Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware group. Show all posts
Ransomware group
Black Basta Conti Ransomware Cyber Extortion Cybercrime Investigation Data Breach Interpol Red Notice Oleg Nefedov ransomware attacks Ransomware group

Black Basta Under Pressure After Ukraine Germany Enforcement Operation


 

Investigators say the Black Basta ransomware campaign left a trail of disruption that extended across Europe and beyond, impacting everything from hospital wards to industrial production lines that were abruptly halted, resulting in a temporary ban of internet and phone use.

Prosecutors from the German Federal Ministry of Justice, along with international law enforcement partners, now believe that the trail of this extortion, the most damaging in recent years, can be traced back to one individual who they describe as the driving force behind one of these operations. 

There has been an investigation into whether Oleg Nefedov was the architect and operational leader of the Black Basta group. Authorities have identified him as a Russian national. 

Authorities accuse him of coordinating a massive ransomware campaign against companies and public institutions across multiple continents by forming and leading an overseas criminal organization.

There is a suspicion among investigators that Nefedov was responsible for leading the organization's core activities, including selecting targets, recruiting affiliates, orchestrating intrusions, and negotiating ransoms, while the proceeds of the transactions were laundered via cryptocurrency wallets and distributed among all participants in the scheme.

Black Basta was also analyzed from an online alias perspective and suspected ties to a now-defunct ransomware collective named Conti. This reinforces the assessment that Black Basta arose from an advanced and interconnected cybercrime ecosystem that has matured over many years. 

Officials from the Federal Republic of Germany have confirmed that Nefedov still resides in Russia and that he has been placed on Interpol's international wanted list, an indication that European authorities have intensified their efforts to identify and pursue the individuals behind cyber extortion committed in large scale industrial scales. 

The Federal Criminal Police Office of Germany has confirmed that Oleg Nefedov, a 36-year-old Russian national suspected of leading the Black Basta ransomware group, is one of the suspected leaders of the ransomware. He is charged with forming criminal organizations abroad, orchestrating large-scale extortion crimes, and committing related cyber crimes. 

A central coordinator was alleged by investigators to be Nefedov. During his time at the group, Nefedov selected targets, recruited and managed members, assigned operational roles, negotiated ransom demands, and distributed extorted proceeds, which were usually paid in cryptocurrency, according to the investigation. 

There were several aliases he operated under on the internet-including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi-and authorities say he may have maintained a connection to the now-defunct Conti ransomware group. 

According to German authorities, Nefedov is believed to be in Russia at the moment, though his exact location remains unclear. Interpol has also added him to a global wanted list. In recent months, the investigation has been further strengthened by numerous disclosures and enforcement actions that have heightened the investigation. 

A leaked internal chat log attributed to Black Basta, which gave rare insights into the group's organization, operations, and communications, as well as exposing identifying information about the individuals involved. This information provided an insight into the organization's inner workings and daily operations. 

According to cybersecurity researchers, many of the Black Basta members previously operated within criminal networks that were closely linked to the Conti and Ryuk ransomware strains, as well as the TrickBot banking trojan — operations that have led Western governments to identify and sanction more than a dozen individuals for their involvement in such attacks. 

According to researchers and investigators, Black Basta is the result of the collapse of Conti, a ransomware operation which fragmented into smaller, semi-autonomous cells after it shut down. In a recent study published by the International Security Agency, Black Basta has been widely interpreted as a rebranding of the former Conti infrastructure, with many of those splinter groups either embedding themselves into existing ransomware schemes or controlling existing operations. 

It has been demonstrated that this view has been reinforced by a review of leaked internal communications by Trellix researchers. According to those who reviewed the Black Basta chat logs, GG and Chuck were exchanging emails about a purported $10 million reward for information about an individual, referred to as “tr” or “-amp,” an individual which researchers believe corresponds to a bounty offered by the U.S. Government for information that will lead to the identification of key Conti figures, including Tramp, the hacker. 

