While the name of the threat actors is indeed new to the list, the tactic however remains conventional. Ransomware gangs use malware to infect computers within an organization, making the contents unreadable. They then demand payment, usually in Bitcoin, to unlock the files.
However, in recent years, ‘double extortion’ is a tactic in trend, in which a majority of ransomware groups steal the data simultaneously and threaten to leak it online.
This week, the threat actor in question – Rhysida uploaded low-quality pictures of the personal data that was obtained during the attack to the internet. On her leak site, Rhysida threatened to sell the stolen information for a starting price of 20 bitcoin, or almost £590,000.
According to Rafe Pilling, director of threat research at cybersecurity firm Secureworks, this is “a classic example of a double extortion ransomware attack and they are using the threat of leaking or selling stolen data as leverage to extort a payment.”
While the British Library is the current high-profile victim of the ransomware gang, Rhysida has also notably attacked government institutions in Portugal, Chile and Kuwait. In August, the group also claimed responsibility for attacking the US hospital group Prospect Medical Holdings.
In regards to these emerging cases, the US government agencies have released an advisory note on Rhysida, stating that the “threat actors leveraging Rhysida ransomware are known to impact “'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors.”
The advisory noted that the Rhysida gang has been running a “ransomware as a service” (Raas) operation, in which it deploys malware to threat actors and shares any ransom proceeds.
Although Rhysida’s name is relatively new to the public, according to US cybersecurity firm Secureworks, the group first came to light in 2021. Secureworks refers to the group as Gold Victor, noting that it runs a ransomware scheme called Vice Society.
While the Rhysida gang's precise identity is unknown, Pilling assumes that it adheres to a pattern of comparable operators who are typically from Russia or the Commonwealth of Independent States, which is made up of Kazakhstan, Belarus, and Russia.
“I would assume that they are probably Russian-speaking but we don’t have any hard evidence,” said Pilling.
The US agencies claim that groups using the Rhysida ransomware have gained access to systems through virtual private networks (VPNs), generally used by staff to access their employers' systems from distant locations. They have also used the well-known tactic of phishing attacks, in which victims are duped—typically through email — into clicking on a link that downloads malicious software or divulges personal information like passwords.
After gaining access to the systems, the gang continues to lurk in the system for a while, in order to evade detection. According to Securework, when compared to that of 2022, this dwell time has now been significantly reduced to less than 24 hours for cybercrime groups.
The US agencies further note that, like other members of the criminal hacking community, Rhysida attackers frequently seek cryptocurrencies as payment for their extortion. Ransomware gangs are drawn to digital assets like Bitcoin because they are decentralized, meaning they operate outside of traditional financial systems and avoid routine checks. Additionally, transactions can be hidden, making them more challenging to follow.
The responsibility of the attack has been claimed by ransomware gang Rhysida. The group has listed the library as their victim over its darknet forum, where it has leaked the low resolution snippets of the stolen information. The gang is offering to auction the further information for 20 Bitcoin, or about £600,000, to the highest bidder.
As a result of the attacks, the library’s operations have been disrupted for weeks. The stolen data includes images of passport photos and HMRC employment records.
In the darknet website, the listing for the British Library reads, “With just seven days on the clock, seize the opportunity to bid on exclusive, unique and impressive data. Open your wallets and be ready to buy exclusive data.”
The aforementioned listing appeared on the website on Monday, where the group has demanded the ransom to be paid till November 27.
In regards to this, Emisoft’s threat analyst, Brett Callow says that the data “auction” was effectively a “continuation of the extortion attempt” by the gang.
The cyberattack on the British Library started in late October, where the attackers stole large chunks of the library’s website.
Staff at the archive's St Pancras location have been compelled by the disruption to disable the public Wi-Fi and only accept cash payments for some transactions.
Staff at the archive's St Pancras location have been compelled by the disruption to disable the public Wi-Fi and only accept cash payments for some transactions.
The British Library released the following statement on Monday: "We are aware that some data has been exposed, after confirmation last week that this was a ransomware attack. It looks like these are from our own HR records.”
“We have no evidence that data of our users has been compromised.”
The National Cyber Security Centre (NCSC), which is affiliated with GCHQ, and the Metropolitan Police are collaborating with the library to strengthen its IT infrastructure and carry out a forensic examination.
Sir Roly Keating, chief executive of the British Library, said: “We are immensely grateful to our many users and partners who have shown such patience and support as we work to analyse the impact of this criminal attack and identify what we need to do to restore our online systems in a safe and sustainable manner.”