Rhysida emerged in May 2023 and within six months had claimed some of the most disruptive ransomware attacks on public sector and healthcare targets in recent memory. The British Library attack in October 2023 — which destroyed much of the institution’s digital infrastructure and took over a year to fully recover from — remains one of the most visible examples of ransomware’s destructive capacity against cultural institutions. The group continues operating in 2026 with a consistent focus on under-resourced targets in healthcare, education, and public sector.
Group Profile
Rhysida operates as a ransomware-as-a-service (RaaS) platform. The operators provide the encryptor, leak site infrastructure, and ransom negotiation support; affiliates provide the intrusion capability. The group takes the standard 80/20 split common in the RaaS market, with affiliates retaining 80% of ransom proceeds.
The group’s leak site presents Rhysida as positioning itself as a “cybersecurity team” performing “penetration tests” on victims — a framing that has become meaningless as a distinction but is a recurring stylistic choice among RaaS operators seeking to avoid being perceived as indiscriminate.
Initial activity focused on South America and EMEA, but by late 2023 Rhysida was actively targeting US healthcare and education institutions. CISA and FBI issued a joint advisory on Rhysida in November 2023 (AA23-319A), citing exploitation of Citrix and VPN credentials as the predominant initial access vector.
Notable Victims
British Library (October 2023) — Rhysida attacked the British Library’s systems, encrypting servers and exfiltrating approximately 600 GB of internal data. The group demanded 20 bitcoin (approximately £600,000 at the time). The British Library declined to pay. Rhysida published the exfiltrated data on its leak site. The recovery process took over a year, cost an estimated £6 million, and required rebuilding much of the library’s IT infrastructure from scratch.
Lurie Children’s Hospital (January 2024) — One of the most significant healthcare ransomware incidents of 2024. Lurie Children’s Hospital in Chicago was forced to take its network offline for weeks, diverting emergency paediatric cases and delaying surgeries. The attack demonstrated the group’s willingness to target children’s hospitals — a targeting decision that attracted unusual levels of public attention.
Multiple NHS trusts (2024–2025) — Rhysida affiliates have targeted several NHS and NHS-adjacent organisations in the UK, consistent with the group’s preference for under-resourced healthcare institutions with legacy infrastructure.
Government of Kuwait (2023) — An early high-profile target demonstrating the group’s willingness to attack government institutions. Significant volumes of government documents were published on the leak site.
Technical Profile
Initial Access: The CISA advisory and subsequent DFIR investigations consistently point to Citrix Bleed (CVE-2023-4966) and exploitation of VPN credentials as the predominant initial access vectors in Rhysida intrusions. The group’s affiliates appear to buy access from initial access brokers or independently exploit external-facing VPN and remote access infrastructure.
Lateral Movement: Post-compromise tools commonly observed include:
- PsExec for lateral movement
- Cobalt Strike and Sliver implants for command-and-control
- Mimikatz and similar tools for credential harvesting
- RDP for administrative access across the environment
Encryptor: Rhysida uses a custom C++ encryptor that targets Windows systems primarily. The encryptor uses a combination of RSA-4096 (for key encryption) and AES-256-CTR (for file encryption). Encrypted files receive a .rhysida extension. The encryptor explicitly excludes a set of file types and folders to maintain system stability, following standard ransomware practice.
In August 2024, South Korean researchers published a decryptor based on a flaw in Rhysida’s random number generation — the PRNG was seeded with the system timestamp, allowing brute-force key recovery. Rhysida patched this flaw in subsequent encryptor versions. Victims encrypted with early variants (pre-patch, approximately before October 2024) may still be recoverable; victims encrypted with later versions are not.
Exfiltration: The group uses a combination of WinSCP and Rclone for bulk data exfiltration to attacker-controlled cloud storage. Exfiltration typically precedes encryption by several days during which the group maintains persistence across the environment.
Triple Extortion: Beyond the standard double extortion model (encrypt + threaten to publish), Rhysida has in several cases contacted the victims’ clients, partners, or regulators directly to increase pressure — a tactic that was subsequently adopted more widely in the RaaS ecosystem.
Defensive Guidance
Patch Citrix and VPN infrastructure promptly. Rhysida affiliates consistently exploit known vulnerabilities in external-facing remote access products. CVE-2023-4966 (Citrix Bleed) was the most exploited vulnerability in this group’s operations; more recent Citrix and Pulse Secure vulnerabilities have been observed in subsequent intrusions.
Implement phishing-resistant MFA on remote access. VPN credential theft is the other primary initial access vector. Hardware token or passkey-based MFA substantially reduces the value of stolen VPN credentials.
Monitor for Cobalt Strike and Sliver C2 beacons. These are consistent post-access tools in Rhysida intrusions. Endpoint detection for Cobalt Strike named pipes and memory artefacts should be active.
Segment backup infrastructure. Rhysida affiliates seek out and encrypt backup systems. Network segmentation and offline/immutable backup copies are essential for recovery capability.
For healthcare organisations specifically: apply the CISA/HHS joint advisory recommendations from AA23-319A, which include specific guidance for the healthcare sector on network segmentation, remote access security, and incident detection tuned for Rhysida TTPs.
Current Activity Level
Rhysida’s leak site continues to post new victims in 2026, with activity concentrated in healthcare, education, and public sector in North America and EMEA. The group’s victim frequency is lower than the largest RaaS platforms (RansomHub, Cl0p) but the average ransom demand per victim is substantial — typically $1–5 million for healthcare and large public sector targets — and the destructive impact of attacks on institutions with limited recovery capability has been disproportionate to the group’s overall scale.