Share this article on:
A second ransomware gang claims to have accessed the network of Melbourne IT firm Core Desktop.
Core Desktop is the third-party supplier involved in last week’s TissuPath hack, which saw diagnostic and patient records posted on the dark web leak site of notorious ransomware gang LockBit. Real estate agent Barry Plant's Blackburn branch and strata provider Strata Plan were also impacted by the data breach.
However, this time, the relatively new ransomware gang Rhysida is the culprit, having posted a selection of scanned passport and credit card images (including card backs) to its own leak site by way of proof-of-hack.
“With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data,” Rhysida’s said on its leak site. “Open your wallets and be ready to buy exclusive data. We sell only to one hand, you will be the only owner.”
The current asking price is five Bitcoin, which as of writing equates to a shade over $200,000. Rhysida has not published the size of the data leak. The ransomware gang has said it will publish the data within four days, presumably if the victim has not paid a ransom nor a buyer comes forward.
After last week’s breach, Core Desktop sent a letter to its clients informing them of the incident.
“Our cyber forensic team do not have a firm understanding of the origins of the entry, but initial suggestions are that it was from a targeted client-side phishing attack which infiltrated our control systems, impersonated privileged accounts and encrypted some servers,” the letter said, as reported by the ABC.
“They appear to have acted in a focused fashion and threatened a small number of Core Desktop clients.”
Core Desktop’s managing director, Rod Bloom, also told the ABC: “We’re not really aware of what information has been compromised – it’s not our data, so we don’t know.”
Cyber Security Connect spoke to Bloom about this second incident, but he declined to comment.
Rhysida is a relative newcomer to ransomware activity. The group was first noted in May 2023, and its techniques, tactics, and procedures suggest a group still finding its feet. Some of the functionality of its ransomware seems currently inoperative.
The group has been seen to engage in extortion of its victims and has posted the data of 42 victims so far, including 186 gigabytes of data exfiltrated from Australian healthcare company Optimum Health Solutions in August.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.