphical interface to connect to another computer over a network connection. However, RDP is also a common target for cybercriminals who use brute force attacks to gain access to systems. Ransomware variants strategically target networks through unsecured RDP ports or by brute-forcing the password.

How does Rhysida ransomware work

Rhysida ransomware works by encrypting data on infected systems and demanding payment for its decryption. Here is a breakdown of how Rhysida ransomware operates:

Infection Methods

• Dissemination of infected files. Rhysida criminals distribute infected files that contain the ransomware payload.
• Malicious hyperlinks. Phishing campaigns are used to trick users into clicking on malicious links that lead to the download and execution of the ransomware.
• RDP-based assault. Rhysida ransomware takes advantage of vulnerabilities in Remote Desktop Protocol (RDP) to gain unauthorized access to systems.

Encryption

• Once the ransomware infects a system, it uses ChaCha20 encryption to encrypt the victim’s files.
• The encrypted files become inaccessible and cannot be opened or used without the decryption key.

Ransom Note

• Rhysida ransomware presents a ransom note to the victim, typically in the form of a PDF document.
• The ransom note may contain instructions on how to pay the ransom and other relevant information.

Payment and Decryption

• The attackers demand payment from the victim in exchange for the decryption key needed to unlock the encrypted files.
• Victims are often instructed to make the payment using cryptocurrencies such as Bitcoin to maintain anonymity.

Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.

How to handle a Rhysida ransomware attack

The first step to recovering from a Rhysida attack is to isolate the infected computer by disconnecting from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).

To report a ransomware attack you must gather every information you can about it, including:

• Screenshots of the ransom note
• Communications with threat actors (if you have them)
• A sample of an encrypted file

However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it’s and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.

You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key.

You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.

Rhysida ransomware file hashes

• 3809c075dea5f17511b5945110f4d6b1ac92fab5
• 1356a94f2295499f1eef98661a2042a3
• f7c66ce4c357c3a7c44dda121f8bb6a62bb3e0bc6f481619b7b5ad83855d628b
• e7962ab0304dedfc8bbead0e33c24d2bf7d07ca9
• 7c0e5627fd25c40374bc22035d3fadd8
• 052309916380ef609cacb7bafbd71dc54b57f72910dca9e5f0419204dba3841d
• e5214ab93b3a1fc3993ef2b4ad04dfcc5400d5e2
• 13546e9d36effa74f971d90687b60ea6
• 69b3d913a3967153d1e91ba1a31ebed839b297ed
• 338d4f4ec714359d589918cee1adad12ef231907
• b07f6a5f61834a57304ad4d885bd37d8e1badba8

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent Rhysida ransomware from attacking your network again.

Contact our experts 24/7 for emergency recovery service.

Prevent the Rhysifa ransomware attack

Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. Rhysida ransomware can cost your business’s future and even close its doors.

These are a few tips to ensure you can avoid ransomware attacks:

• Antivirus and anti-malware
• Use cybersecurity solutions
• Use strong passwords
• Updated software
• Updated operating system (OS)
• Firewalls
• Have a recovery plan in hand (See how to create a data recovery plan with our in-depth guide)
• Schedule regular backups
• Don’t open an email attachment from an unknown source
• Do not download files from suspicious websites
• Don’t click on ads unless you’re sure it’s safe
• Only access websites from trustworthy sources