Montreal North claimed by Rhysida ransomware gang for $1 million


Canada's Montréal-Nord (Montreal North) – one of the nineteen boroughs of the French-speaking city of Montreal in Quebec Province – was claimed by the Rhysida ransomware group over the weekend.

The Kremlin-linked gang posted the Montreal city borough on its dark leak blog on Sunday, along with several samples of alleged documents stolen from the borough's government networks.

A countdown clock was posted on the Rhysida auction page with 4 days left before the gang says it will sell the borough's alleged data to the highest bidder if an undisclosed ransom demand is not paid by the deadline.

Rhysida dark leak site. Image by Cybernews.

Rhysida is asking 10 bitcoin for the supposed stolen data, the equivalent of just over $1 million as of Monday.

The group did not say how many files it allegedly exfiltrated from Montreal North’s servers, instead only providing what appears to be a small collage of samples it claims to have taken.

The illegible files – including an email, administrative contract, and one Canadian passport – are mostly in French.


Although the city of Montreal is the most populated metro in Canada's Quebec province, the population of the suburban borough of Montreal North stands at just over 85,000, according to government statistics published in 2023.

Cybernews has reached out to Montreal North representatives for comment and is awaiting a response at the time of this report.

Rhysida known for double extortion


The Russian-affiliated Rhysida group has claimed more than 153 victims on its dark blog since its inception in May 2023.

The gang is known for going after “targets of opportunity” and has infiltrated various sectors, including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.

A February 2024 Trend Micro profile on the group revealed that the threat actors often gain initial access to their victims using phishing attacks and, in the past, have “posed as a cybersecurity team that offered to help its victims identify security weaknesses in their networks and systems,” the researchers said.

Once inside a network, the group is known to seek system vulnerabilities using Cobalt Strike pen-testing tools, launching its namesake ransomware to encrypt a victim’s system.

The Vice Society ransomware group has been linked to Rhysida through similar tactics, techniques, and procedures (TTPs) and by using Rhysida's ransomware as an affiliate, purportedly splitting a portion of its earnings with the gang.

This past fall, Rhysida claimed an attack on Easterseals – an organization dedicated to helping the disabled – along with a $1,350,000 ransom tag.

In the last quarter of 2024, Rhysida also made headlines targeting (and taunting) the Seattle-Tacoma International Airport with a 100 BTC ransom demand after an attack that caused a weeks-long systemwide outage at the busy West Coast hub.

The Sea-Tac breach even forced some major airlines, like Delta, Singapore, and Alaska Airlines, to handwrite passenger boarding passes.


Last July, Rhysida successfully targeted the City of Columbus, Ohio, triggering weeks-long outages of city services and the reconstruction of the city’s official website.


Other previous victims include the Washington Times, the UK’s National British Library, the Anne & Robert H. Lurie Children’s Hospital in Chicago, and the Prospect Medical Group network of US hospitals and healthcare facilities.

Last February, a research team from the Korea Internet & Security Agency (KISA) was able to crack the gang’s encryption code and shared a free Rhysida Decryption Tool and manual on its website.