Rhysida Ransomware Group, Which Crippled the British Library Racking Up £6 to £7 Million in Recovery Costs, Turns Its Wrath on Hospitals, Power Plants, and Schools in the UK, Europe, and the Middle East, Warns eSentire

On October 31, 2023, the Rhysida Ransomware Group launched a crippling attack on the British Library. Although the library did not pay the criminals’ ransom demand of £650,000, library authorities are now estimating that it will cost between £6 Million and £7 Million to rebuild the library’s IT systems. This hefty price tag is going to cost the organisation approximately 40 percent of its “unallocated cash reserves,” according to library officials.

The Rhysida criminals emerged onto the ransomware scene in May 2023, and in less than nine months, they claim to have victimised 77 companies and public institutions on their Dark Web leak site. Top global cybersecurity solutions provider, eSentire, investigated the group’s victim list and the purported evidence they stole from each organisation and posted to their leak site.

eSentire’s security research team, the Threat Response Unit (TRU), assesses with high confidence that the companies and public institutions Rhysida claims to have hit have indeed been compromised by the Rhysida cybercriminals.

In the last three and a half months, the Rhysida group not only compromised the British Library, but many organisations in the UK, Europe, and the Middle East. Many of the targets include critical infrastructure such as hospitals, schools, power plants, and well-known public institutions.

Rhysida operates as a Ransomware-as-a-Service. The group leases their ransomware tools and infrastructure to affiliates, and the affiliates pay the Rhysida operators a share of the ransom monies they collect.

The Connection Between Vice Society and Rhysida—Partners in Crime?

TRU and other cybersecurity researchers have identified several similarities between Rhysida’s Tactics, Techniques, and Procedures (TTPs) and those of the Vice Society Ransomware Group. Vice Society emerged on the ransomware scene in late 2020 and was extremely active up until May 2023, when the Rhysida group first appeared.

Similar to Rhysida, Vice Society targeted organisations in the education and healthcare sectors. One of the ransomware group’s most debilitating attacks was in September 2022 against the Los Angeles Unified School District (LAUSD). At the time of the attack, the school district included 1,000 schools and served approximately 600,000 students.

Two weeks after the attack, the district was still working to recover and bring its IT systems back online. To add insult to injury, the threat actors threatened to publish 500 gigabytes of data that they had stolen from the school district on their underground leak site if the LAUSD didn’t pay the ransom.

The school officials refused to pay the hackers, so they released the stolen data, which included Social Security numbers, financial information, health records, and legal records belonging to the students. The students’ parents were so upset that LAUSD was forced to set up a hotline to respond to their queries.

Interestingly, when Rhysida came on the ransomware scene in May 2023, Vice Society’s activity dropped off considerably, they only posted a handful of victims on their leak site between May and November 2023. One might theorise that Vice Society simply shed its name and adopted the Rhysida title or that the Vice Society threat actors ditched their operation and joined up with the Rhysida operators and their affiliates.

The Rhysida threat actors hit their targets with double extortion, demanding victims pay a hefty ransom to regain access to their data and avoid having their data exposed online. Although Rhysida is yet to become a household name like well-known RaaS groups, LockBit and Clop, the criminal gang is quickly catching up with its notorious peers.

As such, TRU is warning businesses and public entities to put security defences in place to protect their critical data and applications and avoid business disruption from the Rhysida group, as well as other threat groups.

Rhysida’s operators and their affiliates are capable of causing substantial destruction, with little remorse, as readers will see from the following cyber incidents and the ransom note the threat actors leave each victim (Figure 1).

Rhysida Ransomware Group Cripples the British Library

The Rhysida group’s assault against the British Library on October 31, 2023 took many of the library’s systems down, including online access to their primary catalogue, which contains 36 million records of printed and rare books, maps, journals and music scores, depended on by researchers around the world.

At publication, it has been twelve weeks since the attack, and patrons can only access the library’s main catalogue, in a “read-only ” format. The British Library is one of the world’s largest and most prestigious libraries, with an estimated 170 to 200 million items.

According to the Library’s Chief Executive, Sir Roly Keating, the attack also took down several of their other core digital services, such as their online learning resources and their main website. Their main website is still not restored. Patrons are having to use a temporary, scaled back version of their website.

