Ransomware attack on MarineMax yachts claimed by Rhysida gang

The Rhysida ransomware group has claimed MarineMax – an American luxury yachting conglomerate – as its latest victim, posting the company on its dark leak page Thursday.

The luxury yacht dealer and boating lifestyle brand first announced the breach on March 12th, filing a notice with the US Securities and Exchange Commission (SEC), labeling it a third-party related “cybersecurity incident.”

MarineMax calls itself the largest boat, yacht, and superyacht company in the world, and they could be correct.

With a revenue of 2.39 million in 2023, MarineMax boasts 130 locations around the world, to include 21 states in the US and roughly 65 marinas and boat storage facilities.

A one-stop shop for its clients, the full-service company offers financing, insurance, maintenance, and storage for boat owners, as well as private yacht charters and luxury adventures to the public.

The gang’s price for the luxury yacht dealer’s “exclusive, unique, and impressive data” is a bargain at only 15 BTC – Thursday’s market equivalent of exactly $774,415.65 – the post states. MarineMax presumably has roughly six days to pay the gang's undisclosed ransom amount, or its data will be sold to the highest bidder, according to the Rhysida countdown clock.

Rhysida MarineMax dark leak site
Rhysida dark leaksite. Image by Cybernews.

Below the 15 bitcoin price tag is a message box for interested buyers stating, “We can not answer you if your price looks like a joke.”

The group posted numerous samples of the alleged stolen data, which, when examined by Cybernews, looks to include MarineMax earnings reports, balance sheets, bank account wire transfers, customer databases, and other financial documents.

Rhysida MarineMax dark leak site samples
Rhysida dark leaksite. Image by Cybernews.

Last week, the Clearwater, Florida-based company claimed in its 8K SEC filing that the portion of the network involved in the breach “does not maintain sensitive data,” although the samples seem to prove otherwise.

Cybernews has reached out to MarineMax several times, but has not received a response.

WTW, a cyber insurance firm offering companies cybersecurity protection policies, said ransomware gangs often consider luxury brands a prime target, mainly because of the sensitive data they typically hold on high-value clients.

WTW says victims would rather pay the ransomware than risk reputational damage as a result of that data being leaked to the public.

Rhysida's victim list grows

The threat actors came onto the ransomware scene in May 2023, according to a US government profile on the group published last August. The profile labeled the group's namesake ransomware as "unsophisticated" and typically launched through phishing attacks or seeking vulnerabilities using Cobalt Strike pen-testing tools.

Rhysida is known for going after “targets of opportunity,” including the education, healthcare, manufacturing, information technology, and government sectors, and is thought to have ties to the Vice Society ransom gang.

Earlier this month, the gang hit the Anne & Robert H. Lurie Children’s Hospital in Chicago and then – in a move criticized as ‘lower than low’ by security researchers – sold all the stolen data online after failing to secure a $4 million ransom demand (60 BTC).

Known to operate as a ransomware-as-a-service (RaaS) group selling its hacking tools to other groups for a cut of the profits, the criminal outfit often practices double extortion, where even after a victim has paid for a decryption key, the gang threatens to leak the stolen data unless it receives a second payout.

This February, a research team from the Korea Internet & Security Agency (KISA) was able to crack the gang’s encryption code and shared a free Rhysida Decryption Tool and manual on its website, but we can only assume Rhysida has created an updated version of its ransomware variant since then.

MarineMax marina logo

The group typically launches its unsophisticated namesake ransomware via phishing attacks and Cobalt Strike to breach a victim’s network and deploy its payloads.

In 2023, Rhysida was behind the British Library hack, the Prince George’s Country school system attack in Maryland, and auctioned stolen data from Insomniac Games, known for Spider-Man, Spyro the Dragon, and Ratchet & Clan video games.

Last summer, the group also claimed responsibility for a debilitating attack on the California-based healthcare conglomerate Prospect Medical Holdings (PMH), knocking out services for dozens of hospitals and healthcare facilities across several states.

In the PMH live auction, the threat actor offered up more than 2.3TB of sensitive data allegedly stolen in that attack, including an entire SQL database.

Since the Rhysida warning bulletin was released last August, the gang has claimed a a total of 81 victims on its dark leak site, an average of 6 victims per month as of this report.

More from Cybernews:

UN adopts first global artificial intelligence resolution

BBC working on AI models, content deal – media

US accuses Apple of smartphone monopoly in antitrust lawsuit

Microsoft Office 2024: available on Mac and as a one-time purchase

House passes important privacy bill overshadowed by TikTok fever

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked