RHYSIDA

RANSOMWARE

CISA Intelligence #StopRansomware

#StopRansomware: Rhysida Ransomware · 2025-04-30

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi- State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as December 2024. Rhysida has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this advisory is derived from related incident response investigations and malware analysis of samples discovered on victim networks.

FBI, CISA, and the MS-ISAC encourage organizations to implement best practices to defend against ransomware and the Rhysida-specific recommendations in the Mitigations section of this advisory.

Organizations should take the following actions today to mitigate malicious cyber activity:

Download the PDF version of this report:

For a downloadable copy of updated IOCs, see:

For a downloadable copy of historic IOCs, see:

Predicted CVEs (2) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 high 5.5 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 predicted 5.5

ATT&CK Techniques (28)

T1548.002 Abusing Elevation Control Mechanism: Bypass User Account Control Initial Access T1566 Phishing Initial Access T1059 Command and Scripting Interpreter Execution T1129 Shared Modules Execution T1547.001 Registry Run Keys Privilege Escalation T1027 Obfuscated Files or Information Defense Evasion T1036 Masquerading Defense Evasion T1055 Process Injection Defense Evasion T1055.003 Thread Execution Hijacking Defense Evasion T1564 Hidden Artifacts Defense Evasion T1564.004 NTFS File Attributes Defense Evasion T1620 Reflective DLL Injection Defense Evasion T1010 Application Window Discovery Discovery T1057 Process Discovery Discovery T1082 System Information Discovery Discovery T1083 File and Directory Discovery Discovery T1497 Virtualization/Sandbox Evasion Discovery T1518.001 Security Software Discovery Discovery T1005 Data from Local System Collection T1119 Automated Collection Collection T1041 Exfiltration Over C2 Channel Exfiltration T1071 Application Layer Protocol Command and Control T1071.001 Web Protocols Command and Control T1486 Data Encrypted for Impact Impact T1583 Acquire Infrastructure Resource Development T1587 Develop Capabilities Resource Development T1595 Active Scanning Reconnaissance T1598 Phishing for Information Reconnaissance