Rhysida Ransomware Group Targets The White Center Community Development Association

The White Center Community Development Association (WCCDA), a nonprofit organization dedicated to community development and economic empowerment in Seattle, Washington, has fallen victim to a ransomware attack by the Rhysida ransomware group. The attack was discovered on August 14, 2024, and Rhysida has threatened to publish the organization's data within 6-7 days, already providing sample screenshots on their Dark Web portal.

About The White Center Community Development Association

Established in 2002, the WCCDA is a nonprofit organization focused on revitalizing the North Highline area of Washington. The organization operates under the 501(c)(3) tax-exempt status and engages in various initiatives aimed at addressing the needs and interests of the local community. These initiatives include economic development, family support, and community building. The WCCDA is known for its grassroots approach to community development, focusing on inclusivity, cultural celebration, and collaboration with residents.

One of the standout aspects of WCCDA's work is its focus on anti-displacement efforts, advocating for policies and programs that protect residents from being pushed out of their homes due to rising costs or development pressures. The organization has also been successful in securing funding to support its initiatives, such as a $200,000 grant from Bank of America.

Attack Overview

The Rhysida ransomware group has claimed responsibility for the attack on WCCDA. The group's dark web leak site has already posted sample screenshots of the stolen data, indicating the severity of the breach. The WCCDA's website, wccda.org, has been identified as part of the attack. The ransomware group has given the organization a 6-7 day window to comply with their demands before they publish the stolen data.

About Rhysida Ransomware Group

First sighted in May 2023, the Rhysida ransomware group has quickly made a name for itself in the cybercrime arena. The group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and specifically targets the Windows Operating System. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it unless a ransom is paid.

Rhysida's ransomware is deployed through various methods, including phishing campaigns. Once executed, the ransomware scans all files on local drives and encrypts them using the ChaCha20 encryption algorithm. The ransom notes are generated as PDF documents named “CriticalBreachDetected.pdf” and are saved within the affected folders. Victims are instructed to reach out to the attackers through a TOR-based portal, using a unique identifier provided in the ransom notes. Rhysida exclusively accepts Bitcoin payments.

Potential Vulnerabilities

The WCCDA, like many nonprofit organizations, may have vulnerabilities that make it an attractive target for ransomware groups. These could include limited cybersecurity resources, outdated software, and a lack of comprehensive security protocols. The organization's reliance on donations and grants for funding may also make it more susceptible to financial extortion.

• White Center Now - White Center Community Development Association
• WCCDA Official Website
• SOCRadar - Threat Profile: Rhysida Ransomware
• Logpoint - Uncovering Rhysida and Their Activities
• Cyfirma - Weekly Intelligence Report