Additionally, Trellix researchers found that within the leaked conversations, GG was identified as Tramp, who had been regarded as Conti's leader for some time, by a participant called "bio," sometimes known as "pumba," a figure who was previously connected to the Conti organization. 

These findings echo those released earlier in February 2022, when a researcher revealed Conti's internal chats in the aftermath of the Russian invasion of Ukraine, revealing internal dynamics and explicitly referring to Tramp as leader of the group. 

It is well-known that such leaks have long been a source of attribution efforts within the cybersecurity industry, but German authorities say that their current case rests on evidence gathered through intelligence and investigation on the German side. 

Oleg Nefedov has been identified formally as the head of the Black Basta ransomware group by Europol, and the Interpol red notice database has been updated with his name. This is a crucial step in the international effort to enquire about the group's activities, marking a decisive step in the effort to enshrine accountability for the group. 

The data breach is the result of an attack on more than 500 organizations across North America, Europe, and Australia by means of Black Basta's ransomware-as-a-service model, which was active since April 2022 and caused hundreds of millions of dollars in damage in the process.

Two suspects in western Ukraine, which were allegedly acting as hash crackers in order to help facilitate network intrusions, data theft, and ransomware deployment, were also announced by German authorities. The police seized digital devices and cryptocurrency during raids that are related to the incident, and are currently conducting forensic analysis of the evidence. 

Official figures underscore the scale of the damage attributed to the group. An official press release from the German authorities stated that documented Black Basta attacks have caused prolonged operational disruptions at over 100 companies in Germany, as well as over 700 organizations worldwide, including hospitals, public institutions, and government agencies. 

In Germany, it is estimated that losses will exceed 20 million euros in the next few years. Research conducted in December 2023 by blockchain analytics firm Elliptic and Corvus Insurance found that over the course of the past four years, the group accumulates at least $107 million in Bitcoin ransom payments, which has been determined to be paid by over 329 victims in 31 countries across the world. 

A detailed analysis of blockchain transactions also revealed a clear financial and operational link between Black Basta and Conti, which supported the conclusions of law enforcement that this syndicate grew out of a well-established, interconnected cybercrime ecosystem that was well-established and interconnected. 

In light of the scope and selectivity of Black Basta's operations, it is evident why it has been a top priority for law enforcement and security researchers to investigate. A number of victims have been confirmed, including Rheinmetall, Hyundai, BT Group, Ascension, ABB, the American Dental Association, U.K.-based outsourcing company Capita, the Toronto Public Library, the Yellow Pages Canada, and others. 

These victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group, as well as the United States healthcare provider Ascension. According to the researchers, the group did not operate in an indiscriminate manner, but applied a targeted strategy based on geography, industry, and organizational revenue, while also closely tracking geopolitical developments in order to reduce the likelihood of retaliation from law enforcement agencies. 

A ransomware operation known as Black Basta, which is characterized by a focus on large, high-revenue organizations with the ability to pay large ransoms, was known to be targeting large, high-revenue organizations. Based on internal communications, it appears that entities in both the United States and Germany were the most likely to pay a ransom. 

There are 57 percent of victims in the United States who had reported a leak between April 2022 and January 2025, with Germany accounting for 12 percent, while additional victims were observed throughout Europe, Asia Pacific and the Americas as well. 

Accordingly, that assessment is reflected in activity observed on the group's leak site. Several leaks of internal chats in the group have introduced rare insights into the group's internal structure, its financial management, and its extortion practices, which have strengthened efforts to identify key actors and disrupt their operations by exposing real-world names and financial transactions. 

Despite the fact that Black Basta’s data leak site is currently offline, analysts warn that the group still has the resources and incentives to re-emerge, either by adopting a new name or partnering with other ransomware crews, illustrating how authorities continue to face challenges in dismantling entrenched cybercrime networks rather than simply disrupting them, even when the site is offline. 

