Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.

As we've discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the plethora of leaked builders and source code related to various ransomware cartels. This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site.

Rhysida ransomware details

As we commonly see in the ransomware space, this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control (C2) frameworks like Cobalt Strike. These frameworks are commonly delivered as part of traditional commodity malware, so infection chains can vary widely.

The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below. They claim to have compromised the company and are willing to help resolve the issue. These types of approaches are not uncommon — historically, groups have done things like provide "security reports" to compromised organizations to help them "resolve the issue."

Sample ransom note.

The group appears to commonly deploy double extortion — of the victims that have been listed on the leak site, several of them have had some portion of their exfiltrated data exposed.

Encryption algorithm

Rhysida’s encryption routine is relatively straightforward and uses the ChaCha20 encryption algorithm. We have seen this algorithm deployed by other groups before, either as a standalone encryption algorithm or as part of a more custom approach. Rhysida enumerates the directories and files on each drive from “A:” to “Z:”, checks that they are not on the “exclude list” and then “processes,” i.e., encrypts, the files. Once encrypted, the file is renamed to “<filename>.rhysida”.

Rhysida’s algorithm for “processing” files.

The file exclusion list maintained in Rhysida samples consists mostly of the usual system directories required for the operating system to function:

Excluded folders.

Excluded extensions include:

.bat .bin .cab .cmd .com .cur .diagcab .diagcfg .diagpkg .drv .dll .exe .hlp .hta .ico .lnk .msi .ocx .ps1 .psm1 .scr .sys .ini Thumbs.db .url .iso .cab

After encryption, the ransomware displays the ransom note in two ways: it creates and opens the note as a PDF, and it sets it as the background wallpaper. The PDF, usually named “CriticalBreachDetected.pdf”, is generated using content embedded in the ransomware binary, including the skeleton PDF and the ransom note (shown above). The ransom note is also used to generate a message in the form of the background wallpaper, typically located at “C:/Users/Public/bg.jpg”.
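
For responders, the file-system artifacts described above (the “.rhysida” suffix, the excluded extensions and the usual note file name) can drive a quick triage pass over a volume to scope what was encrypted. The Python script below is an added example, not code from Talos or from the ransomware; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".rhysida"             # rename suffix given in the article
NOTE_NAME = "criticalbreachdetected.pdf"  # usual note name, compared lower-cased
# Exclusions listed in the article: these files are skipped by the encryptor.
EXCLUDED_EXT = set(
    ".bat .bin .cab .cmd .com .cur .diagcab .diagcfg .diagpkg .drv .dll .exe .hlp "
    ".hta .ico .lnk .msi .ocx .ps1 .psm1 .scr .sys .ini .url .iso".split())
EXCLUDED_NAMES = {"thumbs.db"}

def triage(root):
    """Classify every file under root by the artifacts the article describes."""
    report = {"encrypted": [], "notes": [], "excluded": [], "unencrypted_data": []}
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):
                # Strip the suffix to recover the pre-encryption file name.
                report["encrypted"].append((path, name[:-len(ENCRYPTED_SUFFIX)]))
                per_dir[os.path.relpath(dirpath, root)] += 1
            elif lower == NOTE_NAME:
                report["notes"].append(path)
            elif lower in EXCLUDED_NAMES or os.path.splitext(lower)[1] in EXCLUDED_EXT:
                report["excluded"].append(path)
            else:
                # Data file that was neither renamed nor on the exclude list.
                report["unencrypted_data"].append(path)
    report["dirs_by_encrypted_count"] = per_dir.most_common()
    return report

def build_sample(root):
    """Constructed sample tree; names and contents are made up for the demo."""
    for rel in ["docs/report.docx.rhysida", "docs/budget.xlsx.rhysida",
                "docs/CriticalBreachDetected.pdf", "docs/notes.txt",
                "tools/setup.exe", "tools/Thumbs.db", "img/scan.png.rhysida"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print(len(result["encrypted"]), "encrypted;", len(result["notes"]), "note(s)")
        print(result["dirs_by_encrypted_count"])
```

The “unencrypted_data” bucket lists files that were neither renamed nor on the exclude list, which helps when comparing a host against backups.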

This new ransomware variant doesn't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks. This isn't even the only new ransomware group we've written about this week.


Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

Cisco Talos is releasing the following Snort SIDs to protect against this threat: 62220 - 62229, 300653 - 300657.

Indicators of compromise