
Rhysida: The New Ransomware Group Behind British Library Cyberattack


This week the ransomware group Rhysida claimed responsibility for last month's attack on the British Library, in which personal data held by the library was stolen and subsequently put up for sale on the group's leak site.

While the name of the threat actor is new to the list, the tactic remains conventional. Ransomware gangs use malware to encrypt files on computers within an organisation, making their contents unreadable, and then demand payment, usually in Bitcoin, for the key to unlock them.

In recent years, however, "double extortion" has become the norm: most ransomware groups now also steal data before encrypting it and threaten to leak it online if the victim refuses to pay.

This week Rhysida posted low-resolution images of some of the personal data taken during the attack. On its leak site, the group threatened to sell the stolen information at a starting price of 20 bitcoin, or almost £590,000.

According to Rafe Pilling, director of threat research at cybersecurity firm Secureworks, this is “a classic example of a double extortion ransomware attack and they are using the threat of leaking or selling stolen data as leverage to extort a payment.”

While the British Library is the current high-profile victim of the ransomware gang, Rhysida has also notably attacked government institutions in Portugal, Chile and Kuwait. In August, the group also claimed responsibility for attacking the US hospital group Prospect Medical Holdings.

In light of these cases, US government agencies have released an advisory on Rhysida, stating that "threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors."

The advisory noted that the Rhysida gang runs a "ransomware as a service" (RaaS) operation, in which it leases its malware to affiliate threat actors and takes a share of any ransom proceeds.

Rhysida Ransomware Group

Although Rhysida's name is relatively new to the public, the US cybersecurity firm Secureworks says the operators behind it have been active since 2021. Secureworks tracks the group as Gold Victor and links it to the earlier Vice Society ransomware scheme.

While the Rhysida gang's precise identity is unknown, Pilling assumes it fits the pattern of comparable operators, who are typically based in Russia or elsewhere in the Commonwealth of Independent States, the grouping of former Soviet republics that includes Russia, Belarus and Kazakhstan.

“I would assume that they are probably Russian-speaking but we don’t have any hard evidence,” said Pilling.

The US agencies report that groups using Rhysida ransomware have gained initial access through virtual private networks (VPNs), which staff generally use to reach their employers' systems remotely. They have also used the well-known tactic of phishing, in which victims are duped, typically by email, into clicking a link that delivers malware or into handing over credentials such as passwords.

After gaining access, the gang typically lurks inside the network for a period, the so-called dwell time, before deploying its ransomware. According to Secureworks, this dwell time has shrunk significantly compared with 2022 and is now less than 24 hours for many cybercrime groups, which leaves defenders far less time to detect an intrusion before the encryption begins.

The US agencies further note that, like the rest of the criminal hacking community, Rhysida attackers demand payment in cryptocurrency. Ransomware gangs favour digital assets such as Bitcoin because they are decentralised, operating outside the traditional financial system and its routine checks. Although Bitcoin transactions are recorded on a public ledger, the addresses involved are pseudonymous, and the proceeds can be moved through mixers and exchanges, which makes the money harder to trace back to the criminals.

British Library Staff Passports Leaked Online, Hackers Demand £600,000 Ransom


Images of British Library staff passports have been leaked online following a ransomware attack, with the threat actors demanding a ransom of £600,000 (to be paid in Bitcoin) for the stolen documents.

The ransomware gang Rhysida has claimed responsibility for the attack. The group has listed the library as a victim on its darknet leak site, where it has published low-resolution snippets of the stolen information, and is offering to auction the remaining data to the highest bidder for 20 bitcoin, or about £600,000.

The attack has disrupted the library's operations for weeks. The stolen data includes images of passports and HMRC employment records.

In the darknet website, the listing for the British Library reads, “With just seven days on the clock, seize the opportunity to bid on exclusive, unique and impressive data. Open your wallets and be ready to buy exclusive data.”

The listing appeared on the site on Monday, with the group setting a payment deadline of 27 November.

Brett Callow, a threat analyst at Emsisoft, said the data "auction" was effectively a "continuation of the extortion attempt" by the gang.

British Library Cyber Attack

The cyberattack on the British Library began in late October and knocked large parts of the library's website and online systems offline.

Staff at the archive's St Pancras location have been compelled by the disruption to disable the public Wi-Fi and only accept cash payments for some transactions.

The British Library released the following statement on Monday: "We are aware that some data has been exposed, after confirmation last week that this was a ransomware attack. It looks like these are from our own HR records.”

“We have no evidence that data of our users has been compromised.”

The National Cyber Security Centre (NCSC), which is affiliated with GCHQ, and the Metropolitan Police are collaborating with the library to strengthen its IT infrastructure and carry out a forensic examination.

Sir Roly Keating, chief executive of the British Library, said: “We are immensely grateful to our many users and partners who have shown such patience and support as we work to analyse the impact of this criminal attack and identify what we need to do to restore our online systems in a safe and sustainable manner.”  

Rhysida Ransomware Group: Social Security Numbers, Passport Data Compromised in Recent Hospital Attack


On Thursday the Rhysida ransomware gang claimed responsibility for the recent cyberattack on Prospect Medical Holdings, according to a dark web listing reviewed by Axios.

The gang claims to have stolen more than 500,000 Social Security numbers, along with copies of employees' driving licences and passports and other legal and financial documents.

Prospect Medical Holdings, which operates 16 hospitals across four US states, confirmed that the ransomware attack began earlier this month and has disrupted its online operations since.

Several elective surgeries, outpatient appointments, blood drives and other services have been put on hold as a result of the attack.

According to a Prospect spokesperson, the company was unable to comment on the suspected data leak due to "the sensitivity of the incident and law enforcement involvement."

"Prospect Medical continues to work around-the-clock to recover critical systems and restore their integrity[…]We are making significant progress. Some operational systems have been fully restored and we are in the process of bringing others online," the spokesperson said. 

Rhysida Ransomware Group 

Rhysida listed Prospect as one of its victims on its dark web site this Thursday, claiming to have taken 1.3 terabytes of SQL data and 1 terabyte of "unique" files.

If the ransom is not paid, the group has threatened to publish the stolen data on its site.

In the listing, Rhysida says it will auction off "more than 500,000 SSNs, passports of their clients and employees, driver's licenses, patient files (profile, medical history), financial and legal documents!!!"

According to the listing, the auction closes in nine days, with a starting price of 50 bitcoin.

Rhysida first came to public attention in May, although government officials and cybersecurity professionals say they were already aware of the group from its attacks on critical infrastructure organisations in the preceding months.

The Department of Health and Human Services (HHS) has also published an advisory on the group, since Rhysida's primary targets have been organisations in the health and public health sector. The advisory notes that Rhysida's victims have also included firms in the education and manufacturing sectors.

HHS has advised organisations to patch known security flaws in their systems and to maintain data backups, kept separate from production systems, so that operations can be restored if those systems are taken offline. It also recommends phishing awareness training for employees.