Rhysida Ransomware Used In Attack On The Chilean Army

The threat actors behind Rhysida, one of the newest ransomware kids on the block, have announced they will leak documents belonging to the Chilean Army. This comes after the Army confirmed that systems were impacted in a security incident detected over the weekend on May 27, 2023.

Chilean cybersecurity firm CronUp provided further information regarding the attack and noted that the network was isolated following the breach, with military security experts starting the recovery process of affected systems around May 29, 2023.

Further, the incident has been reported to Chile's Computer Security Incident Response Team (CSIRT) of the Joint Chiefs of Staff and the Ministry of National Defense.

Only a few days later, there was to be an interesting revelation. Local media reported that an Army corporal was arrested and charged for his involvement in the ransomware attack.

As it stands, Rhysida claims to have released approximately 30% of the data stolen from the Army, which according to CronUp security researcher Germán Fernández amounts to approximately 360,000 Chilean Army documents, as reported in Bleeping Computer's article.

Only a few days before the attack on the Chilean Army, Rhysida was discovered by MalwareHunterTeam. Subsequent research by SentinelOne revealed that the threat actors behind the ransomware consider themselves a "cybersecurity team" who are doing their victims a favor by targeting their systems, thus highlighting the supposed potential ramifications of the involved security issues.

This is all done at a cost, of course: the victim's data is encrypted, and the victim must then deal with extortion attempts that threaten to release, and do release, stolen data.

So not only does their service reveal security flaws, it facilitates the paying of a ransom which in itself funds crime, and the victim will have to pay further recovery costs down the line. In summary, this fallacy of being a security team is far less noble than they make it out to be.

SentinelOne researchers determined that the primary deployment methods include phishing campaigns and Cobalt Strike, a penetration testing tool favored by malware developers for its ability to drop beacons that facilitate the dropping of ransomware on a compromised machine.

Other deployment options remain available to the developers, including using frameworks similar to Cobalt Strike. Researchers further noted,

Analyzed samples of Rhysida ransomware indicate that the group is in the early stages of the development cycle. The payloads are missing many commodity features, such as VSS removal, that are synonymous with present-day ransomware. This said, the group threatens victims with public distribution of the exfiltrated data, bringing them in line with modern-day multi-extortion groups.


When launched, Rhysida will display a cmd.exe window as it traverses all files on all local drives. Victims are instructed to contact the attackers via their TOR-based portal, utilizing their unique identifier provided in the ransom notes. Rhysida accepts payment in BTC (Bitcoin) only and provides victims with information on the purchase and use of BTC on the victim portal. Upon providing their unique ID to the payment portal, an additional form is provided allowing victims to provide more information to the attackers for authentication and contact detail purposes.

The Threat Posed from Inside Organisations

There is often a misconception that ransomware attacks are made by hackers wearing hoodies and masks and sitting in dark basements. The reality is that not all attacks, if any, are facilitated by these shadowy figments of our imagination.

Ransomware operations have evolved to include sophisticated networks of developers, affiliates, and those that specialize in gaining access to corporate networks, referred to as initial access brokers.

All get a piece of the pie when it comes to earnings generated from specific attacks. In this regard, initial access brokers have grown in popularity as they will have inside knowledge on how best to breach a target's defenses; this dramatically improves the chances of carrying out a successful attack where data is both exfiltrated and encrypted.

Unfortunately, these are often disgruntled employees of the victim or employees just wanting to make a quick buck. This is something ransomware admins are willing to pay top dollar for, as shown in this post by LockBit 2.0 admins on an underground hacker forum:

Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company…You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leak.

In the above case involving the Chilean Army, where a corporal was arrested and charged for their suspected involvement, it might be that Rhysida developers or admins are looking for disgruntled employees so that they can take advantage of having an agent on the inside, as it were.

Other scammers, including those running business email compromise scams, also favor such tactics. It should be noted that it is easier to bring an employee involved in such attacks to justice than the scammer, who is often in a country where extradition is difficult or impossible.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