Keating described the attack in a December 2023 blog saying: “This was a ransomware attack, by a criminal group known for such activity, and its effects were deep and extensive. Our online systems and services were massively disrupted, our website went down, and we initially lost access to even basic communication tools such as email. We took immediate action to isolate and protect our network, but significant damage was already done: having breached our systems, the attackers had destroyed their route of entry and much else besides, encrypting or deleting parts of our IT estate. They also copied a significant chunk of our data, which they attempted to auction online and, a month later, released most of it onto their site on the dark web. The Library itself remains a crime scene, with a forensic investigation of our disrupted network still ongoing. In parallel, our teams are examining and analysing the almost 600 gigabytes of leaked material that the attackers dumped online – difficult and complex work that is likely to take months.”

As Keating noted, the Rhysida threat actors not only encrypted many of the library’s systems, they also stole 600 gigabytes of information from the library including personal information relating to some of the library’s employees. They posted images from some of this data on their Dark Web leak site, including several passport scans and other documents, which appeared to be employment documents.

On or around November 20, the Rhysida threat actors began their seven-day auction, giving buyers a deadline for bids ending just before 0800 UTC on November 27. Their starting bid for the information was 20 Bitcoin, equaling approximately £590,000.

"With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data," said the message on Rhysida's Dark Web leak site. "Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner.”

Rhysida Steals Personal Data from Library Patrons and Employees

Initially, it was believed that the cyberattackers only stole personal data belonging to the library’s employees, however, on December 18, 2023, the British Library notified the public that some personal data belonging to users of the library had also been stolen.

“Last week the attackers released some of our data onto the Dark Web including some personal user information,” said British Library spokespersons. “We have contacted our users to alert them to this incident and to offer advice from the National Cyber Security Centre (NCSC) on how to protect themselves, including updating their passwords on other systems. Because our systems are still unavailable, you can’t change the password for our services. However, if you use the same password for non-British Library services, we recommend that you change it as a precaution.”

Several of the library’s systems continue to be down, including the library’s main website. The website states: “We are continuing to experience a major technology outage, as a result of a cyber-attack. Our buildings are open as usual, however, the outage is still affecting our website, online systems and services, as well as some onsite services. This is a temporary website, with limited content outlining the services that are currently available, as well as what is on at the Library.” (Figure 2).

Library patrons did receive some positive news. On February 9, Library Chief Executive Roly Keating said, “Although the various manual workarounds that we have had in place since 15 January may be different from normal, they’ve enabled us to resume our core responsibility of providing access to the collection. Our catalogue becoming visible and usable once again has been a key milestone on our road to recovery, and further improvements will continue to be made in the weeks and months to come.”

Full restoration of the library’s services could take until the end of the year, according to library officials.

Rhysida Attacks HSE, Slovenia’s Largest Power Generation Company, Operator of Hydroelectric, Thermal and Solar Plants, Coal Mines and Subsidiaries in Italy, Hungary, and Serbia

On November 22, 2023, the Rhysida Ransomware Gang hit a very serious target – the largest power generation company in Slovenia, the Holding Slovenske Elektarne – HSE (Figure 3). The company is owned by the government of Slovenia and accounts for 60% of the country’s domestic production. The firm also operates several hydroelectric, thermal, and solar power plants, as well as coal mines across Slovenia, and has subsidiaries in Italy, Hungary, and Serbia.

The Rhysida threat actors compromised HSE’s IT systems and encrypted various files, however, company executives reported that the attack did not disrupt their electric production saying, “IT systems and files were "locked" by the "crypto virus,” said Uroš Svete, HSE’s Director of Information Security. “All power generation operations remained unaffected by the large scale cyberattack, the impairment is limited to the websites of Šoštanj Thermal Power Plants and the Velenje Coal Mine.”

Although HSE officials reported that only the “websites of their Šoštanj Thermal Power Plants and the Velenje Coal Mine” were affected by the attack, the Rhysida threat actors tell a different story. On Rhysida’s data leak site, the Rhysida criminals posted samples of what appears to be HSE contracts, invoices, legal documents, and other financial data.

TRU assesses with high confidence that these documents are authentic and belong to HSE. Also, from the sample files Rhysida posted to their leak site, one has to wonder what other information was accessed and how sensitive is that information (Figure 4).

HSE reached out to the National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration and brought in cybersecurity experts to mitigate the attack and prevent the virus from spreading across all their systems in Slovenia.

