While the name of the threat actors is indeed new to the list, the tactic however remains conventional. Ransomware gangs use malware to infect computers within an organization, making the contents unreadable. They then demand payment, usually in Bitcoin, to unlock the files.
However, in recent years, ‘double extortion’ is a tactic in trend, in which a majority of ransomware groups steal the data simultaneously and threaten to leak it online.
This week, the threat actor in question – Rhysida uploaded low-quality pictures of the personal data that was obtained during the attack to the internet. On her leak site, Rhysida threatened to sell the stolen information for a starting price of 20 bitcoin, or almost £590,000.
According to Rafe Pilling, director of threat research at cybersecurity firm Secureworks, this is “a classic example of a double extortion ransomware attack and they are using the threat of leaking or selling stolen data as leverage to extort a payment.”
While the British Library is the current high-profile victim of the ransomware gang, Rhysida has also notably attacked government institutions in Portugal, Chile and Kuwait. In August, the group also claimed responsibility for attacking the US hospital group Prospect Medical Holdings.
In regards to these emerging cases, the US government agencies have released an advisory note on Rhysida, stating that the “threat actors leveraging Rhysida ransomware are known to impact “'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors.”
The advisory noted that the Rhysida gang has been running a “ransomware as a service” (Raas) operation, in which it deploys malware to threat actors and shares any ransom proceeds.
Rhysida Ransomware Group
Although Rhysida’s name is relatively new to the public, according to US cybersecurity firm Secureworks, the group first came to light in 2021. Secureworks refers to the group as Gold Victor, noting that it runs a ransomware scheme called Vice Society.
While the Rhysida gang's precise identity is unknown, Pilling assumes that it adheres to a pattern of comparable operators who are typically from Russia or the Commonwealth of Independent States, which is made up of Kazakhstan, Belarus, and Russia.
“I would assume that they are probably Russian-speaking but we don’t have any hard evidence,” said Pilling.
The US agencies claim that groups using the Rhysida ransomware have gained access to systems through virtual private networks (VPNs), generally used by staff to access their employers' systems from distant locations. They have also used the well-known tactic of phishing attacks, in which victims are duped—typically through email — into clicking on a link that downloads malicious software or divulges personal information like passwords.
After gaining access to the systems, the gang continues to lurk in the system for a while, in order to evade detection. According to Securework, when compared to that of 2022, this dwell time has now been significantly reduced to less than 24 hours for cybercrime groups.
The US agencies further note that, like other members of the criminal hacking community, Rhysida attackers frequently seek cryptocurrencies as payment for their extortion. Ransomware gangs are drawn to digital assets like Bitcoin because they are decentralized, meaning they operate outside of traditional financial systems and avoid routine checks. Additionally, transactions can be hidden, making them more challenging to follow.