The Washington Times newspaper claimed by Rhysida ransomware cartel


Major US news outlet The Washington Times has been named as the latest Rhysida ransomware victim, appearing front and center on the cybercriminal gang’s dark leak blog on Wednesday.

The Rhysida cartel claimed to be selling the Washington Times' “exclusive” data in an online auction, with a countdown clock showing a seven-day deadline to start.

“Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!,” the gang posted.

The asking price for the purported cache is listed at 5 bitcoin, the exact equivalent of $304,518 at crypto market rates on Wednesday.

The right-leaning Washington DC-based daily newspaper is considered one of the top ten most visited conservative media outlets in the US, receiving more than 3 million online visitors per month and over 50,000 print readers per day, according to a report by Statista.

The Beltway newspaper was first offered as an alternative to the more liberal Washington Post daily newspaper during the Reagan administration.

[Image: Rhysida Washington Times post. Rhysida dark leak site. Image by Cybernews.]

The ransomware group was recently associated with last month’s attack on the US City of Columbus, Ohio, which involved a purported 6T of sensitive data exfiltrated from the municipality.

Similar to The Washington Times, the Midwestern city was also given a seven-day countdown on the Rhysida leak site before the stolen cache was published by the gang on August 5th.

Rhysida did not specify the amount of the data it claims to have stolen from Times servers, but did provide an alleged sample as ‘proof’ of the attack.

Although the sample was difficult to make out, Cybernews was able to examine it. It appeared to contain various corporate files, including bank statements, employee documents, and a copy of someone’s Texas driver's license and social security card.

[Image: Rhysida Washington Times sample. Rhysida dark leak site. Image by Cybernews.]

Cybernews was not able to independently verify the claims and has reached out to the Washington Times, which did not respond before publication. The Times website was up and running with no obvious disruptions on Wednesday.

Offered in both print and online, The Washington Times was founded in 1982 by the international media conglomerate News World Communications, which is associated with the Unification Church Christian religious movement.

Besides The Washington Times, the Unification Church – whose followers were dubbed the ‘Moonies’ after its Korean founder and leader Sun Myung Moon – owns several other media outlets worldwide, including the US wire service United Press International (UPI), as well as newspapers in Japan, South Korea, and South America.

The politically influential movement, which has been called a dangerous cult over the years, changed its name to the Family Federation for World Peace and Unification (FFWPU) in 1994.

Rhysida victim count rises

The Russian-affiliated Rhysida group has claimed 114 victims on its dark blog since its inception in May 2023.

The gang is known for going after “targets of opportunity” and has infiltrated various sectors including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang from last November.

Rhysida is said to operate as a ransomware-as-a-service (RaaS) outfit selling its “unsophisticated” hacking tools to other “criminal affiliates” for a cut of the profits, and often practices double extortion, where even after a victim has paid for a decryption key, the gang threatens to leak the stolen data unless it receives a second payout.

This year the gang claimed responsibility for breaching the UK’s national British Library, considered the world’s largest repository of historical knowledge, as well as the Anne & Robert H. Lurie Children’s Hospital in Chicago.

[Image: Rhysida August 2024 victim count. Rhysida dark leak site. Image by Cybernews.]

In a move criticized as ‘lower than low’ by security researchers, after its $4 million ransom demand (60 BTC) went unpaid, Rhysida eventually leaked all of the data it had stolen from the children’s hospital as payback.

The gang also carried out attacks this year on luxury yacht dealer MarineMax, Maryland’s Prince George’s County school system, and Spider-Man video game maker Insomniac Games.

In 2023, victims included California-based healthcare conglomerate Prospect Medical Holdings (PMH), in an attack that knocked out services for dozens of hospitals and healthcare facilities across several states, as well as Munich-based video maker Travian Games.

This February, a research team from the Korea Internet & Security Agency (KISA) was able to crack the gang’s encryption code and shared a free Rhysida Decryption Tool and manual on its website.