A recent ransomware attack on the British Library, in which personal data was stolen and has since appeared online for sale, has revealed a new ransomware gang to be aware of: Rhysida.

Here’s more about who they are and how they operate. 

Who is Rhysida?

According to Secureworks, Rhysida emerged from a criminal operation established in 2021 called Gold Victor, which operated a ransomware scheme called Vice Society. The attack on the British Library is one of several high-profile attacks carried out under the new name. It's likely that the group is based in Russia, Belarus or Kazakhstan, as it follows the patterns of similar operatives from this region.

How does the attack work?

The gang behind Rhysida also offers the ransomware as a service (RaaS), and criminals using it employ several techniques to infiltrate their victims' systems. These include using organisations' virtual private networks or using phishing techniques to get employees of the target company to reveal confidential information such as passwords.

In the case of the British Library, the group used a double extortion technique. In addition to demanding a ransom, it posted low-resolution images of personal information gathered in the attack online, offering the stolen data for sale on its leak site for around 20 bitcoin.

Which types of companies are vulnerable?

US government agencies recently released a warning note on this ransomware stating that it “has predominantly been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023.” However, given that the ransomware is being sold to other gangs, it likely won't be limited to these sectors. To date, in addition to the British Library attack, Rhysida has also affected government institutions in Portugal, Chile and Kuwait.

How to protect yourself against an attack

There are a few steps you can take to mitigate this type of attack, according to the US government agencies’ cybersecurity advisory. Firstly, prioritise fixing known exploited vulnerabilities. Secondly, enable multi-factor authentication for all services where possible (including VPNs), and finally segment networks to prevent the spread of ransomware.