Ransomware Attack on the Washington Times Leads to a Dark Web Data Auction

The Rhysida group advertised an online auction of what it described as the Washington Times' unique data, accompanied by a countdown clock showing that the auction would begin in seven days from the date of the notice. Separately, an unidentified criminal group was observed deploying a new utility designed to terminate endpoint detection and response (EDR) tools, apparently as part of an attempt to attack an organization with RansomHub ransomware.

This news caused concern among many security professionals, because RansomHub has been used in many prominent hacks, including those against Change Healthcare, Frontier Communications, and Christie's auction house. The hacker group that attacked Columbus last week dumped over three terabytes of stolen data, including files belonging to employees, on the dark web early Thursday morning after its efforts to auction off the data failed to attract or satisfy buyers.

A few hours after a lengthy dark web auction ended and the listing disappeared from the site, the Rhysida ransomware group started leaking the data, according to Ohio State assistant professor Carter Yagemann, CMIT Solutions' Daniel Maldet, and other cybersecurity experts who have observed the onion site. Although the hackers claimed to have 6.5 terabytes of data, only a portion of it has been uploaded so far, including backed-up databases for dozens of city employees and SQL backup files of entire databases containing personal information.

Because the files are so large, it is difficult to determine exactly what they contain. NBC4 found, however, that Rhysida's leak included not only a list of employees' names from a company database but also a list of contractors and former employees who left the company in 2021, making it clear that the leak did not cover current employees alone.

In a bid to sell off the massive amount of data it allegedly stole in the city ransomware attack, the group claiming responsibility for the hack also claims that several bank accounts were compromised by the thieves. Rhysida, which originally broke into the City of Columbus servers to steal sensitive information, says it obtained 6.5 terabytes of data. Multiple cybersecurity watchdogs, including Dark Web Intelligence and Ransom Look, reported that Rhysida is offering the data through a service that can only be accessed with the specialized Tor browser, which has become synonymous with the dark web.

The details of this trove of compromised data emerged after Columbus Mayor Andrew Ginther announced that some of the city's online services had been shut down because of a ransomware attack on July 18. The mayor credited the city's IT department with cutting off access before any city data was encrypted by the hackers, but added that the city is still investigating how much data was stolen.

Corbett did not name Rhysida or any other suspected hacking group on Monday, but said the attack had been carried out by an "established and sophisticated threat actor working from overseas." The group's website lists the price for the data as 5 bitcoins, worth $295,198.50 at the time of this writing. The post does not specify what the data consists of, but an attached screenshot appears to show many scans of official documents, including an identification card and a Texas driver's license.

Cybersecurity analyst Dominic Alvier previously told the Daily Dot that, based on the screenshot, it did not appear the hackers had accessed any critical information beyond personal information that could be linked to someone in the organization. The Daily Dot contacted Rhysida about the alleged breach but has not received a response. It also remains unclear whether there have been any negotiations between the hacking group and the outlet. As of Wednesday afternoon, the Washington Times had not made any public statement about the alleged cyberattack on its systems.

The publication also did not respond to an email inquiry from the Daily Dot at the time of its report. The incident drew attention to the Rhysida ransomware group, which U.S. government advisories have recognized as a significant cyber threat. Rhysida operates under a subscription-based model known as Ransomware as a Service (RaaS), leasing its ransomware tools to other cybercriminals. Since Rhysida's emergence in May 2023, this model has facilitated attacks across sectors including education, healthcare, manufacturing, information technology, and government.

Earlier this month, Rhysida gained widespread attention after hacking a law enforcement agency in a Florida county. The group threatened to expose sensitive data, including scanned driver's licenses and fingerprints, highlighting the severity of the breach. Cybersecurity experts have noted that while the identities of those behind Rhysida remain unknown, the group's operational patterns resemble those of cybercriminals based in Russia, Belarus, and Kazakhstan.

Rafe Pilling, Director of Threat Research at Secureworks, has emphasized that Rhysida exhibits behaviours common to criminal organizations in these regions. Since its inception, the Rhysida group has claimed responsibility for 114 cyberattacks, as evidenced by the list of victims published on its dark web blog. This list underscores the group's approach of pursuing "targets of opportunity," as it has infiltrated multiple sectors, including education, healthcare, manufacturing, and local government entities.

An updated profile by the U.S. Defense Department in November 2023 corroborates these findings. Rhysida's operations are further characterized by double extortion: even after a victim has paid the initial ransom to receive a decryption key, the group threatens to leak the stolen data unless a second payment is made. This adds another layer of pressure on victims and exacerbates the impact of the attacks. This year, Rhysida claimed responsibility for breaches at the British Library, the world's largest repository of historical knowledge, and the Anne & Robert H. Lurie Children's Hospital in Chicago.

These incidents further demonstrate the group's willingness to target prestigious and vulnerable institutions. The growing list of Rhysida's victims is a stark reminder of the pervasive and escalating nature of ransomware threats. The recent incident involving The Washington Times is yet another example of the significant damage cyberattacks can inflict, particularly when they target well-known organizations.

The audacity of Rhysida's operations underscores the critical need for organizations to prioritize robust cyber defence mechanisms. Protecting sensitive data has become increasingly important as cyber threats continue to evolve and grow more sophisticated, and security analysts consistently recommend strong data protection policies to combat ransomware effectively. As The Washington Times and other organizations navigate these threats, they must remain acutely aware of the high stakes involved, not only for their operations but also for their readership and the broader media environment.

In summary, the ongoing activities of the Rhysida group illustrate the serious challenges posed by ransomware in the current cybersecurity climate. Each incident involving Rhysida offers invaluable lessons for organizations striving to develop effective strategies to counter and prevent future attacks.