By |Last Updated: December 10th, 2025|8 min read|Categories: Breach, Cybersecurity, Ransomware|

Rhysida ransomware is having a very active 2025. U.S. organizations across healthcare, finance, and manufacturing are showing up on its ransomware leak site at a steady pace. The pattern is consistent: steal data first, encrypt later, then threaten to publish if the victim won’t pay.

This double extortion ransomware model keeps working for them because too many environments still have soft spots in patching, identity controls, and backup resilience. Below is what we know from the latest incidents, plus a practical, CISA-aligned mitigation blueprint for U.S. security teams.

Breaking: Florida Hand Center Hit By Rhysida In July 2025

On July 8, 2025, Florida Hand Center, serving Punta Gorda, Port Charlotte, and Fort Myers, became the latest U.S. healthcare victim to face Rhysida’s data exfiltration campaign. The group posted the clinic on its ransomware leak site and claimed it had already stolen sensitive files.

Reporting indicates the leaked trove includes medical images, insurance forms, and identity documents like driver’s licenses. Rhysida ransomware also set a tight seven-day window before full publication, a pressure tactic it uses frequently to force quick payment decisions.

For healthcare organizations, this is worst-case exposure: protected health information (PHI) combined with personal identifiers.

Even if systems are restored, the stolen data creates long-tail risk for patients and staff, including insurance fraud, identity theft, and future targeted phishing. With HIPAA penalties and state breach laws in play, the Florida Hand Center incident shows us that ransomware prevention must be treated as patient-safety infrastructure, and not just IT hygiene.

Fresh Targets: Best Collateral, MDB & Trans-Tex Under Siege

Rhysida Ransomware infographic

Based on everything we know, Florida Hand Center wasn’t an outlier. Rhysida has kept widening its U.S. target list in 2025:

Best Collateral (March 2025)

A U.S. financial services firm disclosed an attack on March 5–6, 2025. Open reporting suggests Rhysida leveraged unpatched vulnerabilities, deployed Cobalt Strike, then moved into its typical double extortion flow.

MDB (April 2025)

Another U.S. organization was added to Rhysida ransomware’s leak site after a breach discovered around April 26–28, 2025. The group claimed stolen corporate data and used the same quick-deadline intimidation play.

Trans-Tex (Aug/Sep 2025)

A printing and manufacturing company in Cranston, Rhode Island, appeared on the ransomware leak site with Rhysida claiming to have exfiltrated sensitive operational and commercial files.

What U.S. Sectors Are at Risk: CISA Updates & Scope

The CISA #StopRansomware advisory on Rhysida was updated on April 30, 2025, adding fresh indicators of compromise (IOCs) and removing stale ones. The advisory states Rhysida remains a ransomware-as-a-service (RaaS) operation that hits targets of opportunity across:

  • healthcare and public health
  • education
  • manufacturing
  • information technology
  • government and public services

Real-world 2025 reporting backs that up. Rhysida has continued hammering U.S. healthcare organizations, including earlier breach disclosures tied to Sunflower Medical Group and Community Care Alliance, where attackers stole combinations of SSNs, driver’s licenses, medical data, and internal documents.

For U.S. leaders, the risks stack fast:

  • Operational disruption (downtime, rescheduled care, halted production)
  • Data leak exposure through the ransomware leak site
  • Compliance issues under HIPAA, state data breach laws, and sector regulations
  • Litigation and reputational damage that often outlasts the technical recovery

Rhysida’s Playbook: Evolving Tactics From 2025 Attacks

Rhysida’s core playbook is stable, but its initial access methods are changing in 2025.

  1. Double extortion first, encryption second:
    They routinely exfiltrate data before detonation, then threaten public release if negotiations fail. That includes showcasing samples on their leak site to prove value.
  2. Cleaner initial access tooling:
    A big trend is the use of CleanUpLoader malware (also known as OysterLoader/Broomstick) delivered through malvertising and fake software downloads. Researchers have tied these campaigns directly to Rhysida operators.
  3. Trusted-looking lures:
    Recent campaigns abuse fake ads for Microsoft Teams and tools like PuTTY, often wrapped in signed code to look legitimate. That helps CleanUpLoader malware slip past lighter endpoint controls.
  4. Classic post-access tradecraft:
    Once inside, Rhysida ransomware affiliates commonly use:
      • Cobalt Strike for command-and-control and lateral movement.
      • Compromised VPN credentials, often where MFA is missing.
      • Living-off-the-land tools like PowerShell and RDP.

The primary takeaway is that Rhysida does not need exotic zero-days to succeed. They win by chaining everyday vulnerabilities together.

Data Leaks, Service Disruptions & Compliance Risks

The business cost is now predictable:

  1. Healthcare – Florida Hand Center’s leak of PHI and identity data threatens patient trust, triggers HIPAA reporting obligations, and risks class action claims if impact grows.
  2. Finance – Best Collateral must manage regulatory scrutiny, plus the reputational damage of client data appearing on a leak site.
  3. Manufacturing/Print – Trans-Tex and MDB face potential IP exposure and supply-chain disruption. For industrial organizations, even short outages can mean missed contracts and downstream partner impact.

Even when encryption is contained, the data leak often becomes the real crisis. Once stolen, it can be resold, re-leaked, or used for further intrusions.

Real-Time Defense: A U.S.-Focused Mitigation Blueprint

Here’s the practical playbook that maps to current Rhysida TTPs and CISA guidance:

1. Hunt for known Rhysida access paths

  • Pull the April 30, 2025, CISA IOC refresh and update detection rules now.
  • Monitor for CleanUpLoader/OysterLoader malware behaviors and related C2 infrastructure.

2. Reduce initial access risk

  • Patch external-facing systems fast. Prioritize VPNs, web apps, and remote management tools.
  • Enforce MFA everywhere, especially for VPN and admin consoles. CISA identifies credential-based access as a Rhysida staple.
  • Block malvertising lures with DNS filtering and browser security controls.

3. Limit blast radius

  • Deploy or tune EDR/endpoint security to detect Cobalt Strike, suspicious PowerShell, and credential dumping.
  • Segment networks so workstation compromise can’t jump to servers or backups.
  • Use least-privilege admin models and rotate privileged credentials.

4. Make extortion fail

  • Maintain offline/immutable backups. Test restore speed, not just backup success.
  • Add backup access controls so ransomware can’t encrypt backups too.
  • Rehearse a breach response plan with legal and comms teams to meet HIPAA and state notification deadlines.

5. Train for the real lure

  • Run phishing and fake download drills. Teach staff to avoid search-ad installers and to use verified vendor links.
  • Lock down application installs to approved sources only.
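As an added example that is not from the original post or from BlackFog, here is a minimal volume-based egress check of the kind the "hunt" and "limit blast radius" steps above call for: it parses constructed flow records (hypothetical hosts and addresses), sums the bytes each internal host pushes to destinations outside an assumed RFC 1918 address space, and flags hosts over a threshold, which is the pre-encryption exfiltration signal the blueprint is built around.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample egress flow records (hypothetical, not real telemetry).
SAMPLE_FLOWS = """\
2025-07-08T02:11:04Z src=10.20.5.17 dst=10.20.1.9 bytes_out=48210
2025-07-08T02:12:31Z src=10.20.5.17 dst=203.0.113.45 bytes_out=734003200
2025-07-08T02:19:58Z src=10.20.5.17 dst=203.0.113.45 bytes_out=512000000
2025-07-08T02:13:07Z src=10.20.5.22 dst=198.51.100.7 bytes_out=1204
2025-07-08T02:14:40Z src=10.20.5.22 dst=192.0.2.10 bytes_out=9822
2025-07-08T02:15:02Z src=10.20.5.31 dst=203.0.113.45 bytes_out=2048
"""

# Assumption: the organisation's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FLOW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")

def parse_flows(text):
    """Parse key=value flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])})
    return flows

def is_internal(ip_str):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)

def find_exfil_candidates(flows, byte_threshold=500 * 1024 * 1024):
    """Sum bytes each internal host sent to external destinations and return
    {src: {"bytes": total, "dsts": [...]}} for hosts at or above the threshold."""
    totals = defaultdict(int)
    dsts = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
            dsts[f["src"]].add(f["dst"])
    return {src: {"bytes": total, "dsts": sorted(dsts[src])}
            for src, total in totals.items() if total >= byte_threshold}

if __name__ == "__main__":
    for src, info in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {info['bytes']} bytes to external hosts {info['dsts']}")
```

A fixed threshold is only a starting point; in production compare each host against its own historical baseline and time window, and feed hits to the IOC matching from the CISA refresh.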

Also Read: Data Exfiltration Detection – Best Practices and Tools.

Rhysida’s Escalating Threat in 2025 and Beyond

Rhysida ransomware has moved from a healthcare-heavy campaign to a broader U.S. cross-sector run in 2025. Its combination of CleanUpLoader initial access, Cobalt Strike post-exploitation, and aggressive leak site pressure is proving efficient.

If your organization hasn’t appeared on Rhysida’s leak page yet, don’t assume you’re safe. Treat this as a live, opportunistic RaaS threat and assume the pre-encryption window is where you either win or lose.

This is also why stopping exfiltration is now non-negotiable, and where BlackFog ADX fits naturally as a final layer, detecting and blocking unauthorized data movement in real time so Rhysida can’t gain the double extortion leverage it relies on.

Additional Reading

Healthcare Ransomware Attacks: How to Prevent and Respond Effectively.
