Exclusive: eSentire Confirms Rhysida Ransomware Victims

The Rhysida Ransomware Group has escalated its attacks, targeting hospitals, power plants and schools across the UK, Europe and the Middle East.

In less than nine months since emerging in May 2023, the Rhysida group claims to have victimized 77 companies and public institutions, leaving a trail of destruction and disruption. Investigating the group’s activities, eSentire’s security research team, the Threat Response Unit (TRU), has validated the authenticity of the victims listed on Rhysida’s dark web leak site.

The recent targets of Rhysida’s attacks include critical infrastructure such as hospitals, schools, power plants and prestigious public institutions. Operating as a Ransomware-as-a-Service (RaaS) provider, Rhysida leases its tools and infrastructure to affiliates who share a portion of the ransom collected from victims.

Vice Society Connection

In a report shared exclusively with Infosecurity and published today, TRU said it identified striking similarities between Rhysida’s tactics, techniques and procedures (TTPs) and those of the Vice Society Ransomware Group, confirming earlier findings by Check Point Software.

Read more on those findings: Rhysida Ransomware Analysis Reveals Vice Society Connection

According to eSentire, Vice Society was notably active until May 2023, coinciding with the emergence of Rhysida. Vice Society had also targeted organizations in the education and healthcare sectors, reminiscent of Rhysida’s recent attacks.

One significant attack attributed to Vice Society was the crippling assault on the Los Angeles Unified School District (LAUSD) in September 2022. 

“The threat actors threatened to publish 500GB of data that they had stolen from the school district on their underground leak site if the LAUSD didn’t pay the ransom,” eSentire wrote.

“The school officials refused to pay the hackers, so they released the stolen data, which included Social Security numbers, financial information, health records and legal records belonging to the students.”

Impact and Modus Operandi

Rhysida employs double extortion tactics, demanding hefty ransoms from victims to regain access to their data and avoid the public exposure of stolen information. The recent attacks on institutions such as the British Library and King Edward VII’s Hospital have demonstrated the group’s brutality in targeting sensitive data, including personal information of employees and patients.

“Rhysida threat actors not only encrypted many of the library’s systems, they also stole 600 gigabytes of information from the library, including personal information relating to some of the library’s employees,” eSentire wrote.

“On or around November 20, the Rhysida threat actors began their seven-day auction, giving buyers a deadline for bids ending just before 0800 UTC on November 27. Their starting bid for the information was 20 Bitcoin, equaling approximately £590,000 [roughly $744,000].”

Mitigating Future Attacks

“It is very apparent that when the Rhysida threat actors break into an organization, they know exactly what information to go after,” said Keegan Keplinger, senior threat researcher with eSentire’s TRU. 

“They target some of the most valuable, sensitive data a company or public entity can possess. This is evident by the passports and other documents containing personally identifiable information (PII) they steal.”

In light of the escalating threat posed by Rhysida and similar ransomware groups, eSentire emphasizes the importance of robust security measures. 

Recommendations from eSentire’s latest report include regular backups of critical data, multi-factor authentication, network segmentation and user-awareness training to prevent phishing attacks.
