What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a Rhysida attack can make a huge difference and help you make a full recovery. Request 24/7 Rhysida ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Rhysida ransomware statistics & facts

Rhysida decryptor
Rhysida IOCs
Rhysida vectors
Case outcomes
How to remove Rhysida ransomware?
How to recover from Rhysida ransomware?
Ransom amounts
Rhysida decryptor

Good news—a free decryptor exists for Rhysida ransomware due to a cryptographic implementation flaw discovered by South Korean researchers. However, this decryptor only works for certain variants and may not cover all infections. UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.

Rhysida IOCs

Important note: IOCs often change because Rhysida affiliates constantly update their tools. This list includes recurring, widely confirmed indicators based on FBI, CISA, MS-ISAC, Sophos, Trend Micro, SentinelOne, Fortinet, and IR case data.

File extensions
The original .rhysida extension is the most common. Files are encrypted using a 4096-bit RSA key with a ChaCha20 algorithm, making unauthorized decryption nearly impossible without the private key.

Ransom note filenames
The standard ransom note is named:

CriticalBreachDetected.pdf

This PDF contains a unique victim identifier and instructions to contact Rhysida actors via their Tor-based portal.

Rhysida hashes
These are SHA256 hashes used for encrypting payloads in known attacks:

6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010
1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597
4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183
97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4
918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1

Additional SHA1 hashes for supporting tools:

a506fd44ee7a6d16fe8929201bc7887b966d6d14
64eabaa3ee1084e8e8cac9e68139453b00000904
e66fd750c8bec06fca11b6e2919a3d66bc6c0fc1

Rhysida tools
For lateral movement:

PsExec
mstsc.exe (RDP)
PuTTY (SSH)
PowerShell

For credential dumping:

secretsdump
ntdsutil.exe (NTDS.dit extraction)

For reconnaissance:

ipconfig
whoami
nltest
net commands (net user, net group, net localgroup)
PowerView

For remote access & persistence:

AnyDesk
Cobalt Strike
Gootloader (initial access malware)

For data exfiltration:

AZCopy (Azure storage utility)
StorageExplorer-windows-x64.exe

For defense evasion:

wevtutil.exe (clears Windows event logs)
PowerShell hidden windows

Most common red flag
Rhysida almost always runs these commands before encryption:

wevtutil.exe Delete Shadows /all /quiet
Clear-EventLog -LogName System, Application, Security

*If you detect this, data encryption is moments away.

Rhysida vectors

Attack vector

% of Rhysida incidents

Notes

Compromised VPN credentials

40–45%

Valid accounts without MFA enabled

Phishing + Gootloader

25–30%

Malicious SEO poisoning, fake legal docs

Exploited vulnerabilities

15–20%

Unpatched VPN, RDP, web apps

RDP brute-force

10–12%

Weak or reused passwords

Supply chain / MSP access

5–8%

Compromised third-party access

Powered By WP Table Builder
Case outcomes

Rhysida operates as a ransomware-as-a-service (RaaS) group with ties to the former Vice Society operation. They are unpredictable and aggressive.

Some Rhysida affiliates provide decryptors after payment, but many do not. Decryptors—when provided—are often slow, buggy, or incomplete. Victims frequently experience partial recovery failures, especially when backups were destroyed or corrupted during the attack.

Rhysida is known to publish stolen data within 48–72 hours if negotiations stall or if victims refuse to pay. Data is auctioned on their dark web leak site, often sold to the highest bidder.

How to remove Rhysida ransomware?

Note: Attempting to remove Rhysida ransomware without expert guidance may lead to greater data loss or incomplete eradication.

To remove Rhysida ransomware, immediately engage Rhysida ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall).

Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review file-hash indicators of compromise (IOCs), registry changes, deleted Volume Shadow Copies, cleared event logs, and any tampering with NTDS.dit files. After mapping the intrusion, reimage all infected devices using clean, verified system images.

Finally, rely on Rhysida ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating compromised credentials (especially if NTDS.dit was accessed), and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.

How to recover from Rhysida ransomware?

To recover from Rhysida ransomware, follow these essential steps:

Immediately isolate affected machines to stop any further malicious activity, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware.
Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment.
Perform a thorough post-incident review to map the attack chain and identify root causes, then conduct domain-wide password resets and double Kerberos TGT password resets if NTDS.dit was compromised.
Bring in external IR specialists to audit your environment, ensure complete ransomware eradication, and help update your incident-response and business-continuity plans.

Ransom amounts

Rhysida ransom demands typically range from $200,000 to over $3 million, depending on the size of the victim organization and the amount of data stolen. Ransoms are almost always demanded in Bitcoin.