Svete issued a joint statement with the General Manager of HSE, assuring the public that the situation was under control and that no operational disruption or significant economic damage was expected due to this incident.

Rhysida Compromises London’s King Edward VII’s Hospital and Threatens to Release Data about the Royal Family

In late November 2023, the Rhysida ransomware operators announced on their data leak site that they had compromised London’s King Edward VII’s Hospital. The threat actors claimed to have stolen sensitive information about the hospital’s employees and their patients. They also claimed that some of the stolen data pertains to members of Britain’s royal family (Figure 5).

King Edward VII’s Hospital is where Elizabeth II, Britain’s late Queen, and her late husband, Prince Philip, were treated over the years for a variety of health issues. In 2018, Prince Philip underwent hip replacement surgery and was treated for a pre-existing condition in 2019.

Meanwhile, Queen Elizabeth II had knee surgery at the hospital in 2003 and was treated for gastroenteritis in 2013. Princess Kate Middleton was also treated at the hospital in 2012 for morning sickness and in July 2023, Sarah Ferguson, the Dutchess of York, underwent surgery for breast cancer, according to news sources.

The Rhysida threat actors put the stolen data up for auction the first few days of December, promising to sell it to one buyer only. They asked for payment in Bitcoin, equaling approximately £300,000 and they threatened if the cache of information was not purchased by December 5, they would make the data publicly available.

The National Cyber Security Centre (NCSC), which is part of Britain’s Government Communications Headquarters (GCHQ), was brought in to help investigate the attack. GCHQ is one of three UK Intelligence and Security Agencies. An NCSC spokesman was quoted as saying: “We are working with King Edward VII Hospital to fully understand the impact of an incident.”

A hospital spokesman stated following the incident: “We recently experienced an IT security incident involving temporary, unauthorised access to our systems. We took immediate steps to mitigate the incident’s impact and continued to offer patient care and services, largely as normal.”

He added: “We also launched a comprehensive investigation, which confirmed that a small amount of data was copied from part of our IT system. While this was primarily benign hospital systems data, a limited amount of patient information was copied, and we are notifying a small subset of our patient database about this. The vast majority of patients are not affected by this in any way, and we offer our apologies for any concern this incident may cause.”

Patients who were affected by the attack are being offered free identity and credit monitoring to help keep them safe from potentially fraudulent activity, according to one of London’s national news outlets, The Telegraph.

The Rhysida threat actors posted images, on their leak site, of the purported documents stolen from the hospital. These included pictures of medical reports, patient admittance forms, physician correspondence, x-rays, and pathology reports (Figure 6).

Although TRU has not identified any health data that appears to pertain to the royal family in the leaked images on Rhysida’s leak site, there is data relating to other patients, as well as doctors, and supporting medical staff.

A former British military intelligence colonel, Philip Ingram, commented: “Given the highly sensitive nature of the patients, there will be a degree of pressure on the hospital to try to stop any of this data being released. Therefore, I would expect them to explore the possibility of paying the ransom.”

Interestingly, after initially announcing the attack, King Edward VII’s Hospital does not appear to have provided any further details or updates about the attack to the press or the wider public.

Not long after Rhysida attacked King Edward VII’s hospital, the threat actors went after the Abdali Hospital, a 200-bed medical facility in Amman, Jordan in mid-December. Abdali is a multi-specialty hospital, employing medical specialists in orthopedics and rheumatology, gynecology, urology and endocrinology, neurology, nephrology, pulmonology, internal medicine, oncology, infectious disease, and anesthesiology.

To prove that they had compromised the facility, the Rhysida threat actors posted images of ID cards, contracts, etc. on their leak site, and stated that they had a trove of sensitive data they were auctioning off for 10 Bitcoin. (Figure 7)

Although the public has not been made privy to the true extent of the damage from the attacks against King Edward VII’s Hospital and the Abdali Hospital, the Rhysida criminals have certainly exhibited how ruthless the group can be when it comes to their attacks against healthcare organisations.

Rhysida Shows No Mercy in its Attack Against a Healthcare Company’s 16 Hospitals and 166 Clinics and Centers

In August 2023, prior to attacking the British Library, Rhysida assaulted Prospect Medical Holdings (PMH). PMH is a U.S. healthcare corporation operating 16 hospitals in four different states and a network of 166 outpatient clinics and centers.

