Government of Peru ransomware attack, claimed by Rhysida gang


Peru's government systems were reportedly incapacitated on Friday after being hit by a suspected ransomware attack claimed by the Rhysida gang. The cybercriminal gang is now asking for hundreds of thousands of dollars in ransom to release the stolen data.

The Russian-linked gang posted the Peruvian government website on its dark web leak blog late Thursday, giving the nation's government a mere six days (until May 9th) to pay an undisclosed ransom demand.

But, according to security researchers at Comparitech, Peruvian officials are denying that any ransomware attack took place. “Glitches on the government's website were reported, but the government has said there is no evidence of a #cyberattack,” Comparitech reported on X early Friday morning.

The Government of Peru's website is down. Image by Cybernews.

Cybernews can confirm that the South American country’s government website Gob[.]pe was not loading on Friday, although in an official statement seen by the threat intelligence firm Venerix, the government of Peru "indicated that its official website is currently under maintenance."

The intel company further said on X that it has “verified 22% of Rhysida’s claims to date. The rest remain unconfirmed, not disproven.”

Statement by the government of Peru denying a cyberattack. Image by Cybernews via Venerix.

Peru has a population of over 33 million, and the official government website of the Republic of Peru is listed as the "state's single digital platform," containing information on procedures, services, regulations, and more, according to the site description. It also handles the National Identification Registry, including the passport registry, the taxpayer registry, health insurance registries, police records, labor records, and more.

Rhysida, a seasoned ransomware group known for its double extortion tactics, is offering to sell the data it allegedly exfiltrated from the government networks for 5 bitcoin (BTC), or roughly $488,000 USD. The threat actor has not disclosed how much data was taken in the heist.

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data,” the gang wrote in typical fashion.

“We sell only to one hand, no reselling, you will be the only owner!” it said.


Cybernews can also confirm an array of sample files, purportedly from the stolen cache, was posted on the Rhysida site.

Almost all of the file samples are illegible; one sample that Cybernews examined appears to be an administrative document bearing an official stamp and dated June 2023.


It's also not the first ransomware attack targeting a Latin American government. The government of Mexico found itself the victim of an alleged cyberattack carried out by the RansomHub cybercriminal gang last November, knocking its official website offline and claiming over 300 GB of data.

Rhysida has targeted municipalities before

The Russian-affiliated Rhysida group has claimed more than 182 victims on its dark blog since its inception in May 2023.

The gang is known for going after “targets of opportunity” and has infiltrated various sectors, including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.

Similarly, this January, the group claimed to have infiltrated the servers of Montreal-Nord in Quebec province, asking the Canadian borough to pay out a $1 million (10 BTC) ransom demand. And, last July, Rhysida successfully targeted the City of Columbus, Ohio, triggering weeks-long outages of city services and the reconstruction of the city’s official website.

In the last quarter of 2024, Rhysida also made headlines targeting (and taunting) the Seattle-Tacoma International Airport with a 100 BTC ransom demand after an attack that caused a weeks-long systemwide outage at the busy West Coast hub. The Sea-Tac breach even forced some major airlines, like Delta, Singapore, and Alaska Airlines, to handwrite passenger boarding passes.


In October that year, Rhysida also claimed an attack on Easterseals – a charitable organization dedicated to helping the disabled – along with a $1,350,000 (20 BTC) ransom tag.


A February 2024 Trend Micro profile on the group found that the threat actors often gain initial access to their victims through phishing attacks and, in the past, have “posed as a cybersecurity team that offered to help its victims identify security weaknesses in their networks and systems,” the researchers said.

Once inside a network, the group is known to probe for system vulnerabilities using the Cobalt Strike penetration-testing toolkit before launching its namesake ransomware to encrypt the victim’s systems.

The Vice Society ransomware group has been linked to Rhysida through similar tactics, techniques, and procedures (TTPs) and by using Rhysida's ransomware as an affiliate, purportedly splitting a portion of its earnings with the gang.

Other previous victims include the Washington Times, the UK’s National British Library, the Anne & Robert H. Lurie Children’s Hospital in Chicago, and the Prospect Medical Group network of US hospitals and healthcare facilities.

Last February, a research team from the Korea Internet & Security Agency (KISA) was able to break the gang’s encryption and published a free Rhysida decryption tool and manual on its website.