Together, these findings present a detailed portrayal of a ransomware operation that developed out of a fractured but resilient cybercrime ecosystem into a global enterprise that has far-reaching consequences. Having identified an alleged leader along with financial tracing, leaking internal communications, and coordinated international enforcement, German authorities state that the investigation has matured—with an emphasis not only on disruption, but also on attribution and accountability for ransomware. 

It should be noted that while law enforcement actions have slowed Black Basta's visible activities, experts and officials agree that dismantling such networks will take years, especially when key figures are believed to be operating in jurisdictions that are beyond the reach of law enforcement officials. 

In addition to demonstrating the extent of the harm caused by ransomware campaigns, the case also highlights the growing determination of governments to pursue those responsible, even through the broader cybercrime landscape continues to evolve, fragment, and resurface.
Read more »
Ransomwares
Colt ransomware attack Colt WarLock hackers Customer Data Cyber Attacks Dark Web data stealing Ransom Demand ransomware attacks Ransomware group Ransomwares

Colt Technology Services Confirms Customer Data Theft After Warlock Ransomware Attack



UK-based telecommunications provider Colt Technology Services has confirmed that sensitive customer-related documentation was stolen in a recent ransomware incident. The company initially disclosed on August 12 that it had suffered a cyberattack, but this marks the first confirmation that data exfiltration took place. In its updated advisory, Colt revealed that a criminal group accessed specific files from its systems that may contain customer information and subsequently posted the filenames on dark web forums. 

To assist affected clients, Colt has set up a dedicated call center where customers can request the list of exposed filenames. “We understand that this is concerning for you,” the company stated in its advisory. Notably, Colt also implemented a no-index HTML meta tag on the advisory webpage, ensuring the content would not appear in search engine results. 

The development follows claims from the Warlock ransomware gang, also known as Storm-2603, that they are auctioning one million stolen Colt documents for $200,000 on the Ramp cybercrime marketplace. The group alleges the files contain financial data, customer records, and details of network architecture. 
Cybersecurity experts verified that the Tox ID used in the forum listing matches identifiers seen in the gang’s earlier ransom notes, strengthening the link to Colt’s breach. The Warlock Group, attributed to Chinese threat actors, emerged in March 2025 and initially leveraged leaked LockBit Windows and Babuk VMware ESXi encryptors to launch attacks. Early operations used LockBit-style ransom notes modified with unique Tox IDs to manage negotiations. 

By June, the group rebranded under the name “Warlock Group,” establishing its own negotiation platforms and leak sites to facilitate extortion. Recent intelligence reports, including one from Microsoft, have indicated that the group has been exploiting vulnerabilities in Microsoft SharePoint to gain unauthorized access to corporate networks. Once inside, they deploy ransomware to encrypt data and steal sensitive files for leverage. 

The group’s ransom demands vary significantly, ranging from $450,000 to several million dollars, depending on the target organization and data involved. Colt’s disclosure highlights ongoing challenges faced by enterprises in safeguarding critical infrastructure against sophisticated ransomware actors. Telecommunications companies, which manage vast volumes of sensitive customer and network data, remain particularly attractive targets. 

As threat actors refine their tactics and increasingly combine encryption with data theft, the risks to both organizations and their clients continue to escalate. While Colt has not confirmed whether it plans to engage with the ransomware operators, the company emphasized its focus on mitigating the impact for customers. 

For now, the stolen documents remain for sale on the dark web, and the situation underscores the broader need for enterprises to strengthen resilience against the evolving ransomware landscape.
Read more »
Ransomwares
customer data compromise Cyber Attacks Data Breaches Data Leak data security RansomHub RansomHub ransomware ransomware attacks Ransomware group Ransomwares

Manpower Data Breach Hits 145,000 After RansomHub Ransomware Attack

 

Manpower, one of the world’s largest staffing and recruitment companies, has confirmed that nearly 145,000 individuals had their personal data compromised following a ransomware attack in late December 2024. The company, which operates as part of ManpowerGroup alongside Experis and Talent Solutions, employs more than 600,000 workers across 2,700 offices worldwide and reported $17.9 billion in revenues last year. 