Because Rhysida conducts double-extortion attacks, victims face two simultaneous financial threats:

The ransom itself
The cost of leaked, stolen, or auctioned data

Organizations should never attempt ransom negotiation alone—Rhysida is known to escalate threats quickly, publish or auction data when provoked, or disappear after receiving payment if communication is mishandled.

Average ransom:

Small business: $200,000 – $500,000
Medium business: $600,000 – $1,500,000
Large enterprise: $1,800,000 – $3,000,000+

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is Rhysida ransomware?

Rhysida is a highly aggressive Ransomware-as-a-Service (RaaS) operation that emerged in May 2023, rapidly establishing itself as a significant threat across multiple sectors. The group employs double extortion tactics, breaching networks to steal sensitive data before encrypting systems using a hybrid ChaCha20 + RSA-4096 encryption algorithm. Rhysida operators pose as a “cybersecurity team” offering to help victims identify security weaknesses, then demand substantial ransoms while threatening to publish stolen data on their dark-web leak site if payment is not received.

Where is the Rhysida ransomware gang located?

The Rhysida ransomware group operates as a decentralized RaaS collective, leveraging Tor-based communication portals, anonymized infrastructure, and constantly shifting servers to obscure their physical location. While security researchers have identified potential connections to the Vice Society ransomware group and observed Russian-speaking threat actors in their operations, there is no officially confirmed geographic origin or headquarters for the Rhysida gang.

How does Rhysida ransomware work?

Rhysida ransomware typically infiltrates through phishing campaigns, compromised RDP/VPN credentials, or exploiting unpatched vulnerabilities. Once inside, attackers conduct network reconnaissance using tools like ADFind and SoftPerfect, steal credentials, and move laterally across the environment.

They exfiltrate sensitive data using tools like Rclone or WinSCP, disable security defenses and backup systems, then rapidly deploy the ransomware payload. Files are encrypted using ChaCha20 with RSA-4096, appending the .rhysida extension.

Finally, ransom notes are dropped across the network, and attackers may establish persistence through Cobalt Strike or similar backdoors to maintain access even after initial detection.

How long do Rhysida ransomware attacks last?

Rhysida’s encryption phase can be devastatingly fast — smaller networks may be locked down within hours, while larger enterprise environments can be fully encrypted within 8-12 hours. However, the attack typically begins days or weeks earlier: threat actors spend 7-21+ days inside the network undetected, conducting reconnaissance, stealing data, disabling backups and security tools, and positioning themselves for rapid, coordinated encryption across all critical systems simultaneously.

Where can I find a Rhysida victims list?

There is no official public list of Rhysida victims, but confirmed cases are typically published on Rhysida’s own dark-web leak site and subsequently reported by cybersecurity researchers, threat intelligence platforms, and media outlets tracking ransomware disclosures. Security teams often monitor these leak portals, CTI feeds, and incident response reports to stay informed about newly targeted organizations across healthcare, education, government, and other sectors.

Can Rhysida ransomware be deleted?

You can remove the Rhysida malware payload itself, but that does nothing to decrypt your files or eliminate the threat. Because there is no public decryptor available for Rhysida and the threat actors frequently leave backdoors and persistence mechanisms behind, proper recovery requires professional incident response, comprehensive environment remediation, threat hunting to eliminate all attacker access, and restoration from clean, uncompromised backups.

What happens when you get Rhysida ransomware?

Rhysida attackers typically infiltrate your network days or weeks before encryption, quietly stealing sensitive data, disabling backup systems and EDR tools, and spreading laterally through critical servers and workstations. When the ransomware detonates, files across Windows, Linux, and ESXi systems are rapidly encrypted with the .rhysida extension, shadow copies are deleted, and ransom notes appear in every directory. Shortly after, stolen data is threatened or published on the gang’s dark-web leak site to pressure victims into paying the ransom.

How can ransomware be prevented?

Ransomware is best prevented through layered security: patching critical vulnerabilities within 48 hours, enforcing phishing-resistant MFA across all accounts, deploying EDR + SIEM with 24/7 monitoring, segmenting networks to restrict lateral movement, hardening identity and privileged access controls, securing email gateways against phishing, and protecting backups with immutability and MFA-controlled access so attackers cannot tamper with them. Regular security awareness training and continuous threat-hunting further reduce risk.

What is a ransomware prevention checklist?

Here’s a ransomware prevention checklist that will help your organization to block, detect, and contain attacks:

Patch critical vulnerabilities within 48 hours
Use MFA for all accounts, especially privileged access
Deploy EDR on all endpoints
Centralize logs into your SIEM
24/7 monitoring for lateral movement and anomalous behavior
Disable unused RDP and enforce VPN access controls
Apply network segmentation and restrict admin privileges
Harden backup servers and enforce immutability
Run phishing simulations and security awareness training
Perform regular IR tabletop exercises