Rhysida (hacker group)

{{Short description|Hacker group using ransomware}}

Rhysida is a ransomware group that encrypts data on victims' computer systems and threatens to make it publicly available unless a ransom is paid.{{cite web |last=Milmo |first=Dan |title=Rhysida, the new ransomware gang behind British Library cyber-attack |url=https://www.theguardian.com/technology/2023/nov/24/rhysida-the-new-ransomware-gang-behind-british-library-cyber-attack |website=The Guardian |access-date=2023-12-23 |date=2023-11-24}} The group uses its eponymous ransomware in a ransomware-as-a-service model, targets large organisations rather than making random attacks on individuals, and demands large sums of money to restore data.{{cite web |last1=Hollingworth |first1=David |title=Snikt! Rhysida dumps more than a terabyte of Insomniac Games' internal data |url=https://www.cyberdaily.au/culture/9959-snikt-rhysida-dumps-more-than-a-terabyte-of-insomniac-games-internal-data |website=www.cyberdaily.au |access-date=2023-12-23 |language=en |date=19 December 2023}}

The group perpetrated the notable 2023 British Library cyberattack and Insomniac Games data dump.{{cite news|title=Wolverine: What we know about the cyberattack that leaked one of PlayStation's most anticipated games |url=https://news.sky.com/story/wolverine-what-we-know-about-the-cyberattack-that-leaked-one-of-playstations-most-anticipated-games-13034721 |website=Sky News |date=2023-12-20 |last=Acres|first=Tom}} It has targeted many organisations, including some in the US healthcare sector, and the Chilean army.{{Cite web |title=Rhysida ransomware – what you need to know|first=Graham|last=Cluley|author-link=Graham Cluley|publisher=Tripwire |date=10 August 2023 |url= https://www.tripwire.com/state-of-security/rhysida-ransomware-what-you-need-know}}

In November 2023, the US agencies Cybersecurity and Infrastructure Security Agency (CISA), FBI and MS-ISAC published an alert about the Rhysida ransomware and the actors behind it,{{cite web |title=CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware|url=https://www.cisa.gov/news-events/alerts/2023/11/15/cisa-fbi-and-ms-isac-release-advisory-rhysida-ransomware |publisher=Cybersecurity and Infrastructure Security Agency (CISA)|access-date=2023-12-23 |language=en |date=15 November 2023}} with information about the techniques the ransomware uses to infiltrate targets and its mode of operation.{{cite web |title=#StopRansomware: Rhysida Ransomware|url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a |publisher=Cybersecurity and Infrastructure Security Agency (CISA)|access-date=2023-12-23 |id=Alert Code AA23-319A|date=15 November 2023}}

The group may be based in the Commonwealth of Independent States.

The group takes its name from a genus of centipedes and uses a centipede logo.

Attacks

  • British Library cyberattack, 2023
  • Insomniac Games data dump, releasing details of the Marvel's Wolverine game and employee details.{{cite web |title=Insomniac: PlayStation studio 'angered' by ransomware hack |url=https://www.bbc.co.uk/news/newsbeat-67805736 |website=BBC News |access-date=2023-12-24 |date=22 December 2023}}
  • Chilean army{{cite web |title=Rhysida Ransomware Gang Strikes Again, Targets Chilean Army And Martinique |url=https://thecyberexpress.com/rhysida-ransomware-gang-cyber-attack/#:~:text=The%20notorious%20Rhysida%20ransomware%20gang%20has%20attacked%20Ej%C3%A9rcito,the%20Chilean%20Army%20on%20a%20dark%20web%20forum. |website=The Cyber Express |access-date=2023-12-25 |date=12 June 2023}}
  • City of Columbus, Ohio, July 2024: over 3 TB of data was released onto the dark web after an attempt to extort $1.7M (30 Bitcoin) from the city.{{cite news |last1=Bush |first1=Bill |title=Hackers release reams of stolen Columbus data on dark web |url=https://eu.dispatch.com/story/news/local/2024/08/08/city-columbus-data-public-dark-web-ransomware-hack-cyber-ohio-cybersecurity-stolen/74718671007/ |access-date=2024-08-10 |work=The Columbus Dispatch}}
  • Seattle-Tacoma International Airport, August 2024{{cite news |title=Sea-Tac cyberattack caused by global ransomware gang, Port says |url=https://www.seattletimes.com/life/travel/sea-tac-cyberattack-caused-by-global-ransomware-gang-port-says/ |access-date=2024-09-15 |work=The Seattle Times |date=13 September 2024}}
  • Rutherford County Schools (Tennessee), November 2024{{cite news |title=Hackers appear to sell data stolen from Rutherford County Schools |url=https://www.wkrn.com/news/local-news/hackers-appear-to-sell-data-stolen-from-rutherford-county-tn-schools/amp/ |access-date=2024-12-11 |work=WKRN News 2 |date=11 December 2024}}
  • Pembina Trails School Division, December 2024{{Cite news |last=Kitching |first=Chris |date=10 April 2025 |title=Hackers put price of $1.6M on student data |url=https://www.winnipegfreepress.com/breakingnews/2025/04/10/hackers-put-price-of-1-6m-on-personal-information-about-winnipeg-students-school-division-employees |url-status=live |archive-url=https://web.archive.org/web/20250414153740/https://www.winnipegfreepress.com/breakingnews/2025/04/10/hackers-put-price-of-1-6m-on-personal-information-about-winnipeg-students-school-division-employees |archive-date=14 April 2025 |access-date=14 April 2025 |work=Winnipeg Free Press}}

Ransomware as a service

The US CISA report states:

{{quote|Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832) activity and the actors observed deploying Rhysida ransomware. Additionally, open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.}}

References

{{reflist}}
