Rhysida Ransomware Hits The Washington Times, $300K Ransom Demanded

Incident Date: August 14, 2024

Overview

Victim: The Washington Times
Attacker: Rhysida
Location: Washington, USA; Washington, D.C., USA
First Reported: August 14, 2024

Rhysida Ransomware Group Targets The Washington Times in Major Cyberattack

The Washington Times, a prominent American conservative newspaper, has recently fallen victim to a ransomware attack orchestrated by the Rhysida group. The attack has resulted in the compromise of sensitive data, including Social Security numbers and driver's licenses, with the hackers demanding a ransom of 5 Bitcoin (approximately $300,000) by August 21st.

About The Washington Times

Founded in 1982 by Rev. Sun Myung Moon, The Washington Times is known for its conservative perspective on news and commentary, particularly in politics and culture. The newspaper aims to provide a counter-narrative to mainstream media, focusing on American values such as freedom, faith, and family. Operating under TWT Holdings, LLC, the company employs around 91 people and publishes five days a week in print, maintaining an active online presence.

Attack Overview

The Rhysida ransomware group has claimed responsibility for the attack via their dark web leak site. The cybercriminals have provided a sample of the compromised data to substantiate their claims. The attack has raised significant concerns about the security measures in place at The Washington Times, given the sensitive nature of the data involved.

About Rhysida Ransomware Group

First sighted in May 2023, the Rhysida ransomware group has quickly made a name for itself in the cybercrime arena. The group primarily targets sectors such as education, healthcare, manufacturing, and government. Rhysida employs a double extortion technique, stealing data before encrypting it and threatening to publish it unless a ransom is paid. The ransomware is written in C++ and uses the ChaCha20 encryption algorithm, with ransom notes generated as PDF documents named “CriticalBreachDetected.pdf.”

Penetration and Vulnerabilities

Rhysida typically gains initial access through phishing campaigns and by leveraging valid credentials. Once inside a network, the group uses tools like Advanced IP/Port Scanner and Sysinternals PsExec for lateral movement and deployment of the ransomware. The Washington Times, like many media organizations, may have been vulnerable due to the high volume of sensitive data it handles and the constant need for connectivity, making it an attractive target for ransomware groups.
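
A hunting sketch for the two artifacts named above, the "CriticalBreachDetected.pdf" ransom note and PsExec-based deployment. This is an added example, not code from the original page or from any vendor. The event schema, host names, sample events and thresholds are constructed assumptions; PSEXESVC.exe is the default service binary that Sysinternals PsExec places on a target.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath  # parses Windows paths correctly on any OS

RANSOM_NOTE = "criticalbreachdetected.pdf"  # note name given in the article
# Default Sysinternals PsExec client and service binary names.
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}

# Constructed sample events in a hypothetical normalized schema (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "it-admin", "type": "process", "path": r"C:\Tools\PsExec64.exe"},
    {"ts": "2024-01-14T02:01:00", "host": "ws-01", "type": "process", "path": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-01-14T02:03:00", "host": "ws-02", "type": "process", "path": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-01-14T02:06:00", "host": "srv-fs", "type": "process", "path": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-01-14T02:20:00", "host": "srv-fs", "type": "file", "path": r"D:\Shares\HR\CriticalBreachDetected.pdf"},
    {"ts": "2024-01-14T02:20:05", "host": "srv-fs", "type": "file", "path": r"D:\Shares\Finance\criticalbreachdetected.PDF"},
    {"ts": "2024-01-14T02:21:00", "host": "ws-02", "type": "file", "path": r"C:\Users\Public\CriticalBreachDetected.pdf"},
    {"ts": "2024-01-14T02:22:00", "host": "ws-01", "type": "file", "path": r"C:\Users\a\Documents\report.pdf"},
]

def hunt(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag hosts holding the ransom note and PsExec runs fanning out across hosts.

    min_hosts and window are assumed tuning values, not figures from the article.
    """
    note_dirs = defaultdict(set)   # host -> directories where the note appeared
    runs = []                      # (time, host) for each PsExec execution
    for e in events:
        name = ntpath.basename(e["path"]).lower()
        if e["type"] == "file" and name == RANSOM_NOTE:
            note_dirs[e["host"]].add(ntpath.dirname(e["path"]).lower())
        elif e["type"] == "process" and name in PSEXEC_NAMES:
            runs.append((datetime.fromisoformat(e["ts"]), e["host"]))
    runs.sort()
    fanout, start = set(), 0
    for end, (ts, _) in enumerate(runs):
        while ts - runs[start][0] > window:   # slide the window's left edge
            start += 1
        hosts = {h for _, h in runs[start:end + 1]}
        if len(hosts) >= min_hosts:           # one burst touching many hosts
            fanout |= hosts
    return {"note_hosts": {h: len(d) for h, d in note_dirs.items()},
            "psexec_fanout": sorted(fanout)}

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The single PsExec run on the admin workstation is not flagged; only the burst across three hosts inside the window is, which keeps routine administration from drowning out the deployment pattern.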

Implications and Next Steps

The attack on The Washington Times underscores the growing threat posed by ransomware groups like Rhysida. As the deadline for the ransom approaches, the newspaper faces critical decisions on how to respond to the cybercriminals' demands while safeguarding its data and reputation.
