Rhysida attacks ORT Hermelin College of Engineering
Date:
September 25, 2023
Overview
Title
Rhysida attacks ORT Hermelin College of Engineering
Victim
ORT Hermelin College of Engineering
Attacker
Rhysida
Location
Size of Attack
Unknown/TBD
First Reported
September 25, 2023
Last Updated
October 31, 2022
The Rhysida ransomware gang has attacked the ORT Harmelin College of Engineering. ORT Hermelin College of Engineering is an academic institution located in Netanya, Israel. ORT is a global network of educational and vocational training organizations, and ORT Hermelin College of Engineering is one of its institutions. Rhysida posted the ORT Harmelin College of Engineering to its data leak site on September 25th, demanding a $26,000 ransom for the safe return of stolen data. Rhysida is a RaaS that was first observed on May 17, 2023, Rhysida has been observed deploying Cobalt Strike or similar command-and-control frameworks and abusing PSExec for lateral movement, dropping PowerShell scripts, and for payload delivery. They engage in data exfiltration for double extortion and maintain both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US. Rhysida has been steadily increasing their attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida appears to be opportunistic attackers with a similar victimology as Vice Society. IT remains unclear how much Rhysida operators typically demand for a ransom payment at this time. Rhysida appears to have a fairly advanced RaaS offering, with capabilities that include advanced evasion techniques that can bypass antivirus protection, the wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption, and the ability to modify Remote Desktop Protocol (RDP) configuration. Rhysida employs 4096-bit RSA key and AES-CTR for file encryption. Rhysida does not appear to be targeting Linux systems, maintaining a focus on Windows targets. TTPs are similar to those of Vice Society, which has been less active as Rhysida has emerged. Rhysida has been observed targeting the healthcare, education, government, manufacturing, and tech industries. Rhysida operators purport to be a “cybersecurity team” conducting unauthorized “penetration testing” to ostensibly “help” victim organizations identify potential security issues and secure their networks. The subsequent ransom demand is viewed as “payment” for their services.
This attack's description was not found, while we work on the detailed account of this attack we invite you to browse through other recent Rasomware Attacks in the table below.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.