The breach came to light after the company investigated a systems outage at a Lansing, Michigan, franchise in January 2025. According to a filing with the Office of the Maine Attorney General, attackers gained unauthorized access to Manpower’s network between December 29, 2024, and January 12, 2025. In notification letters sent to affected individuals, Manpower revealed that certain files may have been accessed or stolen during this time. The company stated that the breach potentially exposed personal information, though the full scope of data compromised remains undisclosed. 

On July 28, 2025, the staffing firm formally notified 144,189 individuals that their data may have been involved in the incident. Following the discovery, Manpower announced that it had implemented stronger IT security measures and is cooperating with the FBI to pursue those responsible. To mitigate the impact on victims, the company is also offering complimentary credit monitoring and identity theft protection services through Equifax. 

The ransomware group RansomHub has claimed responsibility for the attack. In January, shortly after Manpower disclosed the incident, the group alleged that it had stolen 500GB of sensitive files from the company’s systems. According to RansomHub, the stolen trove included personal and corporate records such as passports, Social Security numbers, contact details, financial documents, HR analytics, and confidential contracts. The gang initially published details of the breach on its dark web site but later removed Manpower’s listing, raising speculation that a ransom may have been paid to prevent further data leaks. 

RansomHub is a ransomware-as-a-service (RaaS) operation that emerged in early 2024, evolving from earlier groups known as Cyclops and Knight. Since then, it has been linked to numerous high-profile attacks against global organizations, including Halliburton, Kawasaki’s European operations, Christie’s auction house, Frontier Communications, Planned Parenthood, and the Bologna Football Club. The group was also behind the leak of data stolen in the massive Change Healthcare cyberattack, one of the largest breaches in the U.S. healthcare sector, impacting more than 190 million individuals. 

Last year, the FBI reported that RansomHub affiliates had breached over 200 critical infrastructure organizations across the United States, further underlining the group’s reach and persistence. While ManpowerGroup has not confirmed the exact nature of the stolen data or whether negotiations occurred, a company spokesperson clarified that the incident was confined to an independently operated franchise in Lansing. The spokesperson emphasized that the franchise runs on a separate platform, meaning no ManpowerGroup corporate systems were compromised.

The breach highlights the growing risks ransomware attacks pose to global enterprises, particularly those handling large volumes of sensitive employee and client data. It also reflects how threat actors like RansomHub continue to exploit vulnerabilities in third-party and subsidiary operations, targeting organizations indirectly when direct access to corporate systems is more difficult.
Read more »
Ransomwares
Cyber Security Cyberattacks DarkBit Encryption Key Iran Israel MuddyWater ransomware attacks Ransomware group Ransomwares

Profero Cracks DarkBit Ransomware Encryption After Israel-Iran Cyberattack Links

 

Cybersecurity company Profero managed to break the encryption scheme used by the DarkBit ransomware group, allowing victims to restore their systems without having to pay a ransom. This achievement came during a 2023 incident response investigation, when Profero was called in to assist a client whose VMware ESXi servers had been locked by the malware. 

The timing of the breach coincided with escalating tensions between Israel and Iran, following drone strikes on an Iranian Defense Ministry weapons facility, raising suspicions that the ransomware attack had political motivations. The attackers behind the campaign claimed to represent DarkBit, a group that had previously posed as pro-Iranian hacktivists and had targeted Israeli universities. Their ransom messages included strong anti-Israel rhetoric and demanded payments amounting to 80 Bitcoin. 

Israel’s National Cyber Command later attributed the operation to MuddyWater, a well-known Iranian state-backed advanced persistent threat group that has a history of conducting espionage and disruption campaigns. Unlike conventional ransomware operators who typically pursue ransom negotiations, the DarkBit actors appeared less concerned with money and more focused on causing business disruption and reputational harm, signaling motivations that aligned with state-directed influence campaigns. 

