Rhysida attacks Kolbe Stripling

Incident Date: Mar 20, 2024

Attack Overview

VICTIM

Kolbe Stripling

INDUSTRY

Construction

LOCATION

USA

ATTACKER

Rhysida

FIRST REPORTED

March 20, 2024

Request Removal

Kolbe Striping Compromised by Rhysida Ransomware Group

Kolbe Striping has been compromised by the Rhysida ransomware group. The attack reportedly involves miscellaneous documents, including employees’ data, and a ransom of 3 BTC (approximately $190,000), with a deadline of 27 March has been demanded.

Kolbe Stripling (KSI) offers both durable and lasting pavement markings as well as temporary markings designed to suit customers’ needs. Its products include epoxy, preformed tape, preformed thermoplastic, and paint. In addition, its equipment and products also provide for recessed and reflective markings as well as removal of markings as needed for projects.

Rhysida Ransomware: A Growing Threat

Rhysida is a RaaS (Ransomware as a Service) that was first observed in May of 2023 and has become one of the more prevalent threats in the latter half of 2023. Rhysida engages in data exfiltration for double extortion and maintains both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US.

In Q4-2023, the FBI and CISA released a joint advisory on Rhysida operations. Rhysida has been steadily increasing its attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns.

Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain standard features in contemporary ransomware, such as VSS removal. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.

Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal. Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers.

The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

Let's get started

First Name

Last Name

Phone Number

Buying Timeframe

halcyon.ai is committed to protecting and respecting your privacy, and we’ll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

I agree to receive other communications from halcyon.ai and acknowledge Halcyon's privacy policy.

You may unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow halcyon.ai to store and process the personal information submitted above to provide you the content requested.

Back

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.