Rhysida Ransomware Hits Seattle's White Center Community Development Association

Incident Date: August 13, 2024

Overview

Victim: The White Center Community Development Association
Attacker: Rhysida
Location: White Center, Washington, USA
First Reported: August 13, 2024

Rhysida Ransomware Group Targets The White Center Community Development Association

The White Center Community Development Association (WCCDA), a nonprofit organization dedicated to community development and economic empowerment in Seattle, Washington, has fallen victim to a ransomware attack by the Rhysida ransomware group. The attack was discovered on August 14, 2024, and Rhysida has threatened to publish the organization's data within 6-7 days, already providing sample screenshots on their Dark Web portal.

About The White Center Community Development Association

Established in 2002, the WCCDA is a nonprofit organization focused on revitalizing the North Highline area of Washington. The organization operates under the 501(c)(3) tax-exempt status and engages in various initiatives aimed at addressing the needs and interests of the local community. These initiatives include economic development, family support, and community building. The WCCDA is known for its grassroots approach to community development, focusing on inclusivity, cultural celebration, and collaboration with residents.

One of the standout aspects of WCCDA's work is its focus on anti-displacement efforts, advocating for policies and programs that protect residents from being pushed out of their homes due to rising costs or development pressures. The organization has also been successful in securing funding to support its initiatives, such as a $200,000 grant from Bank of America.

Attack Overview

The Rhysida ransomware group has claimed responsibility for the attack on WCCDA. The group's dark web leak site has already posted sample screenshots of the stolen data, indicating the severity of the breach. The WCCDA's website, wccda.org, has been identified as part of the attack. The ransomware group has given the organization a 6-7 day window to comply with their demands before they publish the stolen data.

About Rhysida Ransomware Group

First sighted in May 2023, the Rhysida ransomware group has quickly made a name for itself in the cybercrime arena. The group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and specifically targets the Windows Operating System. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it unless a ransom is paid.

Rhysida's ransomware is deployed through various methods, including phishing campaigns. Once executed, the ransomware scans all files on local drives and encrypts them using the ChaCha20 encryption algorithm. The ransom notes are generated as PDF documents named “CriticalBreachDetected.pdf” and are saved within the affected folders. Victims are instructed to reach out to the attackers through a TOR-based portal, using a unique identifier provided in the ransom notes. Rhysida exclusively accepts Bitcoin payments.
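
A defender can use the note-dropping behaviour described above as a detection signal. The following is an added example, not code from the original page or from any vendor: it flags a process that creates the ransom note in several folders within a short window. The event tuple layout, host names, process paths, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

NOTE_NAME = "criticalbreachdetected.pdf"  # ransom note name reported in the article
WINDOW = timedelta(minutes=5)             # assumption: burst window
MIN_DIRS = 3                              # assumption: distinct folders before alerting

# Constructed file-creation events: (host, timestamp, process image, created file).
SAMPLE_EVENTS = [
    ("WS-014", "2024-01-10T02:11:05", r"C:\Users\Public\svc.exe", r"C:\Users\amy\Documents\CriticalBreachDetected.pdf"),
    ("WS-014", "2024-01-10T02:11:06", r"C:\Users\Public\svc.exe", r"C:\Users\amy\Documents\budget.xlsx"),
    ("WS-014", "2024-01-10T02:11:09", r"C:\Users\Public\svc.exe", r"C:\Users\amy\Desktop\criticalbreachdetected.pdf"),
    ("WS-014", "2024-01-10T02:11:20", r"C:\Users\Public\svc.exe", r"D:\Shares\Grants\CriticalBreachDetected.pdf"),
    ("WS-014", "2024-01-10T02:11:31", r"C:\Users\Public\svc.exe", r"D:\Shares\HR\CriticalBreachDetected.pdf"),
    # A single copy saved by a browser: name matches, behaviour does not.
    ("WS-022", "2024-01-10T09:40:00", r"C:\Program Files\Browser\browser.exe", r"C:\Users\lee\Downloads\CriticalBreachDetected.pdf"),
    # Same name in three folders, but hours apart: outside the burst window.
    ("WS-031", "2024-01-10T01:00:00", r"C:\Tools\sync.exe", r"C:\A\CriticalBreachDetected.pdf"),
    ("WS-031", "2024-01-10T03:00:00", r"C:\Tools\sync.exe", r"C:\B\CriticalBreachDetected.pdf"),
    ("WS-031", "2024-01-10T05:00:00", r"C:\Tools\sync.exe", r"C:\C\CriticalBreachDetected.pdf"),
]


def detect_note_bursts(events, window=WINDOW, min_dirs=MIN_DIRS):
    """Alert once per (host, process) that drops the note in >= min_dirs folders within window."""
    drops = defaultdict(list)
    for host, ts, image, target in events:
        path = PureWindowsPath(target)
        if path.name.lower() == NOTE_NAME:  # Windows file names are case-insensitive
            drops[(host, image.lower())].append((datetime.fromisoformat(ts), str(path.parent).lower()))

    alerts = []
    for (host, image), hits in drops.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            folders = {folder for _, folder in hits[start:end + 1]}
            if len(folders) >= min_dirs:  # alert as soon as the threshold is reached
                alerts.append({"host": host, "image": image,
                               "first_seen": hits[start][0], "folders": sorted(folders)})
                break
    return alerts
```

On the constructed events only WS-014 alerts; the single browser download and the slow three-folder case stay below the threshold.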

Potential Vulnerabilities

The WCCDA, like many nonprofit organizations, may have vulnerabilities that make it an attractive target for ransomware groups. These could include limited cybersecurity resources, outdated software, and a lack of comprehensive security protocols. The organization's reliance on donations and grants for funding may also make it more susceptible to financial extortion.
