Attackers drop terabytes of US manufacturing giant’s data

The Rhysida ransomware gang has leaked nearly 2TB of sensitive data from US manufacturing giant Gemini Group, exposing employee and client records across North America.
The Russia-linked ransomware gang dropped a note on its dark web leak site, claiming to have stolen data from US manufacturing giant Gemini Group INC.
Ransomware gangs often use leak sites as a means to pressure companies into paying a ransom. However, if the negotiations fail, the attackers often drop stolen datasets online for anyone to download.
This is likely to be the case for the Gemini Group. The note first appeared at the end of October. After granting a one-week waiting period, a common tactic for the Rhysida gang, the attackers released a 1.9TB dataset containing over 1.7 million files allegedly belonging to the company.
Cybernews researchers have investigated its contents.
What data was leaked on the dark web
- List of interns and their mentors
- Employee payroll & vacation balance documents, including full names, job positions, hire dates, net pay amounts, and number of days taken off
- Internal document templates
- List of customers, including company names, full names of representatives, and company addresses
- Various invoices
- Yearly purchasing reports
- Health insurance documents, including vendor names, services, health insurance plans used by the company, and their costs
- Leaked personal employee documents and pictures, including their PII, home addresses, SSNs, dates of birth, and salary details
Exposing sensitive employee data puts those employees at risk of identity theft, fraud, social engineering, or even potential physical security risks.
“This leak could undermine employee trust in the company, especially if they are not fully transparent about the situation. The company could face legal consequences and loss of trust from its clients as well, and exposed financial details could cause a competitive disadvantage,” the Cybernews research team explained.
Cybernews has contacted Gemini Group for comment and clarification about the cybersecurity incident and whether they had negotiated with the attackers. A response has yet to be received.
Headquartered in Bad Axe, Michigan, Gemini Group is a Tier 1 supplier with 18 locations in the United States and Mexico. Major automotive companies that have used Gemini Group’s production include Ford, Toyota, and General Motors.
The company provides a range of products and services, including plastic extrusion, blow molding, and metal tooling for forging and aluminum extrusion.
The company has more than 1,400 employees and generates $300 million in annual revenue.
What is Rhysida ransomware?
The gang is known for going after “targets of opportunity.” It has infiltrated various sectors, including education, healthcare, manufacturing, and local governments, according to an updated US Defense Department profile on the gang.
Security researchers at Barracuda noted that the group appears to be either from Russia or a country in the Commonwealth of Independent States (CIS), which includes former Soviet Union nations like Belarus, Kazakhstan, and others.
In its latest operation, Rhysida was caught using malvertisements posing as Microsoft Teams, Zoom, and PuTTY to phish users, aiming to infect their devices with malware and gain access to company data through employees who use these tools.
According to Cybernews' dark web monitoring tool Ransomlooker, the gang has claimed more than 236 victims on its dark blog since its inception in May 2023.
In September, the gang claimed to have breached the Maryland Department of Transportation (MDOT), which operates one of the largest ports in the USA. Data samples of stolen information included passports, IDs, background checks, and other sensitive documents.
In August, a Rhysida attack caused chaos at the Cookeville Regional Medical Center, serving the surrounding Tennessee and Kentucky regions. The gang posted over a dozen data samples containing patient information, and the outage prompted IT teams to work around the clock to restore the systems.
In May, the gang claimed to have attacked Peru's government systems. The official government website manages the National Identification Registry, which includes passports, taxpayer information, health insurