Rhysida attacks Ayuntamiento de Arganda City Council
Rhysida Ransomware Gang Attacks Ayuntamiento de Arganda City Council
The Rhysida ransomware gang has attacked Ayuntamiento de Arganda City Council. Ayuntamiento de Arganda City Council is the City Council of Arganda del Rey, a municipality in the Community of Madrid, Spain. The City Council, or Ayuntamiento, is the local governing body responsible for managing the municipality's affairs and providing services to its residents.
Rhysida posted Ayuntamiento de Arganda City Council to its data leak site on June 4th, claiming to have stolen data, including agreements and PII documents, and threatening to leak all stolen data by July 10th if the City Council fails to pay the ransom.
Rhysida Ransomware Group Emergence
The Rhysida ransomware group emerged in May 2023 and introduced a victim support chat portal on the TOR network. They present themselves as a "cybersecurity team" and claim to be helping their victims by targeting their systems and exposing potential security issues.
Method of Attack
Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns. Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain common features seen in contemporary ransomware, such as VSS removal. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.
Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal. Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers.
The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.
Disclaimer
The Halcyon Attacks Lookout Database is compiled using publicly available information based on the hosting choices of real-world threat actors and data from a variety of trackers. This information is provided in accordance with principles of fair use. Halcyon has made reasonable efforts to sanitize and verify the data; however, we do not guarantee the accuracy, completeness, or reliability of the information provided. Updates to the database are made as new source data becomes available from reputable sources. By accessing, viewing, or using the information within the Halcyon Attacks Lookout Database, you acknowledge and agree to do so entirely at your own risk. No reliance should be placed upon the information for decision-making, and Halcyon disclaims all liability for any inaccuracies or omissions in the data.
See Halcyon in action
Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!