An Overview of the New Rhysida Ransomware<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware.html\"> \n<meta property=\"og:title\" content=\"An Overview of the New Rhysida Ransomware\"> \n<meta property=\"og:description\" content=\"In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.\"> \n<meta property=\"og:site_name\" content=\"Trend Micro\"> \n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Rhysida-Cover.jpg\"> \n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> \n<meta name=\"twitter:site\" content=\"@TrendMicro\"> \n<meta name=\"twitter:title\" content=\"An Overview of the New Rhysida Ransomware\"> \n<meta name=\"twitter:description\" content=\"In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.\"> \n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Rhysida-Cover.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.429408842524\">  <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <\/span> <\/a>  <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"374854164\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7235494880546\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.832764505119\"> <\/span> <\/p>\nRansomware<\/p>\nIn this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.<\/p>\nBy: Trend Micro Research <time class=\"article-details__date\">August 09, 2023<\/time> Read time: <\/span><\/span> (<\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"48.023796033994\">\n<div readability=\"44.257223796034\">\nOn August 4, 2023, the HHS\u2019 Health Sector Cybersecurity Coordination Center (HC3) <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/rhysida-ransomware-sector-alert-tlpclear.pdf\">released a security alert<\/a> about a relatively new <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/definition\/Ransomware\">ransomware<\/a> called Rhysida (detected as <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Ransom.PS1.RHYSIDA.SM\/\">Ransom.PS1.RHYSIDA.SM<\/a>), which has been active since May 2023. In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.<\/p>\nNot much is currently known about the threat actors behind Rhysida in terms of origin or affiliations. According to the HC3 alert, Rhysida poses itself as a \u201ccybersecurity team\u201d that offers to assist victims in finding security weaknesses within their networks and system. In fact, the group\u2019s first appearance involved the use of a victim chat support portal.<\/p>\nAs mentioned earlier, Rhysida, which was previously known for targeting the education, government, manufacturing, and tech industries, among others \u2014 has begun conducting attacks on healthcare and public health organizations. The healthcare industry has seen an <a href=\"https:\/\/www.fiercehealthcare.com\/health-tech\/new-jama-study-scrapes-dark-web-find-true-frequency-healthcare-ransomware-attacks\">increasing number of ransomware attacks<\/a> over the past five years. This includes a recent <a href=\"https:\/\/www.nytimes.com\/2023\/08\/05\/us\/cyberattack-hospitals-california.html\">incident<\/a> involving Prospect Medical Holdings, a California-based healthcare system, that occurred in early August (although the group behind the attack has yet to be named as of writing).<\/p>\nData from Trend Micro\u2122 Smart Protection Network\u2122 (SPN) shows a similar trend, where detections from May to August 2023 show that its operators are targeting multiple industries rather than focusing on just a single sector.<\/p>\nThe threat actor also targets organizations around the world, with SPN data showing several countries where Rhysida binaries were detected, including Indonesia, Germany, and the United States.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"2d7e51\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/rhysida-bar-chart01.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/rhysida-bar-chart01.jpg\" alt=\"Figure 1. The industry and country detection count for Rhysida ransomware based on Trend SPN data from May to August 2023\"> <\/a> <\/figure>\n<\/p><\/div>\n<div readability=\"6.8740337092891\">\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"084e4f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/rhysida-bar-chart02.