RHYSIDA
CISA Intelligence #StopRansomware
#StopRansomware: Rhysida Ransomware · 2025-04-30
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi- State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as December 2024. Rhysida has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this advisory is derived from related incident response investigations and malware analysis of samples discovered on victim networks.
FBI, CISA, and the MS-ISAC encourage organizations to implement best practices to defend against ransomware and the Rhysida-specific recommendations in the Mitigations section of this advisory.
Organizations should take the following actions today to mitigate malicious cyber activity:
Download the PDF version of this report:
For a downloadable copy of updated IOCs, see:
For a downloadable copy of historic IOCs, see:
Predicted CVEs (2) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.