The notorious Rhysida ransomware gang has attacked Ejército de Chile, the Chilean Army and the territorial collectivity of Martinique. The threat actor made their activities public by posting about their “successful infiltration” of the Chilean Army on a dark web forum.
The Army of Chile, responsible for the country’s defense, has allegedly fallen victim to this cyber attack. The Rhysida gang, seemingly proud of their achievement, announced the breach and auctioned off sensitive data obtained from the Army.
Similarly, the territorial collectivity of Martinique also suffered an alleged blow from the Rhysida cyber attack. Martinique, a French overseas territory, has been targeted by the threat actor in randomized cyber attacks.
Cybersecurity analyst Dominic Alvieri tweeted about the alleged cyber attacks claimed by the Rhysida ransomware gang. He also shared a screenshot of the group’s post sharing details about the cyber attack.
The aftermath of these two attacks is yet to be fully understood, but The Cyber Express has reached out to the affected parties to confirm the security incidents.
Rhysida ransomware gang launches series of cyber attack
The Rhysida ransomware gang has gained notoriety for its victim support chat portal hosted via TOR (.onion).
They claim to be a “cybersecurity team” that aims to raise awareness about the security vulnerabilities of their targets.
However, their methods involve infiltrating systems and holding the victims’ data hostage, demanding ransom payments for release.
The specific targets of the Rhysida Ransomware Gang seem random, and their campaigns are not explicitly targeted but rather opportunistic. This suggests that any organization or individual could fall victim to their attacks, reported SentinelOne.
The deployment of Rhysida ransomware occurs through various means. The primary methods involve utilizing Cobalt Strike or similar frameworks and launching phishing campaigns.
Analysis of Rhysida ransomware samples indicates that the group is still in the early stages of the development cycle.
Some features commonly found in ransomware, such as VSS removal, are missing from their payloads. Nevertheless, the Rhysida gang follows the trend of modern multi-extortion groups by threatening victims with the public distribution of exfiltrated data.
Modus operandi of Rhysida ransomware gang
Once launched, Rhysida ransomware displays a cmd.exe window, systematically traversing all files on the local drives of the infected system.
To negotiate with the attackers, victims are instructed to contact them through their TOR-based portal using the unique identifier provided in the ransom notes.
Payment in Bitcoin (BTC) is the only accepted method, and victims are given information on purchasing and using BTC on the victim portal.
Upon entering their unique ID on the payment portal, additional forms are provided to victims, enabling them to provide authentication and contact details to the attackers.
To ensure their message is delivered effectively, the Rhysida Ransomware Gang writes ransom notes in PDF documents placed in the affected folders on the targeted drives. These two cyberattacks highlight the threat actor’s ability to infiltrate well-protected systems.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
