Coming soon, Advanced, Pro

Rhysida Ransomware: Healthcare Network Intrusion

A Rhysida ransomware affiliate phishes a healthcare staff member's VPN credentials and exploits a stale MFA exemption to breach a regional medical center. Using a Cobalt Strike beacon and built-in Windows tools, the attacker extracts all domain credentials, exfiltrates patient records for double extortion, and deploys the encryptor estate-wide. Trace the kill chain from the first failed VPN login to the final ransom note.

1h 30m
7 tasks
150 points
Pro

Launches today

Jul 3, 2026

Friday, July 3, 2026 at 9:00 AM

Training Tools

SIEM, XDR, Firewall

What you'll investigate

7 objectives unlock when this operation goes live.

1. Establish the entry point
2. Attribute the first successful tunnel
3. Find the credential theft method
4. Locate the command-and-control channel
5. Track the data out
6. Name the privileged account used post-DC
7. Classify the pre-encryption disruption
