Rhysida Ransomware Gang Targets ICC Corporation
Infamous Rhysida gang announced another ransomware breach, this time against a US-based corporation. This is a fiber-optic service provider that delivers services to both residential and commercial clients. The severity of the ransomware operation is unknown.
- Rhysida first appeared in 2023 and has become one of the fastest-growing organizations in the world
- Rhysida operates as a ransomware-as-a-service (RaaS), relying on affiliates to conduct their business
- The profits are split between the main operators and the affiliates based on their participation and contribution
- Several law enforcement agencies (CISA, FBI, MS-ISAC) have warned about the gang’s potential in November 2023
Rhysida is among the few ransomware actors that begun their ‘career’ in full force. Most ransomware gangs start off slow, targeting either individuals or low-case institutions. Not Rhysida. The gang started targeting whales from the get-go.
In the same year, Rhysida breached the British Library, the California-based Insomniac Games, and even the Chilean Army. The hackers generally demand exorbitant ransoms to restore the system and delete the stolen data.
It’s unclear, at this moment, how many of the victims have paid the ransoms.
The gang got its name after a genus of centipedes, which is quite telling of their overall strategy. The group is proficient at covering its tracks and infiltrating unsuspecting victims, often unnoticed.
They also manage to breach well-defended targets with relative ease, which suggests the use of advanced tools. There is little information on Rhysida’s internal structure, members, or funding, other than what transpires at a first glance.
While Rhysida appears to be a newly-formed group, its MO and activity doesn’t match to that.
What Can We Tell About Rhysida?
Rhysida appears to fit the description of a cybercriminal side project. Many high-profile ransomware gangs rebrand themselves and redistribute their resources under different names. They do so when targeted by law enforcement agencies to erase their tracks.
Others dissolve completely and take on entirely new identities with similar assets, but often different MOs and a different image. This explains why newcoming gangs appear to be so reactive, aggressive, and competent from day one.
However, while Rhysida shows all the signs of a smurf-gang, nothing has been confirmed yet. Until proven otherwise, this is a legitimate entity with original code and structure.
The organization relies on the tried-and-tested multi-extortion practice. The hackers breach the victim’s system, encrypt the files, and exfiltrate the wanted data. They will then demand a ransom to restore the encrypted files and delete the stolen data.
Some pay, others do not. The main takeaway is that both of these actions typically have the same outcome. As experts show, most high-profile ransomware gangs will deliver the decryption key upon paying the ransom.
But the same can’t be said about the stolen data. While the operators will give guarantees that they will delete it, there’s no way for the victim to verify that. Which is why, in many cases, the hackers will keep the data for themselves.
This is the main reason why cybersecurity experts advise against paying the ransom, as it does nothing but fuel cybercriminal gangs.
Our Mission
We believe security online security matters and its our mission to make it a safer place.