When the attack was discovered, no publicly available decryptor existed for DarkBit. To overcome this, Profero researchers analyzed the malware in detail and found flaws in its encryption process. DarkBit used AES-128-CBC keys created at runtime, which were then encrypted with RSA-2048 and appended to each locked file. However, the method used to generate encryption keys lacked randomness. By combining this weakness with encryption timestamps gleaned from file modification data, the researchers were able to shrink the possible keyspace to just a few billion combinations—far more manageable than expected. 

The team further capitalized on the fact that Virtual Machine Disk (VMDK) files, common on ESXi servers, include predictable header bytes. Instead of brute forcing an entire file, they only needed to check the first 16 bytes to validate potential keys. Profero built a custom tool capable of generating key and initialization vector pairs, which they tested against these known file headers in a high-powered computing environment. This method successfully produced valid decryption keys that restored locked data. 

At the same time, Profero noticed that DarkBit’s encryption technique was incomplete, leaving many portions of files untouched. Since VMDK files are sparse and contain large amounts of empty space, the ransomware often encrypted irrelevant sections while leaving valuable data intact. By carefully exploring the underlying file systems, the team was able to retrieve essential files directly, without requiring full decryption. This dual approach allowed them to recover critical business data and minimize the impact of the attack.  

Researchers noted that DarkBit’s strategy was flawed, as a data-wiping tool would have been more effective at achieving its disruptive aims than a poorly implemented ransomware variant. The attackers’ refusal to negotiate further reinforced the idea that the campaign was intended to damage operations rather than collect ransom payments. Profero has chosen not to release its custom decryptor to the public, but confirmed that it is prepared to help any future victims affected by the same malware.  

The case illustrates how weaknesses in ransomware design can be turned into opportunities for defense and recovery. It also highlights how cyberattacks tied to international conflicts often blur the line between criminal extortion and state-backed disruption, with groups like DarkBit using the guise of hacktivism to amplify their impact.
Read more »
Ransomwares
Cyber Attacks Data Leak data security Data Theft DragonForce DragonForce Ransomware Group Hacker attack Hacking Group Ransomware attack Ransomware group Ransomwares

Belk Hit by Ransomware Attack as DragonForce Claims Responsibility for Data Breach

 

The department store chain Belk recently became the target of a ransomware attack, with the hacking group DragonForce taking responsibility for the breach. The cybercriminals claim to have stolen 156 GB of sensitive data from the company’s systems in early May. 

JP Castellanos, Director of Threat Intelligence at cybersecurity firm Binary Defense, stated with high confidence that DragonForce is indeed behind the incident. The company, based in Ohio, specializes in threat detection and digital forensics. During an investigation of dark web forums on behalf of The Charlotte Observer, Castellanos found that DragonForce had shared samples of the stolen data online. 

In a message directed at Belk, the group stated that its original aim wasn’t to damage the company but to push it into acknowledging its cybersecurity failures. DragonForce claims Belk declined to meet ransom demands, which ultimately led to the data being leaked, affecting numerous individuals. 

Following the breach, Belk has been named in multiple lawsuits. The complaints allege that the company not only failed to protect sensitive personal information but also delayed disclosing the breach to the public. Information accessed by the attackers included names, Social Security numbers, and internal documentation related to employees and their families. 

The cyberattack reportedly caused a complete systems shutdown across Belk locations between May 7 and May 11. According to a formal notice submitted to North Carolina’s Attorney General, the breach was discovered on May 8 and disclosed on June 4. The total number of affected individuals was 586, including 133 residents of North Carolina. 

The stolen files contained private details such as account numbers, driver’s license data, passport information, and medical records. Belk responded by initiating a full-scale investigation, collaborating with law enforcement, and enhancing their digital security defenses. On June 5, Belk began notifying those impacted by the attack, offering one year of free identity protection services. These services include credit and dark web monitoring, as well as identity restoration and insurance coverage worth up to $1 million. 

