Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Rhysida ransomware recovery team on standby
Do not attempt to contain the Rhysida attack alone — uncoordinated actions can trigger additional encryption or permanent data loss. Immediately isolate compromised systems and contact our incident response team to halt the breach and prevent further damage.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Rhysida attack can make a huge difference and help you make a full recovery. Request 24/7 Rhysida ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Watch out for the key Rhysida ransomware IOCs: .rhysida file extension, CriticalBreachDetected.pdf ransom notes, terminated antivirus processes, deleted shadow copies, suspicious PowerShell activity, and tools like PsExec, Cobalt Strike, or AnyDesk running in your environment.
Deploys powerful encryption using RSA-4096 and ChaCha20 algorithms, making file recovery nearly impossible without the decryption key.
Operates through affiliate partnerships with shared infrastructure, gaining access via phishing campaigns, compromised VPNs, or exploited vulnerabilities.
Exfiltrates sensitive data before encryption and threatens public exposure on their leak site unless ransom demands are paid in Bitcoin.
Targets Windows and Linux systems across entire networks, including servers, workstations, and VMware ESXi environments.
The ransom note masquerades as a security alert, directing victims to a Tor-based portal with a unique victim code to negotiate payment.
Good news—a free decryptor exists for Rhysida ransomware due to a cryptographic implementation flaw discovered by South Korean researchers. However, this decryptor only works for certain variants and may not cover all infections. UnderDefense’s incident response team is on standby to contain the attack, eliminate the malware, prevent reinfection, and restore your systems using verified, uncompromised backups so you can safely resume operations.
Important note: IOCs often change because Rhysida affiliates constantly update their tools. This list includes recurring, widely confirmed indicators based on FBI, CISA, MS-ISAC, Sophos, Trend Micro, SentinelOne, Fortinet, and IR case data.
File extensions
The original .rhysida extension is the most common. Files are encrypted using a 4096-bit RSA key with a ChaCha20 algorithm, making unauthorized decryption nearly impossible without the private key.
Ransom note filenames
The standard ransom note is named:
CriticalBreachDetected.pdf
This PDF contains a unique victim identifier and instructions to contact Rhysida actors via their Tor-based portal.
Rhysida hashes
These are SHA256 hashes used for encrypting payloads in known attacks:
6633fa85bb234a75927b23417313e51a4c155e12f71da3959e168851a600b010
1c4978cd5d750a2985da9b58db137fc74d28422f1e087fd77642faa7efe7b597
4e34b9442f825a16d7f6557193426ae7a18899ed46d3b896f6e4357367276183
97766464d0f2f91b82b557ac656ab82e15cae7896b1d8c98632ca53c15cf06c4
918784e25bd24192ce4e999538be96898558660659e3c624a5f27857784cd7e1
Additional SHA1 hashes for supporting tools:
a506fd44ee7a6d16fe8929201bc7887b966d6d14
64eabaa3ee1084e8e8cac9e68139453b00000904
e66fd750c8bec06fca11b6e2919a3d66bc6c0fc1
Rhysida tools
For lateral movement:
PsExec
mstsc.exe (RDP)
PuTTY (SSH)
PowerShell
For credential dumping:
secretsdump
ntdsutil.exe (NTDS.dit extraction)
For reconnaissance:
ipconfig
whoami
nltest
net commands (net user, net group, net localgroup)
PowerView
For remote access & persistence:
AnyDesk
Cobalt Strike
Gootloader (initial access malware)
For data exfiltration:
AZCopy (Azure storage utility)
StorageExplorer-windows-x64.exe
For defense evasion:
wevtutil.exe (clears Windows event logs)
PowerShell hidden windows
Most common red flag
Rhysida almost always runs these commands before encryption:
wevtutil.exe Delete Shadows /all /quiet
Clear-EventLog -LogName System, Application, Security
*If you detect this, data encryption is moments away.
Attack vector | % of Rhysida incidents | Notes |
Compromised VPN credentials | 40–45% | Valid accounts without MFA enabled |
Phishing + Gootloader | 25–30% | Malicious SEO poisoning, fake legal docs |
Exploited vulnerabilities | 15–20% | Unpatched VPN, RDP, web apps |
RDP brute-force | 10–12% | Weak or reused passwords |
Supply chain / MSP access | 5–8% | Compromised third-party access |
Rhysida operates as a ransomware-as-a-service (RaaS) group with ties to the former Vice Society operation. They are unpredictable and aggressive.
Some Rhysida affiliates provide decryptors after payment, but many do not. Decryptors—when provided—are often slow, buggy, or incomplete. Victims frequently experience partial recovery failures, especially when backups were destroyed or corrupted during the attack.
Rhysida is known to publish stolen data within 48–72 hours if negotiations stall or if victims refuse to pay. Data is auctioned on their dark web leak site, often sold to the highest bidder.
Note: Attempting to remove Rhysida ransomware without expert guidance may lead to greater data loss or incomplete eradication.
To remove Rhysida ransomware, immediately engage Rhysida ransomware removal experts to guide your response and ensure no critical steps are missed. Then, begin by isolating all affected systems: disconnect compromised machines from the network (disable Wi-Fi, unplug Ethernet cables, and block their IPs at the firewall).
Next, perform a comprehensive forensic analysis to uncover the depth of the breach. Use endpoint detection and response (EDR) tools to trace the attacker’s path. Collect and review file-hash indicators of compromise (IOCs), registry changes, deleted Volume Shadow Copies, cleared event logs, and any tampering with NTDS.dit files. After mapping the intrusion, reimage all infected devices using clean, verified system images.
