Rhysida Ransomware Hits Engedi: $94K Bitcoin Ransom Demanded

Incident Date: August 22, 2024

Overview

Title: Rhysida Ransomware Hits Engedi: $94K Bitcoin Ransom Demanded

Victim: Engedi

Attacker: Rhysida

Location: Beaconsfield, Australia

First Reported: August 22, 2024

Rhysida Ransomware Group Targets Engedi: A Detailed Analysis

Engedi, a not-for-profit organization based in Mackay, Queensland, has become the latest victim of a ransomware attack by the Rhysida group. The attack was publicly disclosed on August 22, when Rhysida listed Engedi on their darknet leak site, claiming to have exfiltrated sensitive data and threatening to publish it unless a ransom of 10 bitcoin (approximately $94,000 AUD) is paid.

About Engedi

Established in 1985, Engedi is dedicated to providing support services for individuals with disabilities. The organization offers a range of services, including group skills programs, therapy support, NDIS plan management, and individual support. Engedi employs between 11 and 20 people, allowing for a personalized approach to service delivery. The organization is recognized for its commitment to enhancing the quality of life for its clients and stands out in the community for its long-standing presence and significant contributions to disability support services.

Attack Overview

The Rhysida ransomware group claims to have exfiltrated sensitive data from Engedi’s network, including passport scans, identity documents, an account application, and a credit card scan. A low-resolution photomontage shared on their dark web portal includes at least one document linked to an Engedi staff member. The group has given Engedi 6–7 days to pay the ransom before the data is published.

About Rhysida Ransomware Group

Rhysida is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets sectors such as healthcare, education, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and targets the Windows operating system. The group employs a double-extortion technique: it steals data before encrypting it and threatens to publish that data unless a ransom is paid. Rhysida uses the ChaCha20 encryption algorithm and drops its ransom notes as PDF documents named “CriticalBreachDetected.pdf.”

Penetration and Vulnerabilities

Rhysida typically relies on phishing campaigns to deploy its ransomware. For initial access the group uses valid credentials and connects to the victim network over VPN. Once inside, it runs net commands and tools such as Advanced IP/Port Scanner to enumerate domain information, and uses Sysinternals tools like PsExec for lateral movement. Engedi’s exposure likely stems from the challenges common to small and medium-sized organizations, such as limited cybersecurity resources and potential gaps in employee training on phishing threats.
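A defender-side illustration of the tradecraft described above, added here and not part of the original report: it scans constructed, simplified Sysmon-style events for net.exe domain enumeration, PsExec use (including the PSEXESVC service PsExec installs on the target host, a known PsExec behaviour not mentioned above), and the CriticalBreachDetected.pdf note, and flags hosts where two or more of these stages co-occur. All hostnames, paths and command lines are made up.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (simplified Sysmon-style process/file events); not real data.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "kind": "process", "image": r"C:\Users\Public\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS01 -s -d cmd.exe"},
    {"host": "FS01", "kind": "process", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "FS01", "kind": "file", "path": r"D:\Shares\Finance\CriticalBreachDetected.pdf"},
    {"host": "WS07", "kind": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\FS01\Public"},  # benign drive mapping, should not match
]

RANSOM_NOTE = "criticalbreachdetected.pdf"             # note file name reported for Rhysida
RECON_VERBS = {"group", "user", "view", "localgroup"}  # net.exe verbs used for enumeration

def classify(event):
    """Map one event to a tactic label, or None if it matches nothing."""
    if event["kind"] == "file":
        name = PureWindowsPath(event["path"]).name.lower()
        return "ransom_note" if name == RANSOM_NOTE else None
    exe = PureWindowsPath(event["image"]).name.lower()
    args = event["cmdline"].lower().split()
    if exe in {"net.exe", "net1.exe"} and len(args) > 1 and args[1] in RECON_VERBS:
        return "recon"
    # PsExec on the operator side; PSEXESVC is the service PsExec installs on the target.
    if exe in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}:
        return "lateral_movement"
    return None

def triage(events):
    """Return {host: sorted tactic labels} for hosts showing two or more distinct tactics."""
    seen = defaultdict(set)
    for event in events:
        label = classify(event)
        if label:
            seen[event["host"]].add(label)
    return {host: sorted(tactics) for host, tactics in seen.items() if len(tactics) >= 2}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Single matches (for example one net group call) are deliberately not reported; correlating stages per host keeps the noise down on ordinary administrative use.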

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them, and their victims. Given the lucrative success threat actors have had so far, ransomware has become the most widespread and the most financially and informationally damaging cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.