Rhysida ransomware gang is auctioning data stolen from the British Library

Pierluigi Paganini November 20, 2023

The Rhysida ransomware group claimed responsibility for the recent cyberattack on the British Library that has caused a major IT outage.

The Rhysida ransomware gang added the British Library to the list of victims on its Tor leak site. The British Library is a research library in London that is the national library of the United Kingdom. It is one of the largest libraries in the world.

The ransomware group claims to have stolen a substantial trove of ‘impressive data’ and is auctioning it for 20 BTC. The Rhysida ransomware operators plan to sell the stolen data to a single buyer. The gang will publicly release the data over the seven days following the announcement.

British Library

The attack took place on October 28, the outage affected some on-site services, including the public Wi-Fi.

The library announced that its buildings remain fully open and the following services are available onsite:

  • Reading Rooms (for personal study)
  • any collection items ordered on or before 26 October
  • very limited, manual collection item ordering in London via our printed catalogues, for items stored in St Pancras only.

On November 17, the library announced it was experiencing a major technology outage caused by a cyber-attack.

Three hours ago the British Library said that it is continuing to experience a major technology outage that is impacting its website, online systems and services, and some on-site services.

The library plans to partially restore many services in the next few weeks, but it believes that some disruption may persist for longer.

The library notified law enforcement agencies and is investigating the security breach with the help of cybersecurity experts.

“Following confirmation last week that this was a ransomware attack, we’re aware that some data has been leaked. This appears to be from our internal HR files. We have no evidence that data of our users has been compromised. However, if you have a British Library login and your password is used elsewhere, we recommend changing it as a precautionary measure.” reads the announcement. “The National Cyber Security Centre provides guidance on staying secure online, including how to create a strong password: https://bit.ly/BLNCSC In the meantime, we’ve taken targeted protective measures to ensure the integrity of our systems, and we’re continuing to investigate the attack with the support of NCSC, the Metropolitan Police and cybersecurity specialists. Thank you for bearing with us during this investigation. We’ll update you as soon as we can.”

According to the British Library, the leaked data appears to be from its HR department.

Last week, FBI and CISA published a joint Cybersecurity Advisory (CSA) to warn of Rhysida ransomware attacks against organizations across multiple industry sectors. The report is part of the ongoing #StopRansomware effort that disseminates advisories about tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups.

The report includes IOCs and TTPs identified through investigations as recently as September 2023.

The Rhysida ransomware group has been active since May 2023, according to the gang’s Tor leak site, at least 62 companies are victims of the operation.

The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. The victims of the group are “targets of opportunity.”

“Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware.” reads the joint advisory. “Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates.”

Rhysida actors have been observed leveraging external-facing remote services (e.g. VPNs, RDPs) to gain initial access to the target network and maintain persistence. The group relied on compromised credentials to authenticate to internal VPN access points. According to the advisory, the threat actors have been observed exploiting Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in phishing attempts.

The group relies on living off-the-land techniques such as native (built into the operating system) network administration tools to perform malicious operations.

On October 28 another library, the Toronto Library announced they were addressing a cyber security incident.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Rhysida ransomware)



you might also like

leave a comment