Menu
Browse

Cyber Threat Actor: Rhysida

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
France
13 incidents
Profile

Rhysida is a ransomware group that has been publicly identified by the aliases Rhysida ransomware group and Rhysida, and the threat actor’s base of operations is indicated as France in the available reporting. The group has carried out a series of ransomware attacks that involve encrypting victim systems, exfiltrating data, and then threatening to publish or sell the stolen information unless a ransom is paid, which demonstrates a financially motivated extortion model. Observed incidents show the group targeting a range of sectors including healthcare, education, government, manufacturing, and publishing, and the activity has been observed across multiple geographic regions such as the United States, the United Kingdom, Italy, Denmark, Peru, and France itself, indicating a transnational operational pattern.

The group’s tactics, techniques, and procedures as described in the source material include deploying ransomware that encrypts critical systems, exfiltrating large volumes of data—sometimes hundreds of gigabytes—and posting the stolen material on a leak site to pressure victims into payment. Ransom demands have been expressed in both cryptocurrency, such as requests for five or ten bitcoin, and fiat currency, exemplified by a demand of over 1.5 million USD in one healthcare incident. In several cases the actors have employed anti‑forensic or anti‑detection techniques that hindered forensic analysis, as noted in the attack on a London literary agency. The British Library incident highlighted the exploitation of a Terminal Services server lacking multi‑factor authentication as an initial access vector, and the attackers also encrypted and destroyed critical infrastructure, causing prolonged service outages. Additionally, the group has claimed responsibility for attacks on government domains, such as the Peruvian gob.pe portal and the Martinique government, and has targeted educational institutions ranging from K‑12 school districts to universities.

Representative campaigns illustrate the group’s operational scope: the July 2025 ransomware attack on Cookeville Regional Medical Center resulted in the theft of data affecting over 337 000 individuals, a ransom demand of ten bitcoin, and the eventual public release of the data when no buyer was found. The October 2023 compromise of the British Library involved exploitation of an unprotected Terminal Services server, the exfiltration of roughly 600 GB of staff and user data, the encryption and destruction of core systems, and a months‑long disruption of online services despite physical sites remaining open. In February 2025 the group claimed responsibility for ransomware incidents against a UK book printer and a London literary agency, causing operational disruption, financial strain on clients, and data‑exfiltration threats that were hampered by the attackers’ anti‑detection measures. Earlier incidents, such as the March 2025 claim against Peru’s government portal and the January 2024 attack on a Colorado healthcare nonprofit, further demonstrate the group’s willingness to target both public‑sector and private‑sector entities for financial gain.

Attribution information provided in the source material is limited to the group’s stated location in France; no explicit links to state sponsors, criminal consortia, or other threat‑actor affiliatures are disclosed. Consequently, any assessment of Rhysida’s broader alliances, sponsorship, or organizational size would be speculative and is therefore omitted. The available evidence portrays Rhysida as a financially motivated ransomware actor that conducts opportunistic, cross‑sector intrusions, leverages remote‑service weaknesses, employs data‑leak extortion, and utilizes anti‑forensic tactics to impede incident response.

Incidents
Attributed incidents available to members
13 incidents
Sources
Sources available to members
5 sources