Queens County Public Administrator Hit by Rhysida Ransomware, Data Breach Confirmed

Incident Date: July 20, 2024

Overview

Victim: Queens County Public Administrator
Attacker: Rhysida
Location: Jamaica, New York, USA
First Reported: July 20, 2024

Ransomware Attack on Queens County Public Administrator

Overview of the Attack

The Queens County Public Administrator, a government agency responsible for managing the estates of deceased individuals in Queens County, New York, has been targeted by the Rhysida ransomware group. The attack was discovered on July 22, 2024, and has raised significant concerns about the security of sensitive information managed by the agency. The exact size of the data breach remains unknown, but the incident underscores the growing threat of ransomware attacks on public institutions.

About the Victim

The Queens County Public Administrator operates within the government sector, specifically tasked with administering the estates of deceased individuals who have no one else to manage their affairs. The office is located in Jamaica, New York, and employs between 11 and 50 people. The agency plays a crucial role in ensuring that estates are handled properly, particularly where there is no designated executor or no heir willing or able to take on the responsibility. Its work covers asset management, debt settlement, liquidation of assets, and distribution of the remaining assets according to New York State law.

Vulnerabilities and Targeting

Public institutions like the Queens County Public Administrator are often targeted by ransomware groups due to their critical role in managing sensitive information and their reliance on legacy systems. The agency's responsibilities include handling financial accounts, real estate, and personal property, making it a lucrative target for cybercriminals. The limited size of the team and potential underfunding in cybersecurity measures may have contributed to the vulnerabilities exploited by the Rhysida ransomware group.

About the Rhysida Ransomware Group

The Rhysida Ransomware Group is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and targets the Windows Operating System. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it on the dark web unless a ransom is paid. Rhysida uses the ChaCha20 encryption algorithm and generates ransom notes as PDF documents named “CriticalBreachDetected.pdf.”

Penetration Methods

Rhysida typically gains its initial foothold through phishing campaigns; the group also relies on valid credentials and establishes network connections through VPN for initial access. Once executed, the ransomware scans all files on local drives and encrypts them. Tools such as Advanced IP Scanner, Advanced Port Scanner and Sysinternals PsExec are used for lateral movement within the victim's network. In the encryption phase the ransomware combines a 4096-bit RSA key with the ChaCha20 algorithm, which makes the encrypted files very hard to recover without paying the ransom.
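As an added illustration of how a defender could look for the tooling named above (this is not code from the tracker or from any incident response), the Python below runs three indicator rules over constructed Windows-style event lines: installation of PsExec's PSEXESVC service, a launch of Advanced IP Scanner, and a write of the CriticalBreachDetected.pdf ransom note, then escalates any host where the PsExec install precedes the note. The log format, host names and the advanced_ip_scanner.exe binary name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events, "timestamp|host|event_id|detail" (not real incident data).
SAMPLE_LOG = """\
2024-07-20T02:14:02|WS-FIN-07|4688|NewProcess=C:\\Tools\\advanced_ip_scanner.exe
2024-07-20T02:31:45|SRV-FILE-01|7045|ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2024-07-20T02:33:10|SRV-FILE-01|4688|NewProcess=C:\\Windows\\PSEXESVC.exe
2024-07-20T03:05:59|SRV-FILE-01|4663|ObjectName=E:\\Estates\\CriticalBreachDetected.pdf Access=WriteData
2024-07-20T03:06:01|SRV-FILE-01|4663|ObjectName=E:\\Estates\\case_1122.docx Access=WriteData
2024-07-20T08:00:00|WS-HR-02|7045|ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe
"""

# (rule name, Windows event id, pattern over the detail field, description)
RULES = [
    ("psexec_service", 7045, re.compile(r"ServiceName=PSEXESVC\b", re.I), "PsExec service installed (lateral movement)"),
    ("ip_scanner", 4688, re.compile(r"advanced_ip_scanner", re.I), "Advanced IP Scanner run (binary name assumed)"),
    ("ransom_note", 4663, re.compile(r"CriticalBreachDetected\.pdf", re.I), "Rhysida ransom note written"),
]

def parse(line):
    ts, host, event_id, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "event_id": int(event_id), "detail": detail}

def detect(log_text):
    """Map each host to the time-ordered (timestamp, rule, description) hits in its events."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        for name, event_id, pattern, desc in RULES:
            # A rule fires only when both the event id and the detail pattern match.
            if ev["event_id"] == event_id and pattern.search(ev["detail"]):
                hits[ev["host"]].append((ev["ts"], name, desc))
    return {host: sorted(h) for host, h in hits.items()}

def escalate(hits):
    """Hosts where a PsExec service install precedes a ransom-note write: treat as active encryption."""
    critical = []
    for host, events in hits.items():
        names = [name for _, name, _ in events]  # already time-ordered by detect()
        if {"psexec_service", "ransom_note"} <= set(names) and \
                names.index("psexec_service") < names.index("ransom_note"):
            critical.append(host)
    return critical
```

Running detect(SAMPLE_LOG) flags WS-FIN-07 for the scanner and SRV-FILE-01 for both the PsExec service and the ransom note; escalate() then returns only SRV-FILE-01.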

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
