Rhysida ransomware gang: We attacked the British Library

Crims post passport scans and internal forms up for 'auction' to prove it


The Rhysida ransomware group says it's behind the highly disruptive October cyberattack on the British Library, leaking a snippet of stolen data in the process.

A low-res image shared to its leak site appears to show a handful of passport scans, along with other documents, some of which display the format of HMRC employment documents.

Rhysida started an auction for the stolen data with a deadline for bids ending just before 0800 UTC on November 27. The criminals said there will be only a single winner, which will be the sole recipient of the stolen data. The starting bid has been set at 20 Bitcoin – roughly $745,000.

"With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data," Rhysida's message on its website states. "Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner."

It goes without saying that any buyer has no way of verifying that claim, and if Rhysida is indeed behind the attack, it may keep unlimited copies of the data.

The Register approached the British Library for comment but it did not reply.

The British Library confirmed a major IT outage at the end of October, owing to a cybersecurity issue. It confirmed the incident to be ransomware in nature on November 14, but Rhysida's claim only arrived this morning, Monday November 20.

The disruption caused by the attack remains significant. When the attack was first confirmed, the library's famous red brick site in London's St Pancras was operating on a cash-only basis while electronic payments were down. Wireless internet connectivity for visitors was also unavailable, and order collection facilities were limited.

The website remains down at the time of writing, as it has been for weeks.

Regular updates have been provided via the library's X account and a separate website, with services still experiencing outages and disruption.

Responding to a question via social media regarding potential data theft, the British Library said on November 15 that it still wasn't aware of the full extent of the attack.

"We're currently only able to confirm which services are still available but we're working to understand and resolve the situation as quickly as possible, and to restore our other services," it said.

"We'll share updates on how this may affect our users as soon as we can. We're really sorry for any inconvenience this has caused."

Rhysida's claims of being behind the attack come weeks after the British Library first confirmed the incident, and one week after it was confirmed as ransomware – an indication that negotiations may have broken down.

"Ransomware attacks naturally come with a negotiation phase immediately after the attack which can take time to find the sweet spot," Jake Moore, global cybersecurity advisor at ESET, told The Register.

"If payments are to be considered by the victim, this difficult period can take days before more details are released. The victim parties often keep as much of their attacks under wraps but the criminal group will want to quickly claim responsibility.

"When a group leaves it some time to claim their crimes, it can usually mean that such negotiations have been going back and forth fighting for the right price from both sides. Seen as a [ransomware-as-a-service] model, Rhysida are likely to have not been paid the ransom they have finally demanded and are now pushing out the next phase of the attack by threatening the release of data."

Rhysida rousing authorities

The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on November 15 to spread awareness of the ransomware strain, which has been opportunistically targeting organizations since May 2023.

Primarily targeting the education, healthcare, manufacturing, information technology, and government sectors, Rhysida is known for gaining initial access via old vulnerabilities such as ZeroLogon, and for using phishing and stolen credentials to authenticate to the VPNs of organizations that do not enforce MFA by default.

Some security researchers have linked Rhysida's activity to groups like Vice Society, noting similarities in the tactics and techniques seen in Rhysida-linked attacks.

Rhysida is thought to be a ransomware-as-a-service (RaaS) group in its own right, and Vice Society – believed to be behind major attacks like the one on the LA Unified School District – may be using its kit, researchers have theorized.

It operates on a double extortion model, as the British Library attack appears to show, and the group tends to use living-off-the-land techniques – abusing built-in administrative tools so that its activity blends in with normal network traffic. ®