Despite these actions, Belk has yet to issue a public statement or respond to ongoing media inquiries. DragonForce, identified by experts as a hacktivist collective, typically exploits system vulnerabilities to lock down company networks, then demands cryptocurrency payments. If the demands go unmet, the stolen data is often leaked or sold. 

In Belk’s case, the group did not list a price for the compromised data. Castellanos advised anyone who has shopped at Belk to enroll in credit monitoring as a precaution. Belk, which was acquired by Sycamore Partners in 2015, has been working through financial challenges in recent years, including a short-lived bankruptcy filing in 2021. 

The retailer, now operating nearly 300 stores across 16 southeastern U.S. states, continues to rebuild its financial footing amid cybersecurity and operational pressures.
Read more »
Ransomwares
Cyberattack Data Breach Data Leak data security Employee Data Healthcare Interlock gang Interlock ransomware Kettering Health Ransomware attack Ransomware group Ransomwares

Kettering Health Ransomware Attack Linked to Interlock Group

 

Kettering Health, a prominent healthcare network based in Ohio, is still grappling with the aftermath of a disruptive ransomware attack that forced the organization to shut down its computer systems. The cyberattack, which occurred in mid-May 2025, affected operations across its hospitals, clinics, and medical centers. Now, two weeks later, the ransomware gang Interlock has officially taken responsibility for the breach, claiming to have exfiltrated more than 940 gigabytes of data.  

Interlock, an emerging cybercriminal group active since September 2024, has increasingly focused on targeting U.S.-based healthcare providers. When CNN first reported on the incident on May 20, Interlock had not yet confirmed its role, suggesting that ransom negotiations may have been in progress. With the group now openly taking credit and releasing some of the stolen data on its dark web site, it appears those negotiations either failed or stalled. 

Kettering Health has maintained a firm position that they are against paying ransoms. John Weimer, senior vice president of emergency operations, previously stated that no ransom had been paid. Despite this, the data breach appears extensive. Information shared by Interlock indicates that sensitive files were accessed, including private patient records and internal documents. Patient information such as names, identification numbers, medical histories, medications, and mental health notes were among the compromised data. 

The breach also impacted employee data, with files from shared network drives also exposed. One particularly concerning element involves files tied to Kettering Health’s in-house police department. Some documents reportedly include background checks, polygraph results, and personally identifiable details of law enforcement staff—raising serious privacy and safety concerns. In a recent public update, Kettering Health announced a key development in its recovery process. 

The organization confirmed it had restored core functionalities of its electronic health record (EHR) system, which is provided by healthcare technology firm Epic. Officials described this restoration as a significant step toward resuming normal operations, allowing teams to access patient records, coordinate care, and communicate effectively across departments once again. The full scope of the breach and the long-term consequences for affected individuals still remains uncertain. 

Meanwhile, Kettering Health has yet to comment on whether Interlock’s claims are fully accurate. The healthcare system is working closely with cybersecurity professionals and law enforcement agencies to assess the extent of the intrusion and prevent further damage.
Read more »
Ransomwares
Customer Data Cyberattack Data Breach Data Leak data security Personal Information personal information exposure Qilin Qilin Ransomware Ransomware attack Ransomware group Ransomwares

Lee Enterprises Ransomware Attack Exposes Data of 40,000 Individuals

 

Lee Enterprises, a major U.S. news publisher, is alerting nearly 40,000 individuals about a data breach following a ransomware attack that took place in early February 2025. The company, which owns and operates 77 daily newspapers and hundreds of weekly and special-interest publications across 26 states, reported that the cyberattack resulted in the theft of personal information belonging to thousands of people. 

Details of the breach were revealed in a recent disclosure to the Maine Attorney General’s office. According to the company, the attackers gained unauthorized access to internal documents on February 3, 2025. These files contained combinations of personal identifiers such as names, Social Security numbers, driver’s license details, bank account information, medical data, and health insurance policy numbers. The security incident caused widespread operational disruptions. 

