Rhysida Ransomware Hits Engedi: $94K Bitcoin Ransom Demanded
Incident Date:
August 22, 2024
Overview
Victim
Engedi
Attacker
Rhysida
Location
First Reported
August 22, 2024
Rhysida Ransomware Group Targets Engedi: A Detailed Analysis
Engedi, a not-for-profit disability support organization based in Mackay, Queensland, is the latest victim claimed by the Rhysida ransomware group. The attack became public on August 22, 2024, when Rhysida listed Engedi on its darknet leak site, claiming to have exfiltrated sensitive data and threatening to publish it unless a ransom of 10 bitcoin (approximately $94,000 AUD) is paid.
About Engedi
Established in 1985, Engedi provides support services for people with disabilities, including group skills programs, therapy support, NDIS plan management, and individual support. The organization employs between 11 and 20 people, which allows a personalized approach to service delivery. Its long-standing presence and contribution to disability support services have made it a recognized part of the Mackay community. An organization of this size holding client identity documents, health-related records and payment details is an attractive target for data-extortion groups.
Attack Overview
The Rhysida ransomware group claims to have exfiltrated sensitive data from Engedi’s network, including passport scans, identity documents, an account application, and a credit card scan. A low-resolution photomontage shared on their dark web portal includes at least one document linked to an Engedi staff member. The group has given Engedi 6–7 days to pay the ransom before the data is published.
About Rhysida Ransomware Group
Rhysida is a relatively new ransomware operation, first observed in May 2023. The group primarily targets healthcare, education, manufacturing, information technology, and government organizations. The Rhysida ransomware payload is written in C++ and targets the Windows operating system. The group practices double extortion: it steals data before encrypting it and then threatens to publish the stolen data unless a ransom is paid, so restoring from backups alone does not remove the pressure. Rhysida uses the ChaCha20 stream cipher to encrypt files and drops its ransom note as a PDF document named “CriticalBreachDetected.pdf.”
Penetration and Vulnerabilities
Rhysida intrusions typically begin with phishing or with valid credentials used against external-facing remote services such as VPNs; accounts without multi-factor authentication are the usual way in. Once inside a victim's network, the operators enumerate the domain with built-in net commands and tools such as Advanced IP Scanner and Advanced Port Scanner, then move laterally with the Sysinternals PsExec utility. How Engedi was breached has not been disclosed. Small and medium-sized organizations in its position commonly have limited cybersecurity resources and gaps in phishing awareness training, and those are exactly the weaknesses the techniques above exploit.
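The tradecraft described in the two sections above leaves ordinary Windows telemetry behind: process creation events for the scanners and net commands, a service-installation event when PsExec drops its PSEXESVC service, and file-creation events for the ransom note. The following added example (not code from this page, from Engedi, or from the Rhysida tooling) runs a small set of detection rules over constructed log lines. It assumes a SIEM export that flattens Windows Security, System and Sysmon events to one JSON object per line with the field names used below; the `.rhysida` file extension is taken from public reporting on this family and is not mentioned on this page.

```python
"""Toy detections for Rhysida-style intrusion activity.

Added example; not code from the page, Engedi or Rhysida. Event format and
field names are assumptions (a SIEM export with one JSON object per line).
"""
import json
import re
from collections import defaultdict

# Constructed sample events (assumption: Security, System and Sysmon channels
# flattened into one JSON-lines export). Not real Engedi telemetry.
SAMPLE_LOG = r'''
{"ts":"2024-08-20T02:14:51Z","host":"FS01","channel":"Security","event_id":4688,"user":"svc_backup","image":"C:\\Users\\Public\\advanced_ip_scanner.exe","cmdline":"advanced_ip_scanner.exe /r /s 10.0.0.0/16"}
{"ts":"2024-08-20T02:16:09Z","host":"FS01","channel":"Security","event_id":4688,"user":"svc_backup","image":"C:\\Windows\\System32\\net.exe","cmdline":"net group \"Domain Admins\" /domain"}
{"ts":"2024-08-20T02:20:30Z","host":"DC01","channel":"System","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2024-08-20T02:25:12Z","host":"FS01","channel":"Sysmon","event_id":11,"image":"C:\\Windows\\Temp\\svchost.exe","target":"D:\\Shares\\Clients\\CriticalBreachDetected.pdf"}
{"ts":"2024-08-20T02:25:13Z","host":"FS01","channel":"Sysmon","event_id":11,"image":"C:\\Windows\\Temp\\svchost.exe","target":"D:\\Shares\\Clients\\intake_form.docx.rhysida"}
{"ts":"2024-08-20T09:00:00Z","host":"WS07","channel":"Security","event_id":4688,"user":"jsmith","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
'''

# Built-in net/net1 commands used for domain and share enumeration.
NET_RECON = re.compile(r"\bnet1?(?:\.exe)?\s+(?:group|user|localgroup|view|share)\b", re.I)
SCANNERS = {"advanced_ip_scanner.exe", "advanced_port_scanner.exe"}
RANSOM_NOTE = "criticalbreachdetected.pdf"
ENCRYPTED_EXT = ".rhysida"


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the detection an event triggers as 'stage:name', or None."""
    channel, eid = ev.get("channel"), ev.get("event_id")
    if channel == "Security" and eid == 4688:        # process creation
        if basename(ev.get("image", "")) in SCANNERS:
            return "recon:network_scanner"
        if NET_RECON.search(ev.get("cmdline", "")):
            return "recon:net_enumeration"
    elif channel == "System" and eid == 7045:        # new service installed
        # Default PsExec service name; 'psexec -r' renames it, so also
        # watch for any new service whose binary lands in %SystemRoot%.
        blob = (ev.get("service_name", "") + ev.get("image_path", "")).lower()
        if "psexesvc" in blob:
            return "lateral:psexec_service"
    elif channel == "Sysmon" and eid == 11:          # file created
        target = ev.get("target", "")
        if basename(target) == RANSOM_NOTE:
            return "impact:rhysida_ransom_note"
        if target.lower().endswith(ENCRYPTED_EXT):
            return "impact:rhysida_encrypted_file"
    return None


def detect(text):
    """Run every rule over the export and return the findings in log order."""
    findings = []
    for ev in parse_events(text):
        rule = classify(ev)
        if rule:
            findings.append({"ts": ev["ts"], "host": ev["host"], "rule": rule})
    return findings


def hosts_with_chain(findings, min_stages=2):
    """Hosts where more than one intrusion stage fired: the triage priority list."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["rule"].split(":")[0])
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["host"], f["rule"])
    print("escalate:", hosts_with_chain(found))
```

On the constructed input FS01 trips both recon rules and both impact rules, DC01 shows only the PsExec service install, and the notepad event on WS07 is ignored. The stage-chaining step matters more than any single rule: a lone net group query is routine administration, but recon followed by a ransom note on the same host within minutes is an incident, and the PsExec event on the domain controller tells the responder where the operator pivoted from.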
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, the groups behind them and their victims. Because the model has proven so lucrative for threat actors, ransomware has become one of the most widespread and damaging cyber threats to businesses and organizations today, both financially and in terms of the data exposed.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.