Day 35 of 100 in the 100 Days of Cyber Challenge
One of the most prominent emerging Ransomware as a Service (RaaS) threats is the Rhysida group. According to a joint advisory from CISA and the FBI, the group has been active since May 2023 and targets healthcare, government, education, manufacturing, and IT.
The most recent attack of significance happened in September 2025 and affected the Maryland Department of Transportation (MDOT) and its Maryland Transit Administration (MTA). Rhysida claimed to have stolen data including driver's license data, Social Security numbers, passport information and other sensitive records.
In response, MDOT/MTA recommended basic cybersecurity best practices: using MFA, not clicking on suspicious links, keeping software updated, and using stronger passwords.
Other recent attacks include one against the Philadelphia workers' comp/personal injury law firm Larry Pitt & Associates (19 December 2025) and another against the Spanish radio station KISS FM in November 2025.
According to Trend Micro, Rhysida uses double extortion: it exfiltrates data before encrypting it, then threatens to publish the stolen data if the ransom is not paid.
The intrusion follows several stages. It starts with initial access, typically a phishing campaign (the CISA/FBI advisory also notes logins to external-facing VPNs that were not protected by MFA), then moves to internal reconnaissance and privilege escalation, and finishes with data exfiltration followed by deployment of the ransomware.
BlackFog rates Rhysida as one of the top RaaS threats of 2025 and explains that its strategy is relatively simple: it takes advantage of common, well-known weaknesses rather than novel exploits. The BlackFog report is a good summary of the group and of the actions defenders should take. Equally good is a report from Huntress, which believes the group is tied to Russia and may have the support of the Russian government.
If Rhysida could be compared to a football team, it would be like a team that runs the ball up the middle a lot and gets 200 yards rushing a game: not the most sophisticated playbook, but effective.
If there is one alarming finding from analyzing Rhysida, it is that organizations are doing a poor job of training employees in basic cybersecurity hygiene. The fact that basic measures are the recommended response suggests that Rhysida attacks are largely preventable, so the first step is to find out why that hygiene is missing.
Is it that training exists but is not getting through to most employees, or is there no training at all, perhaps because organizations take a "well, it hasn't happened to me" approach to security?
Had MDOT/MTA and other victims applied these basic security controls earlier, it is less likely that Rhysida would rank among the top RaaS threats of 2025.