Finally, rely on Rhysida ransomware removal and recovery experts to validate the cleanup, conducting rootkit scans, reviewing system configurations, rotating compromised credentials (especially if NTDS.dit was accessed), and reinforcing your security posture. Their specialized knowledge ensures thorough removal and helps prevent future incidents through strategic hardening and lessons learned.
To recover from Rhysida ransomware, follow these essential steps:
Immediately isolate affected machines to stop any further malicious activity, then only reintroduce them into production once you’ve verified clean restorations and confirmed there’s no lingering malware.
Recover your data exclusively from offline, write-protected backups, and validate their integrity by checking checksums and performing test restores in a controlled environment.
Perform a thorough post-incident review to map the attack chain and identify root causes, then conduct domain-wide password resets and double Kerberos TGT password resets if NTDS.dit was compromised.
Bring in external IR specialists to audit your environment, ensure complete ransomware eradication, and help update your incident-response and business-continuity plans.
Rhysida ransom demands typically range from $200,000 to over $3 million, depending on the size of the victim organization and the amount of data stolen. Ransoms are almost always demanded in Bitcoin.
Because Rhysida conducts double-extortion attacks, victims face two simultaneous financial threats:
The ransom itself
The cost of leaked, stolen, or auctioned data
Organizations should never attempt ransom negotiation alone—Rhysida is known to escalate threats quickly, publish or auction data when provoked, or disappear after receiving payment if communication is mishandled.
Average ransom:
Small business: $200,000 – $500,000
Medium business: $600,000 – $1,500,000
Large enterprise: $1,800,000 – $3,000,000+
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowRhysida is a highly aggressive Ransomware-as-a-Service (RaaS) operation that emerged in May 2023, rapidly establishing itself as a significant threat across multiple sectors. The group employs double extortion tactics, breaching networks to steal sensitive data before encrypting systems using a hybrid ChaCha20 + RSA-4096 encryption algorithm. Rhysida operators pose as a “cybersecurity team” offering to help victims identify security weaknesses, then demand substantial ransoms while threatening to publish stolen data on their dark-web leak site if payment is not received.
The Rhysida ransomware group operates as a decentralized RaaS collective, leveraging Tor-based communication portals, anonymized infrastructure, and constantly shifting servers to obscure their physical location. While security researchers have identified potential connections to the Vice Society ransomware group and observed Russian-speaking threat actors in their operations, there is no officially confirmed geographic origin or headquarters for the Rhysida gang.
Rhysida ransomware typically infiltrates through phishing campaigns, compromised RDP/VPN credentials, or exploiting unpatched vulnerabilities. Once inside, attackers conduct network reconnaissance using tools like ADFind and SoftPerfect, steal credentials, and move laterally across the environment.
They exfiltrate sensitive data using tools like Rclone or WinSCP, disable security defenses and backup systems, then rapidly deploy the ransomware payload. Files are encrypted using ChaCha20 with RSA-4096, appending the .rhysida extension.
Finally, ransom notes are dropped across the network, and attackers may establish persistence through Cobalt Strike or similar backdoors to maintain access even after initial detection.
Rhysida’s encryption phase can be devastatingly fast — smaller networks may be locked down within hours, while larger enterprise environments can be fully encrypted within 8-12 hours. However, the attack typically begins days or weeks earlier: threat actors spend 7-21+ days inside the network undetected, conducting reconnaissance, stealing data, disabling backups and security tools, and positioning themselves for rapid, coordinated encryption across all critical systems simultaneously.
There is no official public list of Rhysida victims, but confirmed cases are typically published on Rhysida’s own dark-web leak site and subsequently reported by cybersecurity researchers, threat intelligence platforms, and media outlets tracking ransomware disclosures. Security teams often monitor these leak portals, CTI feeds, and incident response reports to stay informed about newly targeted organizations across healthcare, education, government, and other sectors.
You can remove the Rhysida malware payload itself, but that does nothing to decrypt your files or eliminate the threat. Because there is no public decryptor available for Rhysida and the threat actors frequently leave backdoors and persistence mechanisms behind, proper recovery requires professional incident response, comprehensive environment remediation, threat hunting to eliminate all attacker access, and restoration from clean, uncompromised backups.
Rhysida attackers typically infiltrate your network days or weeks before encryption, quietly stealing sensitive data, disabling backup systems and EDR tools, and spreading laterally through critical servers and workstations. When the ransomware detonates, files across Windows, Linux, and ESXi systems are rapidly encrypted with the .rhysida extension, shadow copies are deleted, and ransom notes appear in every directory. Shortly after, stolen data is threatened or published on the gang’s dark-web leak site to pressure victims into paying the ransom.
Ransomware is best prevented through layered security: patching critical vulnerabilities within 48 hours, enforcing phishing-resistant MFA across all accounts, deploying EDR + SIEM with 24/7 monitoring, segmenting networks to restrict lateral movement, hardening identity and privileged access controls, securing email gateways against phishing, and protecting backups with immutability and MFA-controlled access so attackers cannot tamper with them. Regular security awareness training and continuous threat-hunting further reduce risk.
Here’s a ransomware prevention checklist that will help your organization to block, detect, and contain attacks:
Patch critical vulnerabilities within 48 hours
Use MFA for all accounts, especially privileged access
Deploy EDR on all endpoints
Centralize logs into your SIEM
24/7 monitoring for lateral movement and anomalous behavior
Disable unused RDP and enforce VPN access controls
Apply network segmentation and restrict admin privileges
Harden backup servers and enforce immutability
Run phishing simulations and security awareness training
Perform regular IR tabletop exercises