Rhysida ransomware group claims crippling British Library cyber attack

British Library continues to experience a major technology outage due to a disruptive cyber attack

Michael Hill
11/21/2023


Rhysida ransomware operators have claimed responsibility for a highly disruptive cyber attack on the British Library. The group shared a low-res image on its leak site that appears to show a snippet of data stolen from the famous library. Meanwhile, the library’s website remains down, with services experiencing outages and interruption that could go on for weeks or even months, the library said.

The British Library notified the public last month about a “major technology outage” due to a cyber incident. Last week, the library confirmed the incident was the result of a ransomware attack launched “by a group known” for such criminal activity. The Rhysida gang appears to be the culprit: the group has opened an auction for the stolen data, with bids closing on November 27.

Last week, a new cyber security advisory warned of the threats posed by emerging ransomware variant Rhysida. The advisory, published jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), disseminated the known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) of the ransomware operators. Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology and government sectors.

British Library continues to experience major tech outage due to cyber attack

In a recent update, the British Library said it is continuing to experience a major technology outage as a result of the cyber attack. “The outage is still affecting our website, online systems and services, as well as some onsite services including Wi-Fi. We anticipate restoring many services in the next few weeks, but some disruption may persist for longer.”

The library said it is aware that some data has been leaked which appears to be from its internal HR files. “We have no evidence that data of our users has been compromised. However, if you have a British Library login and your password is used elsewhere, we recommend changing it as a precautionary measure,” it stated.

In the meantime, the library has taken “targeted protective measures” to ensure the integrity of its systems, and it is continuing to investigate the attack with the support of the UK National Cyber Security Centre (NCSC), the Metropolitan Police and cybersecurity specialists.

Rhysida ransomware group known to engage in double-extortion

Rhysida operators are known to engage in “double extortion” – demanding a ransom payment to decrypt victim data and threatening to publish the sensitive exfiltrated data unless the ransom is paid. “Rhysida actors direct victims to send ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. Rhysida ransomware drops a ransom note named ‘CriticalBreachDetected’ as a PDF file – the note provides each company with a unique code and instructions to contact the group via a Tor-based portal,” read the recent cyber security advisory.

The contents of the ransom note are embedded as plain-text in the ransom binary, offering network defenders an opportunity to deploy string-based detection for alerting on evidence of the ransom note. “Rhysida threat actors may target systems that do not use command-line operating systems. The format of the PDF ransom notes could indicate that Rhysida actors only target systems that are compatible with handling PDF documents,” the advisory added. Known Rhysida IoCs include Onion Mail email accounts rhysidaeverywhere@onionmail[.]org and rhysidaofficial@onionmail[.]org for services or victim communication.
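One way a defender can act on the string-based detection opportunity described above, as an added example that is not code from the article or from the CISA/FBI/MS-ISAC advisory: a small Python scanner that searches files for the indicator strings quoted in this article (the ransom-note name and the two Onion Mail addresses, un-defanged) in both ASCII and UTF-16LE form, so a wide-string copy inside a Windows binary is not missed. That the ransom binary embeds exactly these strings is an assumption; a production rule should use the strings published in the advisory itself, and the sample buffer below is constructed only to exercise the matcher.

```python
import os
import re
import sys
from typing import Dict, List, Tuple

# Indicator strings taken from the article. Any further strings must come
# from the advisory; nothing here is copied from an actual Rhysida sample.
INDICATORS = [
    "CriticalBreachDetected",
    "rhysidaeverywhere@onionmail.org",
    "rhysidaofficial@onionmail.org",
]

Hit = Tuple[str, int, str]  # (indicator, byte offset, encoding seen)


def build_patterns(indicators: List[str]) -> Dict[str, re.Pattern]:
    """Compile one case-insensitive regex per indicator that matches the
    string either as plain ASCII or as UTF-16LE (wide strings are common in
    Windows binaries, and a plain ASCII grep would miss them)."""
    patterns = {}
    for s in indicators:
        narrow = re.escape(s.encode("ascii"))
        wide = re.escape(s.encode("utf-16-le"))
        patterns[s] = re.compile(b"(?:" + narrow + b")|(?:" + wide + b")", re.IGNORECASE)
    return patterns


PATTERNS = build_patterns(INDICATORS)


def scan_bytes(data: bytes, patterns: Dict[str, re.Pattern] = PATTERNS) -> List[Hit]:
    """Return every indicator hit in a byte buffer, ordered by offset."""
    hits: List[Hit] = []
    for name, pat in patterns.items():
        for m in pat.finditer(data):
            enc = "utf-16le" if b"\x00" in m.group(0) else "ascii"
            hits.append((name, m.start(), enc))
    return sorted(hits, key=lambda h: h[1])


def scan_tree(root: str, patterns: Dict[str, re.Pattern] = PATTERNS) -> Dict[str, List[Hit]]:
    """Walk a directory and map each file path to its hits (unreadable files skipped)."""
    results: Dict[str, List[Hit]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    hits = scan_bytes(f.read(), patterns)
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample: a fake PE-like blob carrying one ASCII and one wide indicator.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 28 + b"CriticalBreachDetected.pdf" + b"\x00" * 8
          + "rhysidaofficial@onionmail.org".encode("utf-16-le") + b"\x00" * 4)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = scan_tree(target) if target else {"<constructed sample>": scan_bytes(SAMPLE)}
    for path, hits in found.items():
        for name, off, enc in hits:
            print(f"{path}: {name} at offset {off} ({enc})")
```

Run it with a directory argument to scan real files; with no argument it scans only the constructed sample.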

Update (11/29/2023): In late November, Rhysida published most of the data it claimed to have stolen from the British Library. The group’s leak site indicates the dump contains 490,191 files, totaling 573 GB. Renowned security researcher and creator of Have I Been Pwned? Troy Hunt said the dump looks “rather substantial” in a post on X (formerly Twitter).

Meanwhile, the British Library has confirmed claims that data had been stolen and advised customers to change passwords if they have reused them elsewhere.
