Ransomware Attack on Olympus Financial by Rhysida Group

Olympus Financial, a prominent mortgage broker based in Miami, Florida, has recently fallen victim to a ransomware attack orchestrated by the Rhysida group. The attack, which occurred in June, has compromised sensitive information, including names, Social Security numbers, banking details, contact information, addresses, and dates of birth.

About Olympus Financial

Olympus Financial operates primarily in the realm of financial services, offering a variety of solutions tailored to meet the needs of both individual and business clients. Their offerings include financing for medical and industrial equipment, as well as personal and business loans. The company is known for its flexibility in financing solutions, which can be customized to support the specific financial objectives of healthcare providers and businesses alike. Their nationwide team of financing professionals is dedicated to structuring solutions that assist clients in managing the lifecycle of their technology assets effectively.

Attack Overview

The Rhysida ransomware group has demanded a ransom of 10 BTC, approximately $595,000, threatening to publish the organization's data within 6–7 days if their demands are not met. Rhysida has already provided sample screenshots of the compromised data on their dark web portal. Olympus Financial notified victims of the data breach on July 31. The breach affected files stored in the company’s on-site database, while client information in an off-site database remained secure. The number of individuals impacted by the breach has not been disclosed, and there has been no mention of offering free credit monitoring or identity theft protection to those affected. The ransom deadline is set for August 28.

About Rhysida Ransomware Group

The Rhysida Ransomware Group is a new player in the cybercrime arena, first sighted in May 2023. This group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and specifically targets the Windows Operating System. The group employs a double extortion technique, stealing data from victim networks before encrypting it and threatening to publish it on the dark web unless a ransom is paid. Rhysida has shown an unpredictable pattern of activity, with a surge in attacks in November 2023, securing a position in the Top 10 ransomware groups by victims in the months of June and July.

Penetration and Vulnerabilities

Rhysida primarily relies on leveraging valid credentials and establishing network connections through VPN for initial access. Upon infiltrating a victim's network, the group employs net commands and leverages tools like Advance IP/Port Scanner to enumerate victim environments and gather critical information about domains. Rhysida leverages Sysinternals tools like PsExec to deploy ransomware on target systems for lateral movement. The breach at Olympus Financial highlights the vulnerabilities in their on-site database security, which was compromised while their off-site database remained secure.

Sources

• Olympus Financial
• SOCRadar - Rhysida Ransomware
• Logpoint - Uncovering Rhysida
• Cyfirma - Weekly Intelligence Report
• Fortinet - Investigating Rhysida