Rhysida Ransomware Hits IT Firm CNS, Threatens Data Leak
Rhysida Ransomware Group Targets Computer Networking Solutions
Overview of the Attack
The Rhysida ransomware group has claimed responsibility for a cyberattack on Computer Networking Solutions (CNS), a well-established IT services provider based in San Jose, California. The attackers have threatened to publish the stolen data within 6–7 days if their demands are not met. This incident highlights the growing threat of ransomware attacks on small and mid-sized businesses.
About Computer Networking Solutions
Computer Networking Solutions, operating under the trade name LightSpeed DataLinks, specializes in providing comprehensive IT solutions and support services tailored to small and mid-sized businesses. Founded in 1991, CNS offers a range of services including managed IT support, hardware sales, cybersecurity, and cloud solutions. The company serves various sectors such as hospitality, manufacturing, real estate, education, CPA firms, medical practices, and law firms. CNS is known for its client-centric approach, acting as an extension of its clients' IT departments and providing tailored solutions to meet specific needs.
Vulnerabilities and Impact
CNS's extensive involvement in diverse industries makes it a lucrative target for ransomware groups. The company's reliance on high-quality hardware and robust cybersecurity measures, while generally effective, may have been insufficient against the sophisticated tactics employed by Rhysida. The attack could potentially disrupt CNS's operations and compromise sensitive client data, affecting their reputation and client trust.
About the Rhysida Ransomware Group
The Rhysida ransomware group emerged in May 2023 and has quickly gained notoriety for targeting sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and primarily targets Windows operating systems. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it unless a ransom is paid. Rhysida uses the ChaCha20 encryption algorithm and demands Bitcoin payments through a Tor-based portal.
Penetration Tactics
Rhysida typically gains initial access through phishing campaigns and the use of valid credentials. Once inside the network, the group uses tools like Advanced IP/Port Scanner and Sysinternals PsExec to enumerate environments and deploy ransomware. The group's ability to exploit network vulnerabilities and use sophisticated encryption methods makes it a formidable threat to businesses like CNS.
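For defenders, the scanner-then-PsExec sequence described above can be hunted in Windows logs. The sketch below is an added example, not Halcyon's code: it assumes events normalized into dicts with hypothetical field names, the tools' default artifact names (`advanced_ip_scanner.exe`, `advanced_port_scanner.exe`, the `PSEXESVC` service), process-creation event 4688 and service-install event 7045, and an arbitrary two-hour window and two-host threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed default artifact names; renamed binaries or services will not match.
SCANNER_IMAGES = {"advanced_ip_scanner.exe", "advanced_port_scanner.exe"}
PSEXEC_SERVICE = "psexesvc"
WINDOW = timedelta(hours=2)   # assumed correlation window
FANOUT = 2                    # assumed: distinct hosts that make a spread alert

# Constructed sample events (4688 = process creation, 7045 = service installed).
EVENTS = [
    {"ts": "2024-05-01T09:02:11", "host": "WS-014", "id": 4688, "user": "corp\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\advanced_ip_scanner.exe"},
    {"ts": "2024-05-01T09:40:03", "host": "FS-01", "id": 7045, "user": "corp\\jdoe",
     "service": "PSEXESVC"},
    {"ts": "2024-05-01T09:41:47", "host": "DC-01", "id": 7045, "user": "corp\\jdoe",
     "service": "PSEXESVC"},
    {"ts": "2024-05-01T10:15:00", "host": "WS-020", "id": 7045, "user": "corp\\admin2",
     "service": "PSEXESVC"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (severity, user, detail) alerts, sorted for stable output."""
    scans = defaultdict(list)     # user -> times a scanner was launched
    installs = defaultdict(list)  # user -> (time, host) of PSEXESVC installs
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4688 and basename(e.get("image", "")) in SCANNER_IMAGES:
            scans[e["user"]].append(t)
        elif e["id"] == 7045 and e.get("service", "").lower() == PSEXEC_SERVICE:
            installs[e["user"]].append((t, e["host"]))
    alerts = []
    for user, items in installs.items():
        # Hosts that got PSEXESVC within WINDOW after this account ran a scanner.
        spread = {h for t, h in items
                  if any(timedelta(0) <= t - s <= WINDOW for s in scans.get(user, []))}
        if len(spread) >= FANOUT:
            alerts.append(("high", user, "scan then PsExec on " + ",".join(sorted(spread))))
        else:
            hosts = ",".join(sorted({h for _, h in items}))
            alerts.append(("medium", user, "PsExec service on " + hosts))
    for user in scans.keys() - installs.keys():
        alerts.append(("low", user, "network scanner executed"))
    return sorted(alerts)

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

PsExec and network scanners are also ordinary administration tools, so the medium and low alerts are triage leads; the high alert fires only on the combined sequence from a single account.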
Disclaimer
The Halcyon Attacks Lookout Database is compiled using publicly available information based on the hosting choices of real-world threat actors and data from a variety of trackers. This information is provided in accordance with principles of fair use. Halcyon has made reasonable efforts to sanitize and verify the data; however, we do not guarantee the accuracy, completeness, or reliability of the information provided. Updates to the database are made as new source data becomes available from reputable sources. By accessing, viewing, or using the information within the Halcyon Attacks Lookout Database, you acknowledge and agree to do so entirely at your own risk. No reliance should be placed upon the information for decision-making, and Halcyon disclaims all liability for any inaccuracies or omissions in the data.