During the attack against PMH’s hospitals, clinics, and centers, the Rhysida threat actors tore through the healthcare company’s IT environment, causing such concern that the company took down their computer networks, forcing the doctors, nurses and other hospital staff to revert to using paper charts and pens when caring for the patients.

The Rhysida gang said on their Dark Web leak site that they stole 1 TB of documents and 1.3 TB of databases from PMH. The documents were said to contain corporate documents, patient records and the Social Security Numbers of 500,000 individuals. The attack is believed to have occurred on August 3, with employees finding ransom notes on their screens stating that their network was hacked, and devices encrypted.

The ransomware group said it would sell Prospect Medical’s stolen data for 50 Bitcoins, equaling approximately $1.5 million. Almost three months later, after numerous destructive attacks, the FBI and CISA put out an alert warning critical infrastructure organisations and others about the group and provided a rundown of the group’s Techniques, Tactics and Procedures (TTPs) so companies and public entities can better protect themselves.

Rhysida Attacks a Global Religious Organisation in Switzerland

Unfortunately, the Rhysida threat actors did not slow down for the Christmas holidays. On December 26, Rhysida claimed to have compromised a new victim – The World Council of Churches (WCC), a worldwide Christian inter-church organization based out of Switzerland, representing a half a billion people worldwide, according to the organisation.

Two days later on December 28, the WCC publicly reported, via their website, that they had suffered a ransomware attack stating: “The World Council of Churches (WCC) communications systems have been hacked by a ransomware group. In an initial contact on 26 December, the group hacked the WCC systems and asked for payment. The group also threatened to share material worldwide and compromise all the systems.”

Although WCC did not name the criminal group that attacked them, the Rhysida threat actors came out on January 5 stating that they had attacked the Lutheran World Federation, one of WCC’s member organisations.

According to security researchers, the Lutheran World Federation confirmed they had suffered a ransomware attack, and that it was connected to the WCC attack.

Rhysida Goes after the Education Sector, Attacking a London High School, a U.K. Vocational Training School and Two Top Universities

Another victim listed on Rhysida’s leak site in the last two months was a popular high school in London. To prove that the criminals had breached the school’s IT network, the Rhysida threat actors posted sample copies of school employee driver’s licenses, student names, parent names, and phone numbers for numerous parents.

Following the London high school attack, the Rhysida gang went after an award-winning, educational institution in the U.K which specializes in training students for careers in Dentistry, Care (Child, Adult and Social), and Education. They offer nationally recognised vocational qualification programmes, apprenticeships, mentoring and preparation for employment across England and Wales. The Rhysida criminals followed their usual Modus Operandi (MO) and posted to their leak site, samples of employees’ driver licenses and passports.

The Rhysida Ransomware Gang continued its campaign against the education sector, attacking two large and prominent universities in December 2023, Kaunas University of Technology in Lithuania and Tshwane University of Technology in South Africa. Both universities are highly respected and offer undergraduate degrees, as well as post-graduate degrees in science, technology/engineering, and business, and are known for their exceptional sciences and technology departments.

When Rhysida attacked these institutions, the criminals followed their usual MO, posting to their leak site what the threat actors claimed were faculty members’ passports, driver’s licenses, and other university documents.

Rhysida Zeroes in on a Second Target in the Middle East

In December, the Rhysida Group also focused on targets in the Middle East. In addition to attacking the Abduli Hospital in Jordan, they claimed to have compromised a prominent Sports Club in Qatar. As proof, the threat actors posted the National ID cards for many of the club members. The Qatar National Identity card is issued by the government to its citizens, residents, and foreign workers.

The card contains the individuals’ name, photo, date of birth, nationality, and Qatar ID number. A Qatar ID serves as proof of identity, residency, and is required to open a bank account, obtain a driver’s license, and access many government services.

“It is very apparent that when the Rhysida threat actors break into an organisation, they know exactly what information to go after,” said Keegan Keplinger, Sr. Threat Researcher with eSentire’s security research team, the Threat Response Unit (TRU). “They target some of the most valuable, sensitive data a company or public entity can possess. This is evident by the passports and other documents containing personal identifiable information (PII) that they steal,” continued Keplinger.

The Value of One’s Personal Identifiable Information (PII)—Cha-Ching!

