The ransomware gang posted sample documents and demanded an $85,000 ransom to prevent publication.
The Rhysida ransomware gang kicked off September by listing Australian backpack maker White Mountain Backpacks.
The gang posted details of the alleged hack on 1 September and set a ransom deadline of 7 September.
The cyber criminals are demanding a ransom of 10 bitcoins, which is worth approximately $85,000 at the time of writing.
“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data,” Rhysida’s boilerplate post said.
“Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!”
Rhysida generally doesn’t care who buys its data – the victim, or another dark web denizen.
The gang also copied a description of White Mountain Backpacks from the company’s own website.
“Our personal experience comes from the partners’ combined 70 years of recreational and military backpack usage, 15 years of wholesaling backpacks within Australia, and 36 years of retailing and manufacturing design,” it said.
Rhysida also shared images of 20 documents allegedly stolen in the attack as proof of a successful hack. The images are very low resolution and highly pixelated, so their contents are difficult to make out, but there appear to be at least one trust account statement, scans of several receipts and other signed documents, and screenshots of several spreadsheets.
The gang did not list the amount of data it claimed to have stolen, just the sample images.
Neither White Mountain Backpacks’ name nor its logo can be made out in any of the images, and White Mountain Backpacks has not replied to Cyber Daily’s request for comment.
The most recent Australian company to be listed on Rhysida’s dark web leak site was Queensland-based registered NDIS provider Engedi, listed on 22 August. The gang claimed 14 victims in August, including The Washington Times and the Sumter County Sheriff’s Office in the United States.
Rhysida – which takes its name from the genus of centipedes – has claimed 139 recorded attacks since its inception, with the vast majority of those in the US.
Rik Ferguson, Vice President of Security Intelligence at Forescout, had some intelligence to share on the gang and its operations.
“Probably the most remarkable thing about Rhysida is that it looks to be a young ransomware strain operating in a Ransomware as a Service (RaaS) model, where various affiliates make use of the ransomware for attacks and the profit is divided between the affiliates and the malware authors,” Ferguson told Cyber Daily.
“The attacks appear to be relatively manual and human-driven rather than widely automated, making use of stolen credentials, phishing and the exploitation of relatively old vulnerabilities. The attackers evade detection once inside a victim’s organisation by ‘living off the land’ using legitimate tools such as RDP, VPN connections, PSExec, and PowerShell. We fully expect the Rhysida ransomware to continue adding capabilities over the months to come.”
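As an added defender-side illustration (not from the article or from Forescout), the script below runs a small detection pass over constructed Windows Service Control Manager records and flags the service installs that PsExec-style remote execution leaves behind. The JSON field names, sample events and heuristics are assumptions for the example, not a vendor signature.

```python
"""Flag PsExec-style remote service installs in Windows System log records.

Event ID 7045 is written by the Service Control Manager when a new service is
installed. PsExec works by copying a service binary to the ADMIN$ share (the
Windows directory) and registering it, by default under the name PSEXESVC.
The sample events below are constructed for this example.
"""
import json
import re
from typing import Iterator, List, Optional, Tuple

# Constructed JSON-per-line events (assumed field names), not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "FS01", "ServiceName": "Windows Update Helper", "ImagePath": "C:\\Windows\\svchelper.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "Computer": "WS22", "ServiceName": "Sense", "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe", "AccountName": "LocalSystem"}
{"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "admin"}
"""

# Default PsExec service name (heuristic 1).
KNOWN_NAMES = re.compile(r"^psexesvc$", re.IGNORECASE)
# A service binary sitting directly in the Windows directory (the ADMIN$ share
# root) rather than in a subfolder is how PsExec-style tools drop their
# executable, even when the service has been renamed (heuristic 2, assumption).
ADMIN_SHARE_ROOT = re.compile(
    r"^(?:%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.IGNORECASE)


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify_service_install(event: dict) -> Optional[str]:
    """Return a finding label for a suspicious 7045 event, else None."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "").strip('"')
    if KNOWN_NAMES.match(name) or "psexesvc" in path.lower():
        return "psexec-default-service"
    if ADMIN_SHARE_ROOT.match(path):
        return "service-binary-in-admin-share-root"
    return None


def find_findings(text: str) -> List[Tuple[str, str, str]]:
    """(computer, service name, label) for each flagged install, in log order."""
    return [(ev["Computer"], ev["ServiceName"], label)
            for ev in parse_events(text)
            if (label := classify_service_install(ev))]


if __name__ == "__main__":
    for computer, svc, label in find_findings(SAMPLE_EVENTS):
        print(f"{computer}: service '{svc}' -> {label}")
```

Because the second heuristic keys on where the binary lands rather than on the service name, a renamed PsExec service is still surfaced, while the legitimate Defender service in a Program Files subfolder is not.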
UPDATED 03/09/24 to add comment from Rik Ferguson.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.