The British Library, a beacon of knowledge and culture, recently fell victim to a ransomware attack by a group known as Rhysida. This group, believed to originate from Russia or the Commonwealth of Independent States, employs a sinister “double extortion” tactic, holding both data and access to systems hostage, thereby increasing their bargaining power.
Rhysida’s modus operandi is to infiltrate an organisation’s computer systems, block access, and steal sensitive data. The twist in their tale is the threat to release this stolen data online unless a ransom, typically demanded in cryptocurrency, is paid. This double-edged sword of extortion has seen Rhysida successfully target organisations worldwide, leaving a trail of disruption and fear in their wake.
The British Library is the latest in a string of high-profile victims. The attack on this esteemed institution has sent shockwaves through the global community, raising questions about the security measures in place and the vulnerability of even the most respected establishments. The incident has also sparked a debate on the need for more robust cybersecurity measures and the ethical implications of paying ransoms to such groups.
Cybersecurity researcher, Rik Ferguson VP Security Intelligence from Forescout commented,
“I would note that double, triple and even quadruple extortion techniques have been in use for a couple of years already. Originally ransomware related extortion was predicated on the encryption of critical file, i.e., denial of access, affecting the availability of data. Over time, attackers have sought to employ additional leverage to force victims to pay up. With double extortion came the threat of leaking the stolen data (impacting confidentiality), triple extortion added on DDoS attacks on the victim company (availability again) and quadruple extortion adds a fourth one, namely rifling through the stolen data for details of customers or partners and contacting them directly (confidentiality again).”
Rhysida’s reach is not limited to the United Kingdom. They have targeted government institutions in Portugal, Chile, and Kuwait, demonstrating their global ambitions and the scale of their operations. The exact identity of the group remains shrouded in mystery, but they are thought to have emerged from a criminal operation established in 2021. Their attacks typically involve common techniques like phishing and exploiting virtual private networks, highlighting the need for organisations to remain vigilant and proactive in their cybersecurity efforts.
Mr Ferguson went on to say,
“Perhaps the most remarkable thing about Rhysida is that it appears to be a very young ransomware strain operating in a Ransomware as a Service (RaaS) model, where various affiliates make use of the ransomware for attacks and the profit is divided between the affiliates and the malware authors. The attacks appear to be relatively manual and human-driven rather than widely automated, making use of stolen credentials, phishing and the exploitation of relatively old vulnerabilities. The attackers evade detaction once inside a victim organization by ‘living off the land’ using legitimate tools such as RDP, VPN connections, PSExec, and PowerShell. We fully expect the Rhysida ransomware to continue adding capabilities over the months to come.”
The rise of Rhysida is part of a worrying trend. Ransomware payments are increasing globally, coupled up with the growing sophistication of cybercriminals. The impact of these attacks extends beyond financial loss, with potential implications for privacy and the trust placed in institutions to safeguard PII.
More on Rhysida in a special report from KBI.Media soon.