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/rhysida-bar-chart02.jpg\" alt=\"Figure 1. The industry and country detection count for Rhysida ransomware based on Trend SPN data from May to August 2023\"> <\/a><figcaption>Figure 1. The industry and country detection count for Rhysida ransomware based on Trend SPN data from May to August 2023<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\nHow does a Rhysida attack proceed?<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"a0973e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/rhysida-infection-chain.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/rhysida-infection-chain.jpg\" alt=\"Figure 2. The Rhysida ransomware infection chain\"> <\/a><figcaption>Figure 2. The Rhysida ransomware infection chain<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.5\">\n<div readability=\"36\">\nRhysida ransomware usually arrives on a victim\u2019s machine via phishing lures, after which Cobalt Strike is used for lateral movement within the system.<\/p>\nAdditionally, our telemetry shows that the threat actors execute PsExec to deploy PowerShell scripts and the Rhysida ransomware payload itself. The PowerShell script (g.ps1), detected as Trojan.PS1.SILENTKILL.A, is used by the threat actors to terminate antivirus-related processes and services, delete shadow copies, modify remote desktop protocol (RDP) configurations, and change the active directory (AD) password.<\/p>\nInterestingly, it appears that the script (g.ps1) was updated by the threat actors during execution, eventually leading us to a PowerShell version of the Rhysida ransomware.<\/p>\nRhysida ransomware employs a 4096-bit RSA key and ChaCha20 for file encryption. After successful encryption, it appends the .rhysida extension and drops the ransom note CriticalBreachDetected.pdf.<\/p>\nThis ransom note is fairly unusual \u2014 instead of an outright ransom demand as seen in most ransom notes from other ransomware families, the Rhysida ransom note is presented as an alert from the Rhysida \u201ccybersecurity team\u201d notifying victims that their system has been compromised and their files encrypted. The ransom demand comes in the form of a \u201cunique key\u201d designed to restore encrypted files, which must be paid for by the victim.<\/p>\n<h2>Summary of malware and tools used by Rhysida<\/span><\/h2>\n<ul>\n<li>Malware: RHYSIDA, SILENTKILL, Cobalt Strike<\/span><\/li>\n<li>Tools: PsExec<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"6.5\">\n<tr readability=\"3\">\n<td>Initial Access<\/b><\/td>\n<td>Phishing<\/b><\/td>\n<td>Based on external reports, Rhysida uses phishing lures for initial access<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<th scope=\"row\" rowspan=\"2\">Lateral Movement<\/b><\/th>\n<td>PsExec<\/b><\/td>\n<td>Microsoft tool used for remote execution<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>Cobalt Strike<\/b><\/td>\n<td>3rd<\/sup> party tool abused for lateral movement<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<th scope=\"row\">Defense Evasion<\/b><\/th>\n<td>SILENTKILL<\/b><\/td>\n<td>Malware deployed to terminate AV-related processes and services, delete shadow copies, modify RDP configurations, and change the AD password<\/b><\/td>\n<\/tr>\n<tr>\n<th scope=\"row\">Impact<\/b><\/th>\n<td>Rhysida ransomware<\/b><\/td>\n<td>Ransomware encryption<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<h5>Table 1. A summary of the malware, tools, and exploits used by Rhysida<\/h5>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\nAlthough we are still in the process of fully analyzing Rhysida ransomware and its tools, tactics, and procedures (TTPs), the best practices for defending against ransomware attacks still holds true for Rhysida and other ransomware families.<\/p>\nHere are several recommended measures that organizations implement to safeguard their systems from ransomware attacks:<\/p>\n<ul>\n<li>Create an inventory of assets and data<\/span><\/li>\n<li>Review event and incident logs<\/span><\/li>\n<li>Manage hardware and software configurations.