Rhysida attacks General Directorate of Migration of the Dominican-Republic

Incident Date:

October 4, 2023

World map



Rhysida attacks General Directorate of Migration of the Dominican-Republic


General Directorate of Migration of the Dominican-Republic




Santa Domingo, Dominican Republic

Greater Santa Domingo, Dominican Republic

First Reported

October 4, 2023

Rhysida Ransomware Gang Attacks the General Directorate of Migration of the Dominican Republic

The Rhysida ransomware gang has attacked the General Directorate of Migration of the Dominican-Republic. The General Directorate of Migration (Dirección General de Migración or DGM) in the Dominican Republic is the government agency responsible for overseeing immigration and migration-related matters within the country. It plays a crucial role in regulating the entry and exit of foreign nationals, enforcing immigration laws, and ensuring the orderly movement of people in and out of the Dominican Republic.

Rhysida posted the General Directorate of Migration of the Dominican-Republic to its data leak site on October 4th but provided no further details.

The Emergence of Rhysida Ransomware Group

The Rhysida ransomware group emerged in May 2023 and introduced a victim support chat portal on the TOR network. They present themselves as a "cybersecurity team" and claim to be helping their victims by targeting their systems and exposing potential security issues.

Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns. Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain standard features in contemporary ransomware, such as VSS removal. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.

Attack Methodology and Victim Communication

Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal.

Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers. The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.