Back to Intelligence

Rhysida Ransomware: Cookeville Medical Center Breach Detection and Containment

SA
Security Arsenal Team
April 17, 2026
6 min read

On October 21, 2025, Cookeville Regional Medical Center (CRMC) in Tennessee disclosed a significant cybersecurity incident impacting over 337,000 patients. The attack, identified as a Rhysida ransomware operation, occurred in July 2025 and resulted in the encryption of critical systems and the exfiltration of sensitive Protected Health Information (PHI).

For healthcare defenders, this breach is a stark reminder of the "double-extortion" model employed by actors like Rhysida. It is not merely about business continuity; it is a life-safety issue involving patient data integrity. This analysis breaks down the Rhysida TTPs (Tactics, Techniques, and Procedures) relevant to this incident and provides actionable detection and remediation guidance to secure healthcare environments.

Technical Analysis

Threat Actor: Rhysida (aka Storm-0176) Attack Type: Double-extortion Ransomware (AES-256 encryption + Data Exfiltration) Sector: Healthcare (HIPAA Regulated Entity)

Attack Chain and Mechanics

Based on the known behavior of the Rhysida group and the details of the CRMC incident, the attack lifecycle follows a predictable pattern that defenders must be able to identify at multiple stages:

  1. Initial Access: While the specific vector for CRMC was not fully detailed in the disclosure, Rhysida historically leverages:

    • External Facing Vulnerabilities: Exploitation of unpatched VPN appliances (e.g., Citrix NetScaler/ADC CVE-2023-4966 or Fortinet FortiOS CVE-2024-21762).
    • Phishing: Credential harvesting via malicious ISO attachments.

  2. Execution & Persistence: Upon gaining access, Rhysida operators typically deploy legitimate administrative tools (like PowerShell or remote management software) for discovery. They often utilize PsExec or WMI for lateral movement.

  3. Exfiltration: Prior to encryption, data is staged and exfiltrated using tools like Rclone or Mega.io. This is the critical leverage point for the "double-extortion" tactic.

  4. Encryption: The payload, often a 64-bit Windows executable or a PowerShell script, encrypts files using AES-256.

    • File Extension: Encrypted files are appended with the .rhysida extension.
    • Ransom Note: The threat actor drops a ransom note typically named CriticalBreach.htm in every directory containing encrypted files. This note contains the link to the Tor negotiation site.

Exploitation Status

Active exploitation by Rhysida is currently widespread across critical infrastructure. This is not a theoretical threat; it is an active campaign targeting healthcare entities specifically due to the high value of PHI and the operational pressure to restore services.

Detection & Response

The following detection rules focus on the unique artifacts of the Rhysida payload: the .rhysida file extension and the specific CriticalBreach.htm ransom note. While general "ransomware" rules exist, these high-fidelity indicators reduce noise and confirm the specific actor involvement.

Sigma Rules

YAML
---
title: Rhysida Ransomware - CriticalBreach.htm Note Creation
id: 9c1e8f7d-a2b4-4c8d-9e1f-3a5b6c7d8e9f
status: experimental
description: Detects the creation of the specific HTML ransom note used by Rhysida ransomware, indicating active encryption operations.
references:
  - https://www.infosecurity-magazine.com/news/cookeville-medical-center-data/
author: Security Arsenal
date: 2025/10/22
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_creation
  product: windows
detection:
  selection:
    TargetFilename|contains: '\CriticalBreach.htm'
  condition: selection
falsepositives:
  - Unlikely (Filename is specific to the threat actor)
level: critical
---
title: Rhysida Ransomware - File Extension Encryption
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects rapid file renaming or creation of files with the .rhysida extension, a signature of the Rhysida encryption process.
references:
  - https://www.infosecurity-magazine.com/news/cookeville-medical-center-data/
author: Security Arsenal
date: 2025/10/22
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|endswith: '.rhysida'
  condition: selection
falsepositives:
  - Rare, potential false positive if legitimate software uses this extension
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Rhysida Ransom Notes and Encrypted Files
// Look for the creation of the specific ransom note
DeviceFileEvents
| where FolderPath endswith @"\CriticalBreach.htm" or FileName == "CriticalBreach.htm"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ActionType
| union (
    DeviceFileEvents
    // Look for mass file renames to .rhysida extension
    | where FileName endswith ".rhysida"
    | summarize count() by DeviceName, bin(Timestamp, 1m)
    | where count_ > 10 // Heuristic for mass encryption
    | join kind=inner (DeviceFileEvents | where FileName endswith ".rhysida") on DeviceName, Timestamp
    | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName
)
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Rhysida Ransom Note and Encrypted Artifacts
SELECT 
    OSPath, 
    Mtime, 
    Atime, 
    Size, 
    Mode 
FROM glob(globs="*/CriticalBreach.htm")
UNION
SELECT 
    OSPath, 
    Mtime, 
    Size 
FROM glob(globs="*/*.rhysida")
LIMIT 100