<\/span><\/li>\n<li>Grant administrative privileges and access only when relevant to an employee’s role and responsibilities.<\/span><\/li>\n<li>Enforce security configurations on network infrastructure devices like firewalls and routers.<\/span><\/li>\n<li>Establish a software whitelist permitting only legitimate applications<\/span><\/li>\n<li>Perform routine vulnerability assessments<\/span><\/li>\n<li>Apply patches or virtual patches for operating systems and applications<\/span><\/li>\n<li>Keep software and applications up to date using their latest versions<\/span><\/li>\n<li>Integrate data protection, backup, and recovery protocols<\/span><\/li>\n<li>Enable multifactor authentication (MFA) mechanisms<\/span><\/li>\n<li>Utilize sandbox analysis to intercept malicious emails<\/span><\/li>\n<li>Regularly educate and evaluate employees’ security aptitude<\/span><\/li>\n<\/ul>\n<h2><\/span><\/h2>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"12\">\n<tr>\n<td>SHA1<\/b><\/td>\n<td>Detection name<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"61\" width=\"159\">69b3d913a3967153d1e91ba1a31ebed839b297ed<\/b><\/td>\n<td width=\"159\">Ransom.Win64.RHYSIDA.THEBBBC <\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"58\" width=\"159\">338d4f4ec714359d589918cee1adad12ef231907<\/b><\/td>\n<td width=\"159\">Ransom.Win64.RHYSIDA.THFOHBC <\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"58\" width=\"159\">b07f6a5f61834a57304ad4d885bd37d8e1badba8 <\/b><\/td>\n<td width=\"159\">Ransom.Win64.RHYSIDA.SM <\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"58\" width=\"159\">7abc07e7f56fc27130f84d1c7935a0961bd58cb9 <\/b><\/td>\n<td width=\"159\">TrojanSpy.Win32.INVICTASTEALER.A <\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"58\" width=\"159\">2543857b275ea5c6d332ab279498a5b772bd2bd4 <\/b><\/td>\n<td width=\"159\">TrojanSpy.Win32.INVICTASTEALER.A <\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td height=\"58\" width=\"159\">eda3a5b8ec86dd5741786ed791d43698bb92a262 <\/b><\/td>\n<td width=\"159\">Trojan.LNK.DOWNLOADER.AA <\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\nMITRE ATT&CK Matrix<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table cellpadding=\"1\" cellspacing=\"1\" border=\"1\" width=\"100%\">\n<tbody readability=\"25\">\n<tr readability=\"3\">\n<td>Initial Access<\/b><\/td>\n<td>T1566 Phishing<\/b><\/td>\n<td>Based on external reports, Rhysida uses phishing lures for initial access.<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"2\">Execution<\/b><\/td>\n<td>T1059.003 Command and Scripting Interpreter: Windows Command Shell<\/b><\/td>\n<td>It uses cmd.exe to execute commands for execution.<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>T1059.001 Command and Scripting Interpreter: PowerShell<\/b><\/td>\n<td>It uses PowerShell to create scheduled task named Rhsd<\/i> pointing to the ransomware.<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>Persistence<\/b><\/td>\n<td>T1053.005 Scheduled Task\/Job: Scheduled Task<\/b><\/td>\n<td>When executed with the argument -S, it will create a scheduled task named Rhsd<\/i> that will execute the ransomware<\/b><\/td>\n<\/tr>\n<tr readability=\"5\">\n<td rowspan=\"2\">Defense Evasion<\/b><\/td>\n<td>T1070.004 Indicator Removal: File Deletion<\/b><\/td>\n<td>Rhysida ransomware deletes itself after execution. The scheduled task (Rhsd) created would also be deleted after execution.<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>T1070.001 Indicator Removal: Clear Windows Event Logs<\/b><\/td>\n<td>It uses wevtutil.exe to clear Windows event logs.<\/b><\/td>\n<\/tr>\n<tr readability=\"5\">\n<td rowspan=\"2\">Discovery<\/b><\/td>\n<td>T1083 File and Directory Discovery<\/b><\/td>\n<td readability=\"5\">\nIt enumerates and looks for files to encrypt in all local drives.