Rhysida (also tracked as Vanilla Tempest by Microsoft and as MITRE ATT&CK G1052) is one of the more operationally consequential ransomware operations to appear in the 2023-2024 period. It is a financially motivated organized cyber-criminal cluster, operating predominantly from Russia and adjacent post-Soviet states, that emerged in May 2023. The cluster has substantial documented tooling and victimology overlap with the older Vice Society ransomware operation (active approximately 2021-2023), and vendor consensus widely treats Rhysida as a Vice Society successor or personnel-overlap operation following Vice Society's apparent operational decline in mid-2023. The cluster's most distinctive signature is sustained healthcare- and education-sector targeting, emphasized in the CISA, FBI and MS-ISAC joint cybersecurity advisory AA23-319A (November 15, 2023), the most significant formal public US-government attribution for the cluster.
The healthcare- and education-sector focus is a meaningful operational-doctrine signal about the cluster's victim-selection patterns and aligns with the broader Vice Society / Rhysida ecosystem. The cluster's most consequential operations include the following. First, the Chilean Army attack (May 2023), the earliest high-profile Rhysida operation, followed by publication of approximately 360,000 internal Chilean Army documents; it is one of the most consequential ransomware attacks against a national military in the publicly tracked record.
Second, Prospect Medical Holdings (August 2023), a US healthcare network operating 16+ hospitals across California, Connecticut, Pennsylvania, and Rhode Island, suffered weeks of operational disruption, including emergency departments falling back to paper-based clinical workflows. Third, the Kuwait Ministry of Finance (September-October 2023), a disruption of Kuwait government financial-administration IT. Fourth, and the most consequential UK incident, the British Library attack (October 28, 2023).
The attack disrupted British Library operations for months, including its main website, online catalogues, on-site IT systems, and Wi-Fi services. The British Library publicly refused the approximately 600,000 GBP ransom demand, and Rhysida subsequently published approximately 600GB of internal British Library data on its leak site. The impact extended well beyond the British Library itself because of substantial cascading effects on the UK academic research community (the British Library is a major piece of UK research-library infrastructure).
The British Library subsequently published an unusually detailed public incident-disclosure report (March 2024) documenting the full attack, an operationally significant transparency model for public-sector victim response. Fifth, Insomniac Games / Sony PlayStation Studios (November-December 2023), a high-profile entertainment-industry operation against the Sony Interactive Entertainment video-game development subsidiary. Approximately 1.6 terabytes of Insomniac Games internal data was published on the Rhysida leak site, including unreleased game-development materials (notably extensive Marvel's Wolverine development assets that Sony had not publicly disclosed), employee personal information, contracts, and financial information.
Sixth, Lurie Children's Hospital Chicago (January-February 2024), where pediatric healthcare operations were disrupted for weeks, including delayed surgeries and rerouted patients. The cluster operates a distinctive helpdesk-themed leak site with customer-service-style branding, novel relative to peer ransomware leak sites and contributing to its elevated public-recognition profile. The branding choice is consistent with a broader contemporary pattern of distinctive leak-site aesthetics (Akira's retro 1988 green-text styling, ALPHV / BlackCat's Tor-based clear-web indexing, Medusa's ransom-countdown timers), collectively representing cluster-level investment in public-facing branding as a marketing dimension.
Operationally, the cluster's initial-access tradecraft centers on spear-phishing with weaponized attachments, VPN credential stuffing against VPN authentication endpoints that lack MFA, RDP credentials bought from underground marketplaces or harvested by infostealer deployments, and selective exploitation of disclosed n-day vulnerabilities. The cluster operates Linux and ESXi ransomware variants alongside the Windows variant. A handful of operational notes follow. First, the cluster's Vice Society successor relationship is one of the better-documented examples of ransomware-cluster personnel reorganization under a new brand in the publicly tracked record.
Vice Society (active approximately 2021-2023) was documented in the CISA, FBI, MS-ISAC and UK NCSC advisory AA22-249A (September 6, 2022) for sustained education-sector targeting; the Rhysida successor brand has continued that sector focus while operating substantially modified tooling and branding. Second, the British Library's March 2024 public incident-disclosure report is an operationally significant transparency model for public-sector victim response. The disclosure covers the cluster's initial-access vector, the operational impact assessment, the recovery costs, and the decision-making process around the ransom refusal, providing defender and policy-maker reference material that contrasts with the conventional silent incident-response approach.
The British Library model feeds the broader analytical question of whether systematic public-disclosure patterns could undermine ransomware operational viability over time. Third, no formal individual-operator attribution at the named-Russian-national tier has been publicly issued for Rhysida administrators, consistent with the broader absence of named-individual attribution for Cl0p, ALPHV / BlackCat, Black Basta, Akira, Play, Medusa, and several other contemporary cybercrime clusters. Among the major contemporary cybercrime clusters covered in this corpus, only LockBit (Khoroshev), Evil Corp (Yakubets / Turashev), and FIN7 (Dunaev / Hladyr / Kolpakov / Witte) have received named-Russian-national-tier formal attribution.
Fourth, the healthcare- and education-sector targeting pattern is operationally significant defender threat-modeling guidance. Healthcare and education organizations consistently run under-resourced cybersecurity programs relative to comparable verticals, making them disproportionately attractive victim categories for ransomware operations like Rhysida and its Vice Society predecessor. Defender threat-modeling for these sectors should treat ransomware as a primary threat category requiring resource allocation comparable to other verticals.
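As an added example (not from advisory AA23-319A and not the cluster's tooling), a defender-side check for the VPN credential-stuffing initial-access vector described above: it parses constructed VPN authentication log lines (the log format and the RFC 5737 documentation IPs are assumptions) and flags any source that fails against many distinct accounts inside a short window, then reports successful logins from such a source, the pattern that matters on an MFA-less endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN gateway auth log (format and addresses are assumed, not a real device).
SAMPLE_LOG = """\
2023-10-27T22:01:03Z vpn-gw auth user=jsmith src=203.0.113.45 result=FAIL
2023-10-27T22:01:04Z vpn-gw auth user=mjones src=203.0.113.45 result=FAIL
2023-10-27T22:01:05Z vpn-gw auth user=kpatel src=203.0.113.45 result=FAIL
2023-10-27T22:01:06Z vpn-gw auth user=rlee src=203.0.113.45 result=FAIL
2023-10-27T22:01:07Z vpn-gw auth user=aturner src=203.0.113.45 result=FAIL
2023-10-27T22:01:09Z vpn-gw auth user=bclark src=203.0.113.45 result=SUCCESS
2023-10-27T22:05:00Z vpn-gw auth user=jsmith src=198.51.100.7 result=FAIL
2023-10-27T22:05:30Z vpn-gw auth user=jsmith src=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, user, src, result) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"], m["result"]))
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Return ({src: sorted distinct failed usernames}, [(user, src)]) where the dict holds
    sources that failed against >= min_users distinct accounts within `window`, and the list
    holds successful logins from those sources (likely compromised accounts)."""
    fails = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    sprayers = {}
    for src, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window anchored at each failure
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_users:
                sprayers[src] = sorted(users)
                break
    hits = [(u, s) for _, u, s, r in events if r == "SUCCESS" and s in sprayers]
    return sprayers, hits
```

The second source (198.51.100.7) is a single user retrying a password and is not flagged; an MFA requirement on the endpoint would turn the flagged success into a blocked attempt rather than an intrusion.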