Rhysida, Not Novel but Still Dangerous: DNS Revelations | WhoisXML API

Threat Reports

Rhysida, Not Novel but Still Dangerous: DNS Revelations

Rhysida is a relatively new ransomware family that has reportedly been targeting organizations since August 2023. An in-depth analysis of the malware found that, although it brings no new or especially advanced capabilities, it is just as effective as more sophisticated families at holding victims' data hostage.[1]

Rhysida was most recently observed targeting healthcare and government organizations in the U.S., and its operators have also gone after the Chilean army.

A total of 53 indicators of compromise (IoCs) related to Rhysida ransomware attacks have been made public.[2] To uncover connected artifacts that have not yet been identified as IoCs, the WhoisXML API research team pivoted on those IoCs through DNS data and found:

  • 60 IP addresses to which 47 of the IoC domains resolved; eight of these IP addresses are already detected as malicious based on a malware check
  • 1,461 domains hosted on 44 dedicated IP addresses (addresses hosting only a small number of domains, which makes the co-hosted domains more likely to belong to the same operator) that could be part of Rhysida's connected infrastructure; three of these domains turned out to be malicious based on a bulk malware check
  • 11,774 domains containing text strings found in some of the IoCs, 19 of which are already classified as malicious based on a bulk malware check
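The three pivots above (IoC domain to IP, dedicated IP to co-hosted domains, and IoC string to look-alike domains) are a standard IoC-expansion workflow. The following Python script is an added worked example, not WhoisXML API's tooling or data: it runs the same three pivots over a constructed passive-DNS snapshot. Every domain, address, IoC string ("rhyz") and malware verdict in it is a placeholder drawn from reserved ranges (RFC 2606 names, RFC 5737 addresses), and the "dedicated IP" threshold of five tenants is an assumption, not the threshold the research team used.

```python
"""IoC expansion through DNS pivots (added example, constructed data only).

Placeholders: RFC 2606 names, RFC 5737 addresses, invented verdicts.
None of these are real Rhysida indicators.
"""
from collections import defaultdict

# Constructed passive-DNS snapshot: domain -> set of IPv4 addresses it resolved to.
PDNS = {
    "rhyz-portal.example":  {"192.0.2.10", "192.0.2.11"},
    "rhyz-drop.example":    {"192.0.2.10"},
    "paycheck-now.example": {"203.0.113.5"},
    "dead-ioc.example":     set(),             # IoC with no resolution on record
    "bulk-upload.example":  {"198.51.100.7"},  # IoC sitting on a busy shared host
    "cohost-a.example":     {"192.0.2.10"},
    "cohost-b.example":     {"192.0.2.11"},
    "cohost-c.example":     {"203.0.113.5"},
    "rhyz-update.example":  {"198.51.100.9"},  # shares a string with an IoC, no IP overlap
}
# Pad the shared host with many unrelated tenants so it is NOT "dedicated".
for i in range(40):
    PDNS[f"tenant-{i}.example"] = {"198.51.100.7"}

# Constructed IoC list (placeholder domains, not the published Rhysida IoCs).
IOCS = ["rhyz-portal.example", "rhyz-drop.example", "paycheck-now.example",
        "dead-ioc.example", "bulk-upload.example"]

# Constructed stand-in for a bulk malware check: artifact -> flagged?
VERDICTS = {"192.0.2.10": True, "cohost-c.example": True, "rhyz-update.example": True}


def resolve_iocs(iocs, pdns):
    """Pivot 1: return (IPs the IoC domains resolved to, IoCs that resolved)."""
    ips, resolved = set(), []
    for domain in iocs:
        addrs = pdns.get(domain, set())
        if addrs:
            resolved.append(domain)
            ips |= addrs
    return ips, resolved


def reverse_index(pdns):
    """Build IP -> set of domains seen on it (a reverse-IP lookup table)."""
    rev = defaultdict(set)
    for domain, addrs in pdns.items():
        for ip in addrs:
            rev[ip].add(domain)
    return rev


def dedicated_ips(ips, rev, max_tenants=5):
    """Keep only IPs hosting at most max_tenants domains (assumed threshold).

    A shared host with thousands of tenants would drag in unrelated domains,
    so co-hosting is only treated as a signal on low-tenancy addresses.
    """
    return {ip for ip in ips if len(rev.get(ip, ())) <= max_tenants}


def cohosted_domains(ips, rev, iocs):
    """Pivot 2: domains sharing a dedicated IP with an IoC, minus the IoCs themselves."""
    known = set(iocs)
    return {d for ip in ips for d in rev.get(ip, ()) if d not in known}


def string_pivot(strings, candidates, iocs):
    """Pivot 3: domains containing any IoC-derived substring, minus the IoCs."""
    known = set(iocs)
    return {d for d in candidates if d not in known and any(s in d for s in strings)}


def flagged(artifacts, verdicts):
    """Artifacts the (constructed) bulk malware check marks as malicious."""
    return sorted(a for a in artifacts if verdicts.get(a, False))


def expand(iocs, pdns, verdicts, strings, max_tenants=5):
    """Run all three pivots and summarise, mirroring the report's three bullets."""
    rev = reverse_index(pdns)
    ips, resolved = resolve_iocs(iocs, pdns)
    dedicated = dedicated_ips(ips, rev, max_tenants)
    cohosted = cohosted_domains(dedicated, rev, iocs)
    matches = string_pivot(strings, pdns.keys(), iocs)
    return {
        "resolved_iocs": len(resolved),
        "ips": sorted(ips),
        "ips_flagged": flagged(ips, verdicts),
        "dedicated_ips": sorted(dedicated),
        "cohosted": sorted(cohosted),
        "cohosted_flagged": flagged(cohosted, verdicts),
        "string_matches": sorted(matches),
        "string_flagged": flagged(matches, verdicts),
    }


if __name__ == "__main__":
    for key, value in expand(IOCS, PDNS, VERDICTS, ["rhyz"]).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should carry over from the report's own numbers: the string pivot is the noisiest of the three (19 malicious domains among 11,774 matches is well under one percent), so string matches are leads for further enrichment rather than blocklist entries, and co-hosting is only meaningful on low-tenancy addresses, which is why the busy shared host above is deliberately excluded even though an IoC resolves to it.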

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

[1] https://www.tripwire.com/state-of-security/rhysida-ransomware-what-you-need-know

[2] https://otx.alienvault.com/pulse/64f456a083a949def8dbe2a1
