Rhysida attacks Malaysian Industrial Development Finance
Date:
April 7, 2024
Overview
Title
Rhysida attacks Malaysian Industrial Development Finance
Victim
Malaysian Industrial Development Finance
Attacker
Rhysida
Location
Size of Attack
Unknown/TBD
First Reported
April 7, 2024
Last Updated
October 31, 2022
The Rhysida ransomware group has allegedly attacked the Malaysian Industrial Development Finance (MIDF) organization. The gang posted a message with a countdown of just seven days and urged potential buyers to seize the opportunity to buy exclusive and sensitive data from the institution. MIDF Group is a wholly-owned subsidiary of Malaysia Building Society Berhad (MBSB). It is a financial services provider in three core business areas: investment banking, development finance, and asset management. Rhysida is a RaaS that was first observed in May of 2023 and has become one of the more prevalent threats in the latter half of 2023. Rhysida engages in data exfiltration for double extortion and maintains both a leak site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and, more recently, against Prospect Medical Holdings, which impacted services at hundreds of clinics and hospitals across the US. In Q4-2023, the FBI and CISA released a joint advisory on Rhysida operations. Rhysida has been steadily increasing its attack volume and continuing to expand the targeted industries, but the volume is modest compared to that of its leaders. Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns. Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain standard features, such as VSS removal, which are standard in contemporary ransomware. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly. Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal. Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers. The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.
This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.