
Rhysida Ransomware: A Politically Framed Threat with Real-World Impact

Rhysida is a relatively new but highly visible ransomware group, known for targeting healthcare, education, and public sector institutions, often under the guise of so-called "hacktivism."


Their communications frame attacks as exposing corruption or incompetence—a PR strategy designed to mask profit-driven extortion.

Despite the political posturing, Rhysida is a ransomware group like any other: it encrypts systems, exfiltrates data, and demands payment under the threat of public exposure. At STORM Guidance, we support organisations through attacks like these with expert-led incident response, data breach management, and resilience-building support.


 

How Rhysida Attacks Work


Rhysida’s ransomware has been deployed through various vectors, but most attacks follow a pattern:

  • Initial access via phishing emails, compromised remote access services, or credential theft

  • Lateral movement using PowerShell and common tools to escalate access

  • Exfiltration and encryption of sensitive files, often targeting medical or government records

  • Victims receive a ransom note and are listed on the Rhysida leak site, often alongside politically charged messaging


Their leak site presents a pseudo-ideological stance, but the goal is still clear: ransom payment.


 

Who Rhysida Targets


Rhysida has focused on:

  • Healthcare providers, hospitals, and clinics

  • Education institutions and local government bodies

  • Public services in the UK, US, and Latin America


These targets are often underfunded in cybersecurity, yet hold highly sensitive data and face intense reputational risk if that data is exposed.


 

How to Protect Against Rhysida Ransomware


✅ Patch vulnerable remote access tools and third-party software

✅ Enforce multi-factor authentication on all external-facing services

✅ Monitor for unusual administrative behaviour across networks

✅ Regularly back up critical systems and store backups securely

✅ Train staff in phishing awareness, especially in high-risk departments

✅ Prepare breach response playbooks, especially for sensitive data scenarios


 

If You’ve Been Targeted by Rhysida


If your organisation has been attacked:

  • Isolate affected systems immediately

  • Preserve logs, ransom notes, and exfiltration indicators

  • Assess what data may have been compromised and its regulatory impact

  • Engage with a response team before deciding on payment or disclosure


STORM Guidance can assist with:

✔ Containment and recovery support

✔ Regulatory breach impact assessment

✔ Crisis communication strategy for sensitive sectors

✔ Expert ransom response advice


 

Rhysida: More Than Messaging


While Rhysida positions itself as a politically motivated actor, its tactics align squarely with criminal ransomware groups.

For healthcare providers, government departments, and education institutions, this group presents a dual threat: operational disruption and public trust erosion.

Understanding Rhysida means recognising the messaging, but responding to the real risks behind it. STORM Guidance is here to help you handle both—with confidence and control.


 

Immediate Response Available

If you’re under attack, contact STORM Guidance now.


