Rhysida attacks Federal University of Mato Grosso do Sul

Incident Date: Sep 01, 2023

Attack Overview
VICTIM
Federal University of Mato Grosso do Sul
INDUSTRY
Education
LOCATION
Brazil
ATTACKER
Rhysida
FIRST REPORTED
September 1, 2023

Rhysida Ransomware Gang Attacks Federal University of Mato Grosso do Sul

The Rhysida ransomware gang has attacked the Federal University of Mato Grosso do Sul. The Federal University of Mato Grosso do Sul (Universidade Federal de Mato Grosso do Sul or UFMS) is a prominent public research university located in the state of Mato Grosso do Sul, Brazil. It is one of the federal universities in Brazil and is known for its commitment to education, research, and community engagement. Rhysida posted the Federal University of Mato Grosso do Sul to its data leak site on October 2nd but provided no further details.

Emergence of Rhysida Ransomware Group

The Rhysida ransomware group emerged in May 2023 and introduced a victim support chat portal on the TOR network. They present themselves as a "cybersecurity team" and claim to be helping their victims by targeting their systems and exposing potential security issues.

Method of Attack

Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns. Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development. The ransomware lacks certain standard features in contemporary ransomware, such as VSS removal. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.

Execution and Ransom Process

Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes. The group only accepts payment in Bitcoin (BTC) and provides victims with instructions on purchasing and using BTC through the victim portal. Victims are also given an additional form on the payment portal to provide authentication and contact details to the attackers. The Rhysida ransom notes are written as PDF documents and placed in the affected folders on the targeted drives.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.