Remediation Script (PowerShell)

This script assists in identifying the scope of a Rhysida infection by locating the ransom notes and counting encrypted files on an endpoint. Note: In a live incident, isolation of the host takes precedence over running scripts.

PowerShell
<#
.SYNOPSIS
    Rhysida Ransomware Indicator Hunter
.DESCRIPTION
    Scans drives for 'CriticalBreach.htm' and files ending in .rhysida to assess impact.
#>

Write-Host "[+] Starting Rhysida Indicator Scan..." -ForegroundColor Cyan

$RansomNoteCount = 0
$EncryptedFileCount = 0
$Report = @()

# Scan for Ransom Notes
Write-Host "[*] Scanning for CriticalBreach.htm..." -ForegroundColor Yellow
$Notes = Get-ChildItem -Path C:\ -Recurse -Filter "CriticalBreach.htm" -ErrorAction SilentlyContinue
foreach ($Note in $Notes) {
    $RansomNoteCount++
    $Report += [PSCustomObject]@{
        Type      = "RansomNote"
        Path      = $Note.FullName
        Size      = "{0:N2} KB" -f ($Note.Length / 1KB)
        Timestamp = $Note.LastWriteTime
    }
}

# Scan for Encrypted Files (Limit to first 100 found per drive for speed)
Write-Host "[*] Sampling for .rhysida encrypted files..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    $Files = Get-ChildItem -Path $Drive -Recurse -Filter "*.rhysida" -ErrorAction SilentlyContinue | Select-Object -First 100
    foreach ($File in $Files) {
        $EncryptedFileCount++
        $Report += [PSCustomObject]@{
            Type      = "EncryptedFile"
            Path      = $File.FullName
            Size      = "{0:N2} KB" -f ($File.Length / 1KB)
            Timestamp = $File.LastWriteTime
        }
    }
}

# Output Results
Write-Host "\n[+] Scan Complete." -ForegroundColor Green
Write-Host "    Ransom Notes Found: $RansomNoteCount" -ForegroundColor Red
Write-Host "    Encrypted Files Found (Sampled): $EncryptedFileCount" -ForegroundColor Red

if ($Report.Count -gt 0) {
    $OutputPath = "$env:TEMP\Rhysida_Scan_$(Get-Date -Format 'yyyyMMddHHmmss').csv"
    $Report | Export-Csv -Path $OutputPath -NoTypeInformation
    Write-Host "[+] Report saved to: $OutputPath" -ForegroundColor Cyan
} else {
    Write-Host "[!] No Rhysida indicators found." -ForegroundColor Green
}

Remediation

Immediate Actions:

  1. Isolation: If active encryption is detected, immediately disconnect the host from the network (pull Ethernet/disable Wi-Fi) to prevent lateral movement to other clinical systems.
  2. Preservation: Capture a full memory image of the affected endpoint(s) before rebooting or powering off to retain cryptographic keys in memory if possible.

Strategic Hardening:

  1. Patch External Perimeters: Given Rhysida's history, ensure all VPNs (Citrix, Fortinet, Pulse Secure) and firewall interfaces are patched against the latest critical CVEs.
  2. Disable Unused RDP: Close RDP ports (3389) from the internet. Require VPN for all remote access.
  3. MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all remote access and administrative accounts.
  4. Offline Backups: Verify that backups are immutable and offline. Rhysida often attempts to delete or encrypt backups.

Official Resources:

  • CISA KEV Catalog: Review for active exploitation of VPN vulnerabilities.
  • HHS Health Sector Cybersecurity Coordination Center (HC3): Review specific advisories for Rhysida.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirrhysidahealthcarephi-breach

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action