Rhysida Ransomware

The Rhysida ransomware-as-a-service (RaaS) group has swiftly gone from an unknown entity to a well-established ransomware operation. Although some of its features are still incomplete, the group made a significant impact with a highly publicized attack on the Chilean Army at the end of May. The attack reflects a growing trend of ransomware groups targeting government institutions in Latin America. On June 15, the Rhysida group leaked the files stolen from the Chilean Army, amplifying concerns about its capabilities and intentions.

The Rhysida ransomware is a 64-bit Portable Executable (PE) Windows application compiled with MINGW/GCC. Analysis of various samples indicates that the program is still in the early stages of development, as evidenced by its program name, Rhysida-0.1. One notable feature of the tool is the presence of plain-text strings that reveal the commands it uses to modify the system's registry. To encrypt victims' files, Rhysida uses a 4096-bit RSA key in conjunction with the ChaCha20 algorithm, which gives the encryption a high level of cryptographic strength.

Rhysida Ransomware Signatures

Family: Ransom.Win64.RHYSIDA.THFOHBC
MD5: 1e256229b58061860be8dbf0dc4fe67e
SHA256: d5c2f87033a5baeeb1b5b681f2c4a156ff1c05ccd1bfdaf6eae019fc4d5320ee
