Widely attributedUnknown
Rhysida
Ransomware-as-a-service group with links to Vice Society activity, known for attacks on healthcare and education sectors including the British Library. Operates double extortion model.
Attribution signal
?Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.≥ 10 High≥ 3 Moderate< 3 Low0.8
Low signal strength
Mentions2
Sources2
High conf.0
Last seenMay 2026
First observed
—
Last active
—
Origin
—
Aliases
3
Techniques
0
Campaigns
0
TargetsHealthcareEducationGovernment
RegionsGlobal
Attribution signals
2 mentions · 2 sources#1we assess with moderate confidencemoderate
InfrastructureMalware
cisco-talos
May 2026
"we attribute this activity with moderate confidence to Rhysida based on observed infrastructure that is associated with Rhysida activity and the use of Gootloader, which is commonly leveraged in Rhysida attacks during initial access."
#2unspecified
Malware
cyberscoop
May 2026
Hedge terms observed
we assess with moderate confidence