Rhysida Cyber-attack on the British Museum

By Threat Analyst

20 November 2023

The British Museum, a renowned cultural institution in the UK, suffered a significant cyberattack in late October 2023. The attack resulted in a major IT outage, disrupting essential services. This affected the library’s operations, including electronic payments, internet connectivity, and order collection facilities.

Rhysida, a notorious ransomware group, claimed responsibility for the attack on the British Museum. The group is known for its disruptive cyber activities targeting various sectors, including education, healthcare, and government. Rhysida operates under a ransomware-as-a-service (RaaS) model, often employing double extortion tactics. This involves stealing sensitive data before encrypting the victims’ files and then threatening to publish the stolen data unless a ransom is paid. In this attack, Rhysida leaked passport scans and HMRC employment documents as proof of their infiltration, and started an auction for the stolen data with a starting bid of 20 Bitcoin, approximately $745,000.

Modus Operandi

Rhysida primarily gains access through old vulnerabilities like ZeroLogon and employs phishing and stolen credentials to breach VPNs, particularly targeting organizations without Multi-Factor Authentication (MFA). They are known to use ‘living off the land’ techniques, blending in with typical network traffic using pre-loaded administrative tools.
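As a defender-side illustration of the VPN weakness described above, the following added example (not from the original article or the CISA advisory) audits a VPN authentication log for logins that succeeded without MFA. The CSV layout, field names, account names and log lines are constructed assumptions; adapt the parsing to your VPN product's real export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample VPN authentication log; the CSV columns are assumptions.
SAMPLE_LOG = """timestamp,user,src_ip,result,mfa
2023-10-20T08:01:12Z,asmith,198.51.100.7,success,yes
2023-10-20T08:03:40Z,svc_backup,203.0.113.50,success,no
2023-10-21T02:14:05Z,jdoe,203.0.113.50,failure,no
2023-10-21T02:14:31Z,jdoe,203.0.113.50,failure,no
2023-10-21T02:15:02Z,jdoe,203.0.113.50,success,no
2023-10-21T09:00:00Z,asmith,198.51.100.7,success,yes
"""


def audit_vpn_log(text, fail_threshold=2):
    """Flag VPN logins that succeeded without MFA, plus two related signals."""
    fails = defaultdict(int)   # (user, src_ip) -> failures since last success
    no_mfa = defaultdict(set)  # src_ip -> users who logged in without MFA
    after_failures = []        # successes that followed repeated failures
    for row in csv.DictReader(io.StringIO(text)):
        user, ip = row["user"], row["src_ip"]
        if row["result"] == "failure":
            fails[(user, ip)] += 1
            continue
        if row["result"] != "success":
            continue
        # A success right after repeated failures suggests password guessing.
        if fails[(user, ip)] >= fail_threshold:
            after_failures.append((user, ip, fails[(user, ip)]))
        fails[(user, ip)] = 0
        if row["mfa"].strip().lower() != "yes":
            no_mfa[ip].add(user)
    return {
        # Accounts that can reach the VPN with a password alone.
        "no_mfa_accounts": sorted({u for us in no_mfa.values() for u in us}),
        "success_after_failures": after_failures,
        # One source IP using several no-MFA accounts: possible stolen credentials.
        "shared_source_ips": {ip: sorted(u) for ip, u in no_mfa.items() if len(u) > 1},
    }


if __name__ == "__main__":
    for name, value in audit_vpn_log(SAMPLE_LOG).items():
        print(name, value)
```

Accounts listed under no_mfa_accounts are the first candidates for MFA enforcement or for removal from the VPN access group.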

Ties to Other Groups

Security researchers have linked Rhysida’s activities to groups like the Vice Society, noting similarities in tactics and techniques. Vice Society is known for major attacks like the one on the LA Unified School District.

Response and Advisory

Following the attack, the British Museum has been providing regular updates and working to restore affected services. The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on November 15 to raise awareness of the Rhysida ransomware strain.


The Rhysida attack on the British Museum highlights the persistent threat posed by ransomware groups to cultural and educational institutions. Organizations must stay vigilant, update their cybersecurity practices, and ensure the implementation of robust security measures like MFA to mitigate such risks.