<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>T1082 System Information Discovery<\/b><\/td>\n<td valign=\"top\" readability=\"5\">\nObtains the following information:<\/b><\/p>\n<ul>\n<li>Number of processors<\/span><\/b><\/li>\n<li>System information<\/span><\/b><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td rowspan=\"3\">Impact<\/b><\/td>\n<td>T1490 Inhibit System Recovery<\/b><\/td>\n<td>It executes uses vssadmin to remove volume shadow copies<\/b><\/td>\n<\/tr>\n<tr readability=\"13\">\n<td>T1486 Data Encrypted for Impact<\/b><\/td>\n<td valign=\"top\" readability=\"15\">\nIt uses a 4096-bit RSA key and Cha-cha20 for file encryption.<\/b><\/p>\nIt avoids encrypting files with the following strings in their file name:<\/b><\/p>\n<ul>\n<li>.bat<\/span><\/b><\/li>\n<li>.bin<\/span><\/b><\/li>\n<li>.cab<\/span><\/b><\/li>\n<li>.cmd<\/span><\/b><\/li>\n<li>.com<\/span><\/b><\/li>\n<li>.cur<\/span><\/b><\/li>\n<li>.diagcab<\/span><\/b><\/li>\n<li>.diagcfg<\/span><\/b><\/li>\n<li>.diagpkg<\/span><\/b><\/li>\n<li>.drv<\/span><\/b><\/li>\n<li>.dll<\/span><\/b><\/li>\n<li>.exe<\/span><\/b><\/li>\n<li>.hlp<\/span><\/b><\/li>\n<li>.hta<\/span><\/b><\/li>\n<li>.ico<\/span><\/b><\/li>\n<li>.msi<\/span><\/b><\/li>\n<li>.ocx<\/span><\/b><\/li>\n<li>.ps1<\/span><\/b><\/li>\n<li>.psm1<\/span><\/b><\/li>\n<li>.scr<\/span><\/b><\/li>\n<li>.sys<\/span><\/b><\/li>\n<li>.ini<\/span><\/b><\/li>\n<li>.Thumbs.db<\/span><\/b><\/li>\n<li>.url<\/span><\/b><\/li>\n<li>.iso<\/span><\/b><\/li>\n<\/ul>\nIt avoids encrypting files found in the following folders:<\/b><\/p>\n<ul>\n<li>$Recycle.Bin<\/span><\/b><\/li>\n<li>Boot<\/span><\/b><\/li>\n<li>Documents and Settings<\/span><\/b><\/li>\n<li>PerfLogs<\/span><\/b><\/li>\n<li>ProgramData<\/span><\/b><\/li>\n<li>Recovery<\/span><\/b><\/li>\n<li>System Volume Information<\/span><\/b><\/li>\n<li>Windows<\/span><\/b><\/li>\n<li>$RECYCLE.BIN<\/span><\/b><\/li>\n<li>ApzData<\/span><\/b><\/li>\n<\/ul>\nIt appends the following extension to the file name of the encrypted files:<\/b><\/p>\nIt encrypts all system drives from A to Z.<\/b><\/p>\nIt drops the following ransom note:<\/b><\/p>\n<ul>\n<li>{Encrypted Directory}\\CriticalBreachDetected.pdf<\/span><\/b><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>T1491.001 Defacement: Internal Defacement<\/b><\/td>\n<td>It changes the desktop wallpaper after encryption and prevents the user from changing it back by modifying the NoChangingWallpaper registry value.<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\">\n<tbody readability=\"12\">\n<tr readability=\"2\">\n<td>Trend Micro solutions<\/b><\/td>\n<td>Detection Patterns \/ Policies \/ Rules<\/b><\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>\n<ul>\n<li>Trend Micro Apex One<\/span><\/li>\n<li>Trend Micro Deep Security<\/span><\/li>\n<li>Trend Micro Titanium Internet Security<\/span><\/li>\n<li>Trend Micro Cloud One Workload Security <\/span><\/li>\n<li>Trend Micro Worry-Free Business Security Services<\/span><\/li>\n<\/ul>\n<\/td>\n<td>\n<ul>\n<li>Ransom.Win64.RHYSIDA.SM<\/span><\/li>\n<li>Ransom.Win64.RHYSIDA.THEBBBC<\/span><\/li>\n<li>Ransom.Win64.RHYSIDA.THFOHBC<\/span><\/li>\n<li>Trojan.PS1.SILENTKILL.SMAJC<\/span><\/li>\n<li>Trojan.PS1.SILENTKILL.A<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td>\n<ul>\n<li>Trend Micro Apex One<\/span><\/li>\n<li>Trend Micro Deep Security<\/span><\/li>\n<li>Trend Micro Worry-Free Business Security Services<\/span><\/li>\n<li>Trend Micro Titanium Internet Security <\/span> <\/li>\n<\/ul>\n<\/td>\n<td>\n<ul>\n<li>RAN4056T<\/span><\/li>\n<li>RAN4052T<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>\n<ul>\n<li>Trend Micro Apex One<\/span><\/li>\n<li>Trend Micro Deep Discovery Web Inspector<\/span><\/li>\n<\/ul>\n<\/td>\n<td>\nPsExec<\/b><\/p>\n<ul>\n<li>SMB_Client_NEW – Rule 597,1847<\/span><\/li>\n<li>SMB2_PSEXEC_RENAMED_SERVICE_REQUEST – 4524<\/span><\/li>\n<li>SMB2_PSEXEC_CLONE_REQUEST – 4466<\/span><\/li>\n<li>SMB2_NAMED_PIPE_REQUEST_SB – 4571<\/span><\/li>\n<\/ul>\nCobalt Strike & Cobeacon<\/b><\/p>\n<ul>\n<li>DNS_COBALTSTRIKE_RESPONSE – 4570<\/span><\/li>\n<li>HTTP_COBALTSTRIKE_RESPONSE – 4152<\/span><\/li>\n<li>HTTP_COBALTSRIKE_RESPONSE.APT – 4469<\/span><\/li>\n<li>HTTP_COBALTSTRIKE_REQUEST-3 – 4594<\/span><\/li>\n<li>HTTP_COBALTSTRIKE_REQUEST-2 – 4153<\/span><\/li>\n<li>HTTP_COBALTSTRIKE_REQUEST – 2341<\/span><\/li>\n<li>HTTPS_COBALTSTRIKE_REQUEST – 4390<\/span><\/li>\n<li>SMB2_COBEACON_DEFAULT_NAMED_PIPE_REQUEST – 4870<\/span><\/li>\n<li>DNS_COBEACON_RESPONSE-3 – 4861<\/span><\/li>\n<li>DNS_COBEACON_RESPONSE-2 – 4860<\/span><\/li>\n<li>DNS_COBEACON_RESPONSE – 4391<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>\n<ul>\n<li>Trend Micro Apex One<\/span><\/li>\n<li>Trend Micro Deep Security <\/span><\/li>\n<li>Trend Micro Worry-Free Business Security Services<\/span><\/li>\n<li>Trend Micro Titanium Internet Security<\/span><\/li>\n<li>Trend Micro CloudEdge<\/span><\/li>\n<\/ul>\n<\/td>\n<td>\n<ul>\n<li>Troj.Win32.TRX.XXPE50FFF071<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h2><\/span><\/h2>\nTrend Vision One customers can use the following hunting query to search for Rhysida within their system:<\/p>\nprocessCmd:”powershell.exe*\\\\*$\\?.ps1″ OR (processCmd:”?:\\?$\\??.bat” AND objectFilePath:”?:\\?$\\PSEXEC.exe”)<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\nTags<\/p>\n<\/section>\n <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n   <\/p>\n sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n   <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/h\/an-overview-of-the-new-rhysida-ransomware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain. Read More HERE…<\/p>\n","protected":false},"author":2,"featured_media":53141,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9539,9509],"class_list":["post-53140","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-ransomware","tag-trend-micro-research-research"],"yoast_head":"\n<title>An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-08-09T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Rhysida-Cover-1:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector\",\"datePublished\":\"2023-08-09T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/\"},\"wordCount\":1411,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/\",\"name\":\"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg\",\"datePublished\":\"2023-08-09T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg\",\"width\":1469,\"height\":1036},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n","yoast_head_json":{"title":"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/","og_locale":"en_US","og_type":"article","og_title":"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-08-09T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Rhysida-Cover-1:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector","datePublished":"2023-08-09T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/"},"wordCount":1411,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Ransomware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/","url":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/","name":"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg","datePublished":"2023-08-09T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/08\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector.jpg","width":1469,"height":1036},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/53140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=53140"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/53140\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/53141"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=53140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=53140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=53140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":53140,"date":"2023-08-09T00:00:00","date_gmt":"2023-08-09T00:00:00","guid":{"rendered":"urn:uuid:952e7f1e-f419-c1b9-276e-87fe68d6327f"},"modified":"2023-08-09T00:00:00","modified_gmt":"2023-08-09T00:00:00","slug":"an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/an-overview-of-the-new-rhysida-ransomware-targeting-the-healthcare-sector\/","title":{"rendered":"An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector"},"content":{"rendered":"