Following the attack, Lee Enterprises was forced to shut down multiple parts of its IT infrastructure, impacting both the printing and delivery of its newspapers. Several internal tools and systems became inaccessible, including virtual private networks and cloud storage services, complicating daily workflows across its local newsrooms. In a filing with the U.S. Securities and Exchange Commission shortly after the breach, the company confirmed that critical systems had been encrypted and that a portion of its data had been copied by the attackers. 

The source of the attack is yet to be identified, a group known as Qilin has allegedly claimed responsibility near the end of February. The group alleged it had stolen over 120,000 internal files, totaling 350 gigabytes, and threatened to publish the material unless their demands were met. Soon after, Qilin posted a sample of the stolen data to a dark web leak site, which included scans of government-issued IDs, financial spreadsheets, contracts, and other confidential records. The group also listed Lee Enterprises as a victim on its public-facing extortion portal. 

When asked about the authenticity of the leaked data, a spokesperson for Lee Enterprises stated the company was aware of the claims and was actively investigating. This is not the first cybersecurity issue Lee Enterprises has faced. The company’s network was previously targeted by foreign actors during the lead-up to the 2020 U.S. presidential election, where hackers from Iran allegedly attempted to use compromised media outlets to spread disinformation. 

The ransomware attack highlights ongoing threats facing media companies, especially those handling high volumes of personal and financial data. As Lee Enterprises continues its recovery and legal steps, the incident serves as a reminder of the need for robust digital defenses in today’s information-driven landscape.
Read more »
Rhysida ransomware gang
Data Breach Data Leak Extortion Ransomware attack Ransomware group Ransomwares Rhysida Rhysida Ransomware Rhysida ransomware gang

Rhysida Ransomware Group Leaks 1.3M Files Stolen from Oregon DEQ After Failed Extortion Attempt

 

A major ransomware breach has rocked the Oregon Department of Environmental Quality (DEQ), with over 1.3 million files—amounting to 2.4 terabytes—dumped online by the cybercriminal group Rhysida. The stolen data, now circulating on the dark web, reportedly includes confidential information linked to DEQ employees. Whether personal data of Oregon residents outside the agency was compromised remains unconfirmed. DEQ first disclosed system disruptions on April 9, attributing them to a suspected cyberattack. 

The agency, responsible for regulating pollution, waste, air quality, and smog checks for vehicle registrations, had to suspend several core services as a result. An investigation into the breach is underway, but DEQ has not officially confirmed the volume or content of the compromised data. However, Rhysida’s own dark web site claimed responsibility, stating that it attempted to contact DEQ but was ignored. The group then released the data publicly, writing: “They think their data hasn’t been stolen. They’re sorely mistaken.” Before the leak, the group had placed a $2.5 million price tag—30 Bitcoins—on the files, offering them at auction to the highest bidder. 

By April 24, some of the stolen content had reportedly been sold, while the remaining files were made freely available for download. The breach has had serious operational consequences. For nearly a week following the attack, DEQ employees were locked out of their internal systems and email. Emails sent between April 9 and 11 were lost entirely. Vehicle emissions testing—a requirement for registrations in parts of Oregon—was halted across all non-DEQ testing locations, though some services resumed at DEQ-owned facilities on April 14. In a statement issued April 19, DEQ confirmed that employees were gradually regaining access to their work devices, moving from phones back to laptops. 

Despite the cyber disruption, spokesperson Lauren Wirtis said DEQ’s mission-critical services via its online platform DEQ Online remained operational and unaffected. Rhysida, an increasingly active ransomware gang, has previously attacked global organizations including the British Library, Chilean Army, and the Port of Seattle. Their tactics typically include data theft, extortion, and high-pressure ransom demands. 

Oregon’s Enterprise Information Services is leading the forensic investigation, alongside efforts to strengthen state cybersecurity systems. As of April 26, DEQ clarified that no ransom negotiations had occurred, and the timeline for completing the investigation remains uncertain.
Read more »
Subscribe to: Comments (Atom)