
The Grammy Award–winning Houston Symphony has been claimed by the Qilin ransomware group, the latest in a string of cyberattacks to hit the cultural and performing arts sector.
The Houston, Texas-based performing arts organization was posted on the ransomware gang’s dark leak blog on Friday, along with a five-day deadline and a TOX address to contact the hackers.
Just last week, the group laid claim to a ransomware attack on the local Detroit PBS public broadcasting station. In the past 24 hours, it also posted the newspaper conglomerate Lee Enterprises, whose attack occurred on February 3rd.
“All data will be published on March 5th, 2025. With over 300GB of files stolen,” the group wrote. That happens to be the same deadline given to Lee Enterprises.
In a strange twist while writing this article, the Houston Symphony suddenly disappeared from Qilin’s leak site. One can only assume it is because the arts organization has made contact with the cybercriminal cartel and may be negotiating a ransom demand.
Cybernews has reached out to the Houston Symphony and is awaiting comment. Screenshots of the Qilin dark leak site were taken before the organization was removed from its blog.

Established in 1913, the Houston Symphony is one of the nation’s oldest performing arts organizations with an ensemble of 60 professional musicians. The symphony presents nearly 170 concerts each year, including individual performances at over 1,000 community-based performances at schools, community centers, hospitals, and churches, according to its website.
With a yearly operating budget of roughly $28.8 million, its performance hall can seat up to 2,900 audience members and serves close to 400,000 people annually.
The Qilin gang provided an array of samples from the cache of files it claims to have exfiltrated from the Houston Symphony’s network servers.
A total of six samples were posted on the leak site, including what appear to be sensitive files containing the Houston Symphony’s budget reports dated October 2024, cash flow statements from last May, and an investor packet containing the symphony’s strategic plans for 2030 and its progress in 2024.

The samples further show a dataset of all board and trustee members listing personally identifiable information (PII) such as names, addresses, personal and business phone numbers, and personal and business email addresses.
It’s not clear if any of the sensitive information allegedly stolen in the hack contains any financial or personal information of musicians, employees, or season/single event ticketholders.
Who is Qilin?
A March 2023 undercover investigation by Group-IB shed some light on the inner workings of the lesser-known Qilin gang.
The group of double extortionists, which operates under a ransomware-as-a-service (RaaS) model, was first seen on the cybercriminal circuit in 2022 and has been known for using phishing emails to target its victims.
Sometimes using the alternate name "Agenda," Qilin is believed to be Russian-speaking, as the gang vows to avoid targeting CIS nations.
Qilin was responsible for the high-profile 2024 attack on the UK’s National Health Service (NHS) partner Synnovis labs, which disrupted services at multiple London hospitals for weeks, causing the NHS to declare a 'critical incident.'
The group has more recently been linked to harvesting Google Chrome credentials from its victims and to exploiting the destructive zero-day vulnerability known as “Citrix Bleed,” also used last year by the ALPHV/BlackCat ransom group in the massive United Health attack.
The Citrix bug was disclosed in 2023 by the cloud computing company and has since been patched, although many companies have been slow to apply the fix, according to security insiders.
Other past victims include Yanfeng, one of the top North American auto parts suppliers for GM and Chrysler, Jeep, Dodge, and Ram.