win.rhysida

Rhysida

Actor(s): Vanilla Tempest


There is no description at this point.

References
2025-09-02 | At-Bay | Aaron Smith, Laurie Iacono, MC, Ricardo Vazquez, Rohit Pappali, Will Botto, Yiwei Guo
Rhysida: Evading Detection, One Service at a Time
Tags: Rhysida

2025-01-30 | Recorded Future | Insikt Group
TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base
Tags: Rhysida KongTuke MintsLoader Broomstick Remcos Rhysida WarmCookie

2024-11-07 | Cisco Talos | Aliza Johnson, Chetan Raghuprasad, Elio Biasiotto, Michael Szeliga
Unwrapping the emerging Interlock ransomware attack
Tags: Interlock Rhysida

2024-10-09 | Recorded Future | Insikt Group
Outmaneuvering Rhysida: How Advanced Threat Intelligence Shields Critical Infrastructure from Ransomware
Tags: Broomstick Rhysida

2024-07-24 | ThreatDown | ThreatDown
Rhysida using Oyster Backdoor to deliver ransomware
Tags: Broomstick Rhysida

2024-02-12 | HelpNetSecurity | Zeljka Zorz
Decryptor for Rhysida ransomware is available!
Tags: Rhysida

2023-12-13 | ShadowStackRE | ShadowStackRE
Rhysida Ransomware
Tags: Rhysida Rhysida

2023-12-12 | Fourcore | Swapnil
Rhysida Ransomware: History, TTPs And Adversary Emulation Plans
Tags: Rhysida Rhysida Vanilla Tempest

2023-12-10 | Detect FYI | Simone Kraus
Rhysida Ransomware and the Detection Opportunities
Tags: PolyVice Rhysida Vanilla Tempest

2023-11-15 | Fortinet | Amey Gat, Andrew Nicchi, John Simmons, Mark Robson
Investigating the New Rhysida Ransomware
Tags: Rhysida

2023-10-26 | Avast Decoded | Threat Research Team
Rhysida Ransomware Technical Analysis
Tags: Rhysida

2023-08-09 | BleepingComputer | Bill Toulas
Rhysida ransomware behind recent attacks on healthcare
Tags: Rhysida

2023-08-09 | Trend Micro | Trend Micro Research
An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector
Tags: Rhysida

2023-08-08 | Cisco Talos | Cisco Talos
What Cisco Talos knows about the Rhysida ransomware
Tags: Rhysida

2023-08-08 | Checkpoint | Checkpoint Research
THE RHYSIDA RANSOMWARE: ACTIVITY ANALYSIS AND TIES TO VICE SOCIETY
Tags: Rhysida Vanilla Tempest

2023-08-01 | LinkedIn (PRODAFT) | PRODAFT
An organic relationship between the #Rhysida and #ViceSociety ransomware teams
Tags: Rhysida

2023-06-29 | SentinelOne | Alex Delamotte, Jim Walter
Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army
Tags: Rhysida

2023-05-23 | Secplicity | Ryan Estes
Scratching the Surface of Rhysida Ransomware
Tags: Rhysida
Yara Rules
[TLP:WHITE] win_rhysida_auto (20260504 | Detects win.rhysida.)
rule win_rhysida_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.rhysida."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4024 4898 4883c006 4801d0 4889c1 e8???????? 98 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above:
            //   8b4024               | mov                 eax, dword ptr [rax + 0x24]
            //   4898                 | cdqe                
            //   4883c006             | add                 rax, 6
            //   4801d0               | add                 rax, rdx
            //   4889c1               | mov                 rcx, rax
            //   e8????????           | call                <rel32 masked>
            //   98                   | cwde                

        $sequence_1 = { 4539c1 7663 4183c008 660f6f1411 0f111410 660f6f5c1110 0f115c1010 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above (SSE block copy loop):
            //   4539c1               | cmp                 r9d, r8d
            //   7663                 | jbe                 +0x63
            //   4183c008             | add                 r8d, 8
            //   660f6f1411           | movdqa              xmm2, xmmword ptr [rcx + rdx]
            //   0f111410             | movups              xmmword ptr [rax + rdx], xmm2
            //   660f6f5c1110         | movdqa              xmm3, xmmword ptr [rcx + rdx + 0x10]
            //   0f115c1010           | movups              xmmword ptr [rax + rdx + 0x10], xmm3

        $sequence_2 = { 8d5804 7446 4983bc240003000000 8d5805 7438 4983bc248003000000 8d5806 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above:
            //   8d5804               | lea                 ebx, [rax + 4]
            //   7446                 | je                  +0x46
            //   4983bc240003000000     | cmp    qword ptr [r12 + 0x300], 0
            //   8d5805               | lea                 ebx, [rax + 5]
            //   7438                 | je                  +0x38
            //   4983bc248003000000     | cmp    qword ptr [r12 + 0x380], 0
            //   8d5806               | lea                 ebx, [rax + 6]

