Infecting the Infected: Rhysida’s Ruthless Ransomware Regime

As we’ve seen time and time again in our cybersecurity landscape, the wicked prey on the weary and take no prisoners along the way. Rhysida, an emerging ransomware group, serves as a perfect example of this. While their activities span a variety of sectors and regions around the world, they have developed a keen taste for vulnerabilities found within the realm of healthcare.

First identified on August 9th, 2023 by Trend Micro, Rhysida launched a calculated attack on Prospect Medical Holdings, a healthcare system in California. 17 hospitals and 166 clinics fell victim to Rhysida’s assault. Their approach was as deceptive as it was shrewd, arriving at the victim’s system via phishing lures, after which Cobalt Strike was deployed and malicious code executed to assist in Discovery and Lateral Movement activities within the system and network.

As detailed by AttackIQ’s Adversary Research Team (ART), the attack begins with the download and saving of the ZIP file used by the adversary and continues with the deployment of the Cobalt Strike sample contained within the file, which is later executed via Process Injection or Reflective DLL Injection. Subsequently, Cobalt Strike will acquire system information, such as operating system information, active processes, CPU properties, installed security software, and administrator accounts.

Under Siege

Just as patients rely on life support systems, the infected systems struggle to function. Rhysida’s ransomware attacks cast a shadow over healthcare facilities, compromising sensitive data and disrupting critical services. The consequences weren’t confined to digital disruptions. They mirrored the vulnerability of patients in a hospital, their trust shaken as the systems designed to safeguard their well-being faltered under the malicious onslaught.

Prior to the deployment of Rhysida, the perpetrators used a PowerShell script known as SILENTKILL to identify security software and disable it or create exclusion rules to bypass it. Additionally, the script is capable of changing local account passwords, modifying the local firewall, and deleting system backups to delay recovery tasks.

Rhysida operators were observed leveraging PsExec to deploy PowerShell scripts and the Rhysida ransomware payload itself. Upon deployment, Rhysida will seek to identify and list all files on all local drives on the compromised system. Once completed, it will perform the task of encrypting the files using a 4096-bit RSA key and ChaCha20 and append the extension “.rhysida”.
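The SILENTKILL behaviours described above (disabling security tools, adding firewall exclusions, deleting backups) and the PsExec-driven deployment of PowerShell and the payload all leave process-creation telemetry that a defender can alert on. The Python below is an added example, not AttackIQ’s code and not taken from any Rhysida sample: it runs a handful of regex rules over constructed process-creation events (the `host|parent_image|image|command_line` layout is an assumption made here) and correlates hits per host, so that a lone event is not alerted on by itself while a cluster of the article’s techniques on one machine is. The ATT&CK technique IDs are a mapping supplied in this example and are not stated in the article.

```python
"""Toy detection pass for the Rhysida / SILENTKILL behaviours named in the
article.  Added example, not AttackIQ's code; the event layout is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry (NOT real logs).  Assumed field layout:
#   host | parent_image | image | command_line
SAMPLE_EVENTS = r"""
WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
WS01|C:\Windows\PSEXESVC.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -f C:\temp\sk.ps1
WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\reg.exe|reg.exe add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\bg.jpg /f
WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
WS02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process
WS02|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
"""


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                      # ATT&CK id (mapping supplied here)
    cmd: re.Pattern                     # must match the command line
    parent: Optional[re.Pattern] = None  # optional constraint on parent image


RULES: List[Rule] = [
    Rule("Shadow copies deleted (backup removal)", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("Windows event log cleared", "T1070.001",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("Firewall rule added via PowerShell", "T1562.004",
         re.compile(r"\bNew-NetFirewallRule\b", re.I)),
    Rule("Defender disabled via registry", "T1562.001",
         re.compile(r"Windows Defender.*\bDisable(AntiSpyware|RealtimeMonitoring)\b", re.I)),
    Rule("Wallpaper set via reg.exe (ransom note defacement)", "T1491.001",
         re.compile(r"\breg(\.exe)?\s+add\b.*Control Panel\\Desktop.*\bWallpaper\b", re.I)),
    Rule("PowerShell spawned by PsExec service", "T1569.002",
         re.compile(r"powershell(\.exe)?", re.I),
         re.compile(r"\\PSEXESVC\.exe$", re.I)),
    Rule("Security software discovery via WMI", "T1518.001",
         re.compile(r"\bAntiVirusProduct\b", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited event into its four assumed fields."""
    host, parent, image, cmd = line.split("|", 3)
    return {"host": host, "parent_image": parent, "image": image, "command_line": cmd}


def match_rules(event: Dict[str, str]) -> List[Rule]:
    """Return every rule whose command-line (and parent, if set) pattern matches."""
    hits = []
    for rule in RULES:
        if not rule.cmd.search(event["command_line"]):
            continue
        if rule.parent is not None and not rule.parent.search(event["parent_image"]):
            continue
        hits.append(rule)
    return hits


def triage(lines: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Correlate per host: report hosts showing >= threshold distinct techniques.

    A single firewall rule or shadow-copy command can be legitimate admin work;
    several of these behaviours on one host within the window is the signal."""
    per_host: Dict[str, set] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in match_rules(event):
            per_host[event["host"]].add(rule.technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= threshold}


if __name__ == "__main__":
    for host, techniques in triage(SAMPLE_EVENTS.strip().splitlines()).items():
        print(f"{host}: {', '.join(techniques)}")
```

Run as-is, the script reports only `WS01`, where the constructed events chain PsExec-launched PowerShell, shadow-copy deletion, a wallpaper change through `reg.exe` and a cleared Security log; `WS02`’s single `vssadmin list shadows` and interactive PowerShell never cross the correlation threshold. In production the same rules would sit on a SIEM’s process-creation feed with a time window, but the shape of the logic is the point: match the individual behaviours the article lists, then alert on the cluster.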

Conclusion

As cybersecurity defenders navigate this ever-evolving threat landscape, strategic insights derived from incidents like Rhysida’s become imperative. Collaboration in fortifying cyber defenses is not merely a necessity but a strategic imperative. In this context, it’s noteworthy that AttackIQ Flex offers a free emulation, providing organizations with an unprecedented opportunity to test their defenses against emulations that mimic Rhysida’s tactics. This hands-on testing allows for a comprehensive assessment of security posture, enabling proactive measures to be fine-tuned and defenses strengthened against the omnipresent menace of ransomware. The narrative of Rhysida serves as a compelling reminder of the ongoing demand for vigilance and the strategic deployment of proactive measures to safeguard against sophisticated threat groups.

Configuration Notes: This Attack Graph is designed to be executed under SYSTEM-level privileges.

Scenarios included in this Package:

  • Clear Windows Event Log via wevtutil.exe
  • Save 2022-09 Cobalt Strike Beacon Sample to File System
  • Process Discovery Through Tasklist
  • Discover Security Software (AntiVirusProduct) using WMI Command
  • Code Injection via Load Library and Create Remote Thread
  • Add Rhysida Firewall Exclusion via “New-NetFirewallRule” PowerShell Command
  • Conti File Encryption
  • Get CPU Properties Using WMI
  • Reflective DLL Injection
  • Download 2023-05 Rhysida Malicious ZIP Sample to Memory
  • Set Rhysida User Wallpaper Through Registry using “reg.exe”
  • Disable Windows Defender via Registry Key using PowerShell
  • System Information Discovery Script
  • Save 2023-05 Rhysida Malicious ZIP Sample to File System
  • Save 2023-08 SILENTKILL Sample to File System
  • File and Directory Discovery Script
  • Delete created Volume Shadow Copy using “vssadmin.exe”
  • Scheduled Task Execution
  • Delete File Scenario
  • Save 2023-05 Rhysida Ransomware Sample to File System
  • Domain Administrator Accounts Discovery Via Net Command Script