“Even if the victim organisation refuses to pay the Rhysida threat actors their ransom demand, the cybercriminals can easily sell this PII on the underground,” said Keplinger. “Passports, driver’s licenses, and National Identity Cards are particularly valuable. With this type of data, a criminal can commit identity theft and depending on the victim’s credit, they can apply for high-limit credit cards, open bank accounts, apply for bank loans, purchase expensive cars, etc.”

Criminals who specialize in buying and selling Personal Identifiable Information (PII) and ‘Fullz’, the slang term for Full Identity Packets, would be particularly interested in this type of data. Fullz typically include a person’s name, DOB, a National Insurance number (NI) or Social Security Number (for the U.S.), an address, email address, and driver’s license number.

The Fullz packets TRU saw advertised on the underground hacker markets for individuals living in the UK, typically come with a credit card, in addition to the PII listed above. These UK Fullz + credit card packets are currently being offered for USD $40 each. TRU saw passport scans for UK and U.S. individuals being sold from between USD $35 and USD $50.

Rhysida’s Tactics, Techniques and Procedures (TTPs)

In November 2023, after numerous destructive attacks, including ones against U.S. government agencies, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) put out an alert warning critical infrastructure organisations and other entities about Rhysida and provided a rundown of the group’s TTPs so companies and public organisations could better protect themselves.

The Rhysida Ransomware Group uses process injection, defense evasion, credential access, discovery, lateral movement, command and control, and impact. They also employ various commands and software during their attacks, including PowerShell, wevtutil.exe, secretsdump, cmd.exe, ipconfig, net group, whoami, net localgroup, net user, nltest, RDP, PuTTy, AnyDesk, and a 4096-bit RSA encryption key, implementing a ChaCha20 algorithm. For more of Rhysida’s TTPs, see the CISA security Advisory.

Security Protections for Preventing Ransomware Attacks and Mitigating Potential Damage

Prospect Medical, the British Museum, and other incidents are prime examples of how companies and public entities must be prepared for a ransomware attack. Therefore, eSentire's Threat Response Unit (TRU) recommends the following security steps:

• Have a backup copy of all critical files and make sure they are offline backups. Backups connected to the infected systems will be useless in the event of a ransomware attack.
• Require multi-factor authentication to access your organisation’s virtual private network (VPN) or remote desktop protocol (RDP) services.
• Only allow administrators to access network appliances using a VPN service.
• Domain controllers are a key target for ransomware actors, so ensure that your security team has visibility into your IT networks using endpoint detection and response (EDR) agents and centralized logging on domain controllers (DCs) and other servers.
• Employ the principle of least privilege with staff members.
• Implement network segmentation.
• Disable RDP if not being used.
• Regularly patch systems, prioritizing your key IT systems.
• User-awareness training should be mandated for all company employees and focus on:
  • Downloading and executing files from unverified sources
  • Avoiding free versions of paid software
  • Inspecting the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain)
  • Always inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.
  • Ensure 24/7 security monitoring and threat response across your environment

If you are not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. To learn more, connect with an eSentire Security Specialist.

Comments from Keegan Keplinger, Sr. Threat Researcher with eSentire’s security research team, the Threat Response Unit (TRU)

“Successful exploitation of the 2020 vulnerability, Zerologon - which affects typical corporate Windows networks - demonstrates a tendency for organisations to neglect 'internal vulnerabilities'. These vulnerabilities may not lead to initial access through remote exploitation, but they can turn a commodity malware infection into a hands-on intrusion through privilege escalation, even when accounts with few permissions are the initial source of the infection.”

“Rhysida affiliates have shown a tendency to rely on valid VPN and RDP credentials for initial access and legitimate admin tools like RDP and AnyDesk for lateral movement. That means that prior to ransomware deployment, the affiliates don't use any identifiable malware strains, lowering chances of detection and attribution. Security researchers have drawn parallels between Rhysida’s TTPs and Vice Society’s TTPs.”

“Rhysida often targets an organisation’s HR department to exfiltrate personally identifiable information from employees, including driver’s licenses, passports, and other forms of identification. From there, the data is first leveraged to apply pressure on the company, then sold or published.”

“Interestingly, parts of Rhysida’s website appeared broken. The weblinks to the document leaks portion of Rhysida’s website did not lead anywhere, but their countdown auctions were fully functioning. It is not clear whether this is a matter of incompetence, or they are only pretending to publish the data so that they can sell it at a higher premium. If not shared with anyone else, the data would have a higher value, as it could facilitate identity theft and financial fraud.”