Rhysida (hacker group)


Rhysida is a ransomware group that encrypts data on victims' computer systems and threatens to make it publicly available unless a ransom is paid.[1] The group operates its eponymous ransomware under a ransomware-as-a-service model, targets large organisations rather than making random attacks on individuals, and demands large sums of money to restore data.[2] The group perpetrated the notable 2023 British Library cyberattack[1] and the Insomniac Games data dump.[3] It has targeted many organisations, including some in the US healthcare sector, and the Chilean army.[4]


In November 2023, the US agencies Cybersecurity and Infrastructure Security Agency (CISA), FBI and MS-ISAC published an alert about the Rhysida ransomware and the actors behind it,[5] with information about the techniques the ransomware uses to infiltrate targets and its mode of operation.[6]

The group takes its name from the genus of centipedes, and uses a centipede logo.[4]

Attacks

Ransomware as a service

The US CISA report states:[6]

Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832) activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.

References

  1. Milmo, Dan (2023-11-24). "Rhysida, the new ransomware gang behind British Library cyber-attack". The Guardian. Retrieved 2023-12-23.
  2. Hollingworth, David (19 December 2023). "Snikt! Rhysida dumps more than a terabyte of Insomniac Games' internal data". www.cyberdaily.au. Retrieved 2023-12-23.
  3. Acres, Tom (2023-12-20). "Wolverine: What we know about the cyberattack that leaked one of PlayStation's most anticipated games". Sky News.
  4. Cluley, Graham (10 August 2023). "Rhysida ransomware – what you need to know". Tripwire.
  5. "CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware". Cybersecurity and Infrastructure Security Agency (CISA). 15 November 2023. Retrieved 2023-12-23.
  6. "#StopRansomware: Rhysida Ransomware". Cybersecurity and Infrastructure Security Agency (CISA). 15 November 2023. Alert Code AA23-319A. Retrieved 2023-12-23.
  7. "Insomniac: PlayStation studio 'angered' by ransomware hack". BBC News. 22 December 2023. Retrieved 2023-12-24.
  8. "Rhysida Ransomware Gang Strikes Again, Targets Chilean Army And Martinique". The Cyber Express. 12 June 2023. Retrieved 2023-12-25.
  9. Bush, Bill. "Hackers release reams of stolen Columbus data on dark web". The Columbus Dispatch. Retrieved 2024-08-10.
  10. "Sea-Tac cyberattack caused by global ransomware gang, Port says". The Seattle Times. 13 September 2024. Retrieved 2024-09-15.
  11. "Hackers appear to sell data stolen from Rutherford County Schools". WKRN News 2. 11 December 2024. Retrieved 2024-12-11.