Rhysida Ransomware Hits Engedi: $94K Bitcoin Ransom Demanded

Incident Date: Aug 22, 2024

Attack Overview
VICTIM: Engedi
INDUSTRY: Healthcare Services
LOCATION: Australia
ATTACKER: Rhysida
FIRST REPORTED: August 22, 2024

Rhysida Ransomware Group Targets Engedi: A Detailed Analysis

Engedi, a not-for-profit organization based in Mackay, Queensland, has become the latest victim of a ransomware attack by the Rhysida group. The attack was publicly disclosed on August 22, when Rhysida listed Engedi on their darknet leak site, claiming to have exfiltrated sensitive data and threatening to publish it unless a ransom of 10 bitcoin (approximately $94,000 AUD) is paid.

About Engedi

Established in 1985, Engedi is dedicated to providing support services for individuals with disabilities. The organization offers a range of services, including group skills programs, therapy support, NDIS plan management, and individual support. Engedi employs between 11 and 20 people, allowing for a personalized approach to service delivery. The organization is recognized for its commitment to enhancing the quality of life for its clients and has become a standout in the community due to its long-standing presence and significant contributions to disability support services.

Attack Overview

The Rhysida ransomware group claims to have exfiltrated sensitive data from Engedi’s network, including passport scans, identity documents, an account application, and a credit card scan. A low-resolution photomontage shared on their dark web portal includes at least one document linked to an Engedi staff member. The group has given Engedi 6–7 days to pay the ransom before the data is published.

About Rhysida Ransomware Group

Rhysida is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets sectors such as healthcare, education, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and targets the Windows operating system. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it unless a ransom is paid. Rhysida uses the ChaCha20 encryption algorithm and generates ransom notes as PDF documents named “CriticalBreachDetected.pdf.”

Penetration and Vulnerabilities

Rhysida typically leverages phishing campaigns to deploy its ransomware. The group relies on valid credentials and establishes network connections through VPN for initial access. Upon infiltrating a victim's network, the group uses net commands and tools such as Advanced IP/Port Scanner to gather critical information about domains. It also leverages Sysinternals tools such as PsExec for lateral movement. Engedi’s vulnerabilities likely stem from the common challenges faced by small to medium-sized organizations, such as limited cybersecurity resources and potential gaps in employee training on phishing threats.
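Two of the artefacts named above (PsExec lateral movement and the CriticalBreachDetected.pdf ransom note) are straightforward to hunt for in host telemetry. The following is an added example, not Halcyon's or Rhysida's code; it assumes a hypothetical JSON event export, Windows Service Control Manager Event ID 7045 (service installed, where PsExec registers the PSEXESVC service on the remote host) and Sysmon Event ID 11 (file created), with constructed sample events rather than real Engedi data.

```python
import json
from typing import List, Optional, Tuple

# Known artefacts drawn from the writeup above. PSEXESVC is the service name
# PsExec installs on the host it targets; the PDF name is Rhysida's ransom note.
PSEXEC_SERVICE = "psexesvc"
RANSOM_NOTE = "criticalbreachdetected.pdf"

# Constructed sample events (hypothetical JSON schema; not real Engedi telemetry).
SAMPLE_EVENTS = [
    r'{"EventID": 7045, "Host": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}',
    r'{"EventID": 7045, "Host": "FS01", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}',
    r'{"EventID": 11, "Host": "WS07", "TargetFilename": "C:\\Users\\jdoe\\Documents\\CriticalBreachDetected.pdf"}',
    r'{"EventID": 11, "Host": "WS07", "TargetFilename": "C:\\Users\\jdoe\\Documents\\invoice.pdf"}',
    "not json at all",
]


def _basename(path: str) -> str:
    """Return the final path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(event: dict) -> Optional[str]:
    """Map one parsed event to a rule name, or None if nothing matched."""
    event_id = event.get("EventID")
    # Service Control Manager 7045: a new service was installed on this host.
    if event_id == 7045 and str(event.get("ServiceName", "")).lower() == PSEXEC_SERVICE:
        return "psexec_service_install"
    # Sysmon 11: file created. Match the ransom-note filename exactly, case-insensitively.
    if event_id == 11 and _basename(str(event.get("TargetFilename", ""))).lower() == RANSOM_NOTE:
        return "rhysida_ransom_note"
    return None


def scan(lines) -> List[Tuple[str, str]]:
    """Parse JSON event lines and return (host, rule) pairs for every hit."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        rule = classify(event)
        if rule:
            alerts.append((event.get("Host", "?"), rule))
    return alerts


if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

A PSEXESVC install is also produced by legitimate administrative use of PsExec, so treat that rule as a pivot for investigation and correlate it with the VPN logon that preceded it; the ransom-note filename is a high-confidence, if late, signal.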