        $sequence_3 = { 761b 4181fdffff0000 418d4d04 0f8784010000 662e0f1f840000000000 4d85e4 7404 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above:
            //   761b                 | jbe                 +0x1b
            //   4181fdffff0000       | cmp                 r13d, 0xffff
            //   418d4d04             | lea                 ecx, [r13 + 4]
            //   0f8784010000         | ja                  +0x184
            //   662e0f1f840000000000     | nop    word ptr cs:[rax + rax]
            //   4d85e4               | test                r12, r12
            //   7404                 | je                  +0x4

        $sequence_4 = { f30f1185b0100000 f30f108db8100000 f30f1005???????? f30f59c8 f30f1095b4100000 f30f1005???????? f30f59c2 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above (scalar float arithmetic):
            //   f30f1185b0100000     | movss               dword ptr [rbp + 0x10b0], xmm0
            //   f30f108db8100000     | movss               xmm1, dword ptr [rbp + 0x10b8]
            //   f30f1005????????     | movss               xmm0, dword ptr [rip + <disp32 masked>]
            //   f30f59c8             | mulss               xmm1, xmm0
            //   f30f1095b4100000     | movss               xmm2, dword ptr [rbp + 0x10b4]
            //   f30f1005????????     | movss               xmm0, dword ptr [rip + <disp32 masked>]
            //   f30f59c2             | mulss               xmm0, xmm2

        $sequence_5 = { f30f2cc0 c744243800000000 c744243000000000 c744242800000000 c744242000000000 4189d1 4189c0 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above (zeroing stack arguments before a call):
            //   f30f2cc0             | cvttss2si           eax, xmm0
            //   c744243800000000     | mov                 dword ptr [rsp + 0x38], 0
            //   c744243000000000     | mov                 dword ptr [rsp + 0x30], 0
            //   c744242800000000     | mov                 dword ptr [rsp + 0x28], 0
            //   c744242000000000     | mov                 dword ptr [rsp + 0x20], 0
            //   4189d1               | mov                 r9d, edx
            //   4189c0               | mov                 r8d, eax

        $sequence_6 = { 4989d2 4c01e8 4889fa 4c11f2 4c01c8 4c11d2 4989c1 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above (128-bit add with carry):
            //   4989d2               | mov                 r10, rdx
            //   4c01e8               | add                 rax, r13
            //   4889fa               | mov                 rdx, rdi
            //   4c11f2               | adc                 rdx, r14
            //   4c01c8               | add                 rax, r9
            //   4c11d2               | adc                 rdx, r10
            //   4989c1               | mov                 r9, rax

        $sequence_7 = { c1ea10 440fb6fa 44897c2428 440fb67c2420 0fb6d4 8954242c 89ca }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above (byte extraction, typical of table-driven cipher code):
            //   c1ea10               | shr                 edx, 0x10
            //   440fb6fa             | movzx               r15d, dl
            //   44897c2428           | mov                 dword ptr [rsp + 0x28], r15d
            //   440fb67c2420         | movzx               r15d, byte ptr [rsp + 0x20]
            //   0fb6d4               | movzx               edx, ah
            //   8954242c             | mov                 dword ptr [rsp + 0x2c], edx
            //   89ca                 | mov                 edx, ecx

        $sequence_8 = { 4f892c20 4983c408 4a8b0c20 4b890c20 4983c408 4c3b642440 0f8416fcffff }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above (qword copy loop):
            //   4f892c20             | mov                 qword ptr [r8 + r12], r13
            //   4983c408             | add                 r12, 8
            //   4a8b0c20             | mov                 rcx, qword ptr [rax + r12]
            //   4b890c20             | mov                 qword ptr [r8 + r12], rcx
            //   4983c408             | add                 r12, 8
            //   4c3b642440           | cmp                 r12, qword ptr [rsp + 0x40]
            //   0f8416fcffff         | je                  -0x3ea

        $sequence_9 = { 8b45f0 8d48ff 8b45f4 2b45f8 29c1 89c8 4863c8 }
            // n = 7, score = 400
            // x86-64 decoding of the byte sequence above:
            //   8b45f0               | mov                 eax, dword ptr [rbp - 0x10]
            //   8d48ff               | lea                 ecx, [rax - 1]
            //   8b45f4               | mov                 eax, dword ptr [rbp - 0xc]
            //   2b45f8               | sub                 eax, dword ptr [rbp - 8]
            //   29c1                 | sub                 ecx, eax
            //   89c8                 | mov                 eax, ecx
            //   4863c8               | movsxd              rcx, eax

    condition:
        7 of them and filesize < 2369536
}