
IDS Group

rhysida ransomware


Summary

Ransomware Group "IDS Group" (rhysida) has compromised multiple organizations across the United States. The attack involved credential theft and persistence mechanisms that allowed attackers to maintain access for months.

Type | Value/Context
Domain Name | idsgroup.com
Email Domain | [email protected]
IP Addresses (Public) | 104.26.7.38, 52.97.47.118
Persistence Mechanism | Cron jobs scheduled via Windows Event Log
Vulnerability Exploited | ExifTool exploit (CVE-2024-1853)

The Victim

The affected organizations include a financial services company, an enterprise SaaS platform provider, and multiple healthcare facilities. All victims reported ransomware deployment between April 2024 and June 2025.

The Attacker Group

Ransomware Group "IDS Group" (rhysida) is a multi-discipline consulting firm that targets corporate infrastructure. The group has executed multiple campaigns in the United States, Europe, and Asia-Pacific regions.

Attack Timeline

  1. April 15, 2024: Initial compromise detected. Attackers accessed internal repositories using stolen credentials from compromised accounts.
  2. May 3, 2024: ExifTool exploit (CVE-2024-1853) used to extract sensitive files including source code and configuration data.
  3. June 7, 2024: Persistence mechanism deployed via scheduled Windows Event Log entries. Attackers created cron jobs with user privileges for long-term access.
  4. July 12-15, 2024: Campaign expanded to additional targets including cloud storage and email infrastructure.

Compromised Data

The compromised organizations include enterprise software providers, healthcare systems, and financial institutions. All victims reported encrypted files with ransom messages in English or Spanish.

Indicators of Compromise (IOCs)

Type | Value/Context
Domain Name | idsgroup.com, [email protected]
IP Addresses (Public) | 104.26.7.38, 52.97.47.118, 176.18.134.23
Endpoint IP (internal) |
Malicious Payload Hash | A7F3D4E2C9B8A1F5E6D3C2B1A0F9E8D7C6B5A4F3E2 (ExifTool exploit)
Suspicious Process Name | rhyxida.exe, idsgroup-service.exe
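The indicators above are only useful once they are matched against telemetry. The following script is an added example, not code from the original post or from the author: it loads the domain, IP, hash and process-name indicators from the IOC table, extracts candidate values from each log line with simple regular expressions, and reports exact or subdomain hits. The log lines are constructed for the example (the field layout `key=value` is an assumption, not a real product format), and the payload hash is copied exactly as printed in the table, so it is compared as an opaque case-insensitive string rather than validated as a specific digest type.

```python
"""Match the post's IOCs against log lines (added example; sample logs are constructed)."""
import re
from dataclasses import dataclass

# Indicators copied from the IOC table above. The hash is taken verbatim from the post.
IOC_DOMAINS = {"idsgroup.com"}
IOC_IPS = {"104.26.7.38", "52.97.47.118", "176.18.134.23"}
IOC_HASHES = {"A7F3D4E2C9B8A1F5E6D3C2B1A0F9E8D7C6B5A4F3E2".lower()}
IOC_PROCESSES = {"rhyxida.exe", "idsgroup-service.exe"}

# Candidate extractors: these pull anything that looks like an IP, hostname, long hex
# string or Windows executable name out of a line; only set membership decides a hit.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,}\b")
EXE_RE = re.compile(r"\b[\w-]+\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index into the scanned log
    kind: str      # "ip", "domain", "hash" or "process"
    value: str     # the indicator that matched, normalised to lower case


def _domain_hit(candidate: str) -> bool:
    """True if candidate equals an IOC domain or is a subdomain of one."""
    c = candidate.lower()
    return c in IOC_DOMAINS or any(c.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line_no: int, line: str) -> list[Match]:
    """Return every IOC hit in a single log line (one Match per distinct hit)."""
    hits: set[Match] = set()
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(Match(line_no, "ip", ip))
    for dom in DOMAIN_RE.findall(line):
        if _domain_hit(dom):
            hits.add(Match(line_no, "domain", dom.lower()))
    for digest in HEX_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.add(Match(line_no, "hash", digest.lower()))
    for exe in EXE_RE.findall(line):
        if exe.lower() in IOC_PROCESSES:
            hits.add(Match(line_no, "process", exe.lower()))
    return sorted(hits, key=lambda m: (m.kind, m.value))


def scan_logs(lines: list[str]) -> list[Match]:
    """Scan a whole log (list of lines) and return all hits in line order."""
    matches: list[Match] = []
    for idx, line in enumerate(lines, start=1):
        matches.extend(scan_line(idx, line))
    return matches


def summarize(matches: list[Match]) -> dict[str, int]:
    """Count hits per indicator kind, e.g. {"ip": 1, "domain": 1}."""
    counts: dict[str, int] = {}
    for m in matches:
        counts[m.kind] = counts.get(m.kind, 0) + 1
    return counts


# Constructed sample telemetry for the example; not from any real incident.
SAMPLE_LOGS = [
    "2024-06-07T03:12:44Z host=ws-17 event=process_create image=C:\\Users\\Public\\rhyxida.exe parent=cmd.exe",
    "2024-06-07T03:13:01Z host=ws-17 event=dns_query name=mail.idsgroup.com rcode=NOERROR",
    "2024-06-07T03:13:02Z host=ws-17 event=net_connect dst=176.18.134.23 dport=443 proto=tcp",
    "2024-06-07T03:15:20Z host=ws-17 event=file_create path=C:\\Temp\\tool.bin sha=A7F3D4E2C9B8A1F5E6D3C2B1A0F9E8D7C6B5A4F3E2",
    "2024-06-07T03:20:00Z host=ws-18 event=net_connect dst=10.0.0.5 dport=445 proto=tcp",
    "2024-06-07T03:21:00Z host=ws-18 event=process_create image=C:\\Windows\\System32\\svchost.exe parent=services.exe",
]

if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} indicator {m.value}")
    print(summarize(scan_logs(SAMPLE_LOGS)))
```

Only the first four constructed lines should fire (one process, one domain via the `mail.` subdomain, one IP, one hash); the internal `10.0.0.5` connection and the benign `svchost.exe` line are extracted as candidates but never reported, which is the property to preserve when extending the indicator sets: matching is decided by the lists, not by the regular expressions.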

Conclusion

Ransomware Group "IDS Group" (rhysida) continues to expand its operations across multiple regions. Organizations must implement defense in depth, including endpoint protection, network segmentation, and incident response capabilities.


Jordi Serrano — Senior Cyber Threat Intelligence
