Rhysida Ransomware: Systematic Targeting of Government and Critical Infrastructure

Rhysida ransomware distinguished itself through deliberate targeting of government agencies, education institutions, and healthcare organizations across multiple countries.

James
Security Engineer

Since its emergence in May 2023, Rhysida ransomware quickly established a reputation for targeting organizations that most ransomware groups either avoid or claim to avoid: government agencies, healthcare systems, and educational institutions. By mid-2024, Rhysida had hit targets across Europe, the Americas, and the Middle East, with a victim profile that skewed heavily toward the public sector and critical infrastructure.

The group's targeting choices weren't random. Rhysida appears to have calculated that public sector organizations face unique pressure to restore services and protect citizen data — pressure that translates into willingness to negotiate.

Emergence and Attribution

Rhysida appeared on the threat landscape in May 2023, operating a RaaS model with a leak site on the Tor network. The group's name referenced a genus of centipede — continuing the ransomware ecosystem's oddly common pattern of zoological branding.

Attribution analysis suggested connections to the Vice Society ransomware group, which had been active since 2021 with a similar focus on education and healthcare. Evidence included:

  • Overlapping tactics, techniques, and procedures (TTPs)
  • Similar infrastructure patterns
  • Consistent targeting of the same sectors
  • Timeline alignment — Vice Society's activity declined as Rhysida's increased

If Rhysida was indeed a Vice Society rebrand, it represented operators with years of experience targeting exactly the sectors Rhysida would go on to hit.

Notable Government Targets

The British Library (October 2023)

One of the world's great research libraries was hit by Rhysida in October 2023. The attack disrupted services for months:

  • The online catalog was inaccessible for extended periods
  • Digital collections and electronic resources were unavailable
  • Staff email and administrative systems were compromised
  • Nearly 600,000 customer and staff records were stolen
  • The library estimated recovery costs of over $7 million

Rhysida demanded 20 BTC (approximately $750,000) and published stolen data after the library refused to pay. The attack demonstrated that cultural institutions — often operating with limited cybersecurity budgets — were vulnerable targets.

Chilean Army (June 2023)

Rhysida claimed to have stolen 360,000 documents from the Chilean military, publishing samples that included personnel records, financial documents, and internal communications. The breach highlighted the vulnerability of military administrative systems, which often prioritize classified network security while underinvesting in the security of administrative and personnel systems.

City of Columbus, Ohio (July 2024)

Rhysida breached the City of Columbus, stealing personal data of approximately 500,000 residents. The city initially downplayed the breach, claiming stolen data was "encrypted or corrupted." When a security researcher publicly contradicted this, the city sued the researcher — a response that drew widespread criticism and highlighted the tensions between transparency and damage control in public sector breach response.

Prospect Medical Holdings (August 2023)

Rhysida hit Prospect Medical Holdings, disrupting hospital operations across four states. Emergency rooms diverted patients, elective procedures were postponed, and staff reverted to paper records. The attack affected 16 hospitals and over 165 clinics, demonstrating the cascading impact when a healthcare holding company is targeted.

Technical Profile

The Payload

Rhysida's ransomware was written in C++ and compiled as a 64-bit Windows PE executable. Key technical characteristics:

  • Encryption: ChaCha20 algorithm with RSA-4096 for key encryption
  • Intermittent encryption: Configurable partial file encryption for speed
  • File targeting: Encrypted files received a .rhysida extension
  • Ransom note: Dropped as a PDF file named "CriticalBreachDetected.pdf"
  • Process termination: Kill lists targeting databases, backup software, and security tools

Initial Access Vectors

Rhysida affiliates used several initial access methods:

Phishing: Standard email phishing campaigns delivering malware loaders, often Cobalt Strike beacons or SystemBC backdoors.

Valid credentials: Purchasing or stealing VPN and RDP credentials from initial access brokers or extracting them from credential dumps.

Vulnerability exploitation: Targeting internet-facing applications, particularly Citrix NetScaler (CVE-2023-3519) and FortiOS (CVE-2023-27997) vulnerabilities.

Zerologon (CVE-2020-1472): Notably, Rhysida affiliates were observed exploiting the Zerologon vulnerability — a critical Netlogon flaw from 2020 — well into 2024. The continued effectiveness of a four-year-old vulnerability spoke volumes about the patch management challenges in government and healthcare.

Post-Exploitation

Once inside, Rhysida affiliates relied on a standard post-exploitation toolkit:

  • Cobalt Strike: Primary C2 framework
  • PsExec: Remote execution and ransomware deployment
  • SystemBC: Proxy tool for maintaining stealthy communication channels
  • Mimikatz and ntdsutil: Credential harvesting
  • PowerShell: Script-based reconnaissance and tool deployment
  • WinSCP and MegaSync: Data exfiltration tools

Why Government and Public Sector?

Rhysida's targeting preferences reflected several calculated factors:

Budget Constraints

Government agencies and public institutions often operate with cybersecurity budgets that are a fraction of what private sector organizations of comparable size invest. This creates systematic underinvestment in:

  • Endpoint detection and response
  • Security operations center coverage
  • Vulnerability management and patching
  • Security awareness training
  • Incident response capabilities

Legacy Infrastructure

Government IT environments frequently include legacy systems that cannot be easily updated or replaced:

  • Systems running unsupported operating systems
  • Applications with hardcoded dependencies on specific OS versions
  • Legacy databases and file servers that predate modern security architectures
  • Procurement cycles that delay security tool deployment by months or years

Data Sensitivity

Government agencies hold enormous volumes of sensitive citizen data:

  • Social Security numbers and tax information
  • Criminal justice records
  • Healthcare data (for government health systems)
  • Military and security information
  • Personal records of government employees

This data creates extortion leverage — the threat of publishing citizen data carries both reputational and regulatory consequences for government agencies.

Operational Pressure

Government agencies provide essential services:

  • Emergency services and public safety
  • Healthcare delivery
  • Benefits administration
  • Judicial operations
  • Transportation and infrastructure management

Disruption of these services directly affects citizens, creating political and operational pressure to restore services quickly.

The Public Sector Supply Chain Challenge

Government organizations face unique supply chain challenges:

Procurement requirements: Government procurement processes prioritize compliance and cost over security agility. This often means deploying products that meet regulatory checkboxes but may not represent the most secure options.

Shared service providers: Government agencies often share IT service providers, creating concentration risks. A breach at one shared service provider can cascade across multiple agencies.

Interconnected systems: Government systems frequently interconnect — between agencies, between levels of government, and with private sector partners. These connections create lateral movement opportunities for attackers.

Contractor access: Government reliance on contractors and consultants creates extensive third-party access that must be managed across agencies with varying security maturity levels.

Defensive Recommendations

For organizations in Rhysida's target sectors:

Patch known vulnerabilities aggressively. The continued exploitation of Zerologon (a 2020 CVE) demonstrates that basic patch management failures remain the primary enabler. Organizations that can't patch production systems should implement compensating controls.

Segment legacy systems. Isolating systems that cannot be patched or updated limits their usefulness as lateral movement stepping stones.

Implement MFA everywhere. Rhysida's reliance on valid credentials for initial access is defeated by phishing-resistant MFA on all externally accessible systems.

Monitor for legitimate tool abuse. Rhysida operators used PsExec, PowerShell, and WinSCP — tools present in most environments. Detection must focus on anomalous usage patterns rather than tool presence.
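As an added illustration of "anomalous usage rather than tool presence" (example code, not from the original post), the triage below checks process-creation records against a hypothetical baseline of where PsExec is expected to run and which hosts are servers; the baseline sets, field names and sample events are all constructed for this example.

```python
import re

# Hypothetical baseline, constructed for this example: where remote-admin
# tooling is expected to run, by whom, and which hosts are servers.
ADMIN_JUMP_HOSTS = {"JUMP01", "JUMP02"}
ADMIN_ACCOUNTS = {"CORP\\svc_deploy", "CORP\\adm_jane"}
SERVER_HOSTS = {"DC01", "FS01"}
PSEXEC = {"psexec.exe", "psexec64.exe"}
TRANSFER_TOOLS = {"winscp.exe", "megasync.exe"}
ENCODED_PS = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s")

def triage(events):
    """Return (host, user, rule) findings for tool use outside the baseline."""
    findings = []
    for ev in events:  # fields loosely follow Sysmon Event ID 1: host, user, image, cmdline
        host, user = ev["host"], ev["user"]
        img = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = " " + ev.get("cmdline", "") + " "
        # PsExec from a jump host by an admin account is routine; anywhere else it is not.
        if img in PSEXEC and (host not in ADMIN_JUMP_HOSTS or user not in ADMIN_ACCOUNTS):
            findings.append((host, user, "psexec_outside_baseline"))
        # PSEXESVC.exe starting on a host means a remote PsExec session landed there.
        if img == "psexesvc.exe":
            findings.append((host, user, "psexec_service_on_target"))
        # Encoded PowerShell is rarely used in legitimate administration.
        if img in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
            findings.append((host, user, "powershell_encoded_command"))
        # A transfer client on a server points to data staging, not administration.
        if img in TRANSFER_TOOLS and host in SERVER_HOSTS:
            findings.append((host, user, "transfer_tool_on_server"))
    return findings

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"host": "JUMP01", "user": "CORP\\adm_jane", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "PsExec.exe \\\\FS01 cmd"},
    {"host": "WS-HR-117", "user": "CORP\\bob", "image": "C:\\Users\\bob\\Downloads\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\DC01 -s cmd"},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "WS-HR-117", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "FS01", "user": "CORP\\bob", "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "cmdline": "WinSCP.exe"},
    {"host": "WS-FIN-042", "user": "CORP\\alice",
     "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "cmdline": "WinSCP.exe"},
]
```

The same WinSCP binary on a finance workstation produces no finding while on the file server it does, which is the distinction the recommendation draws.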

How Safeguard.sh Helps

Rhysida's systematic targeting of government and critical infrastructure exposed the supply chain challenges unique to the public sector — legacy systems, shared service providers, and complex vendor ecosystems that create cascading risk.

Safeguard.sh provides the automated supply chain visibility that resource-constrained public sector organizations need. The platform's SBOM management tracks every software component across your environment, including the legacy systems and third-party tools that Rhysida's operators exploit. Continuous vulnerability monitoring ensures that aging CVEs like Zerologon don't persist unnoticed in your infrastructure.

For government agencies managing complex vendor relationships and shared service architectures, Safeguard.sh's dependency mapping identifies concentration risks — the shared components and service providers whose compromise could cascade across multiple systems. When your supply chain spans agencies, contractors, and shared services, automated visibility is the only way to keep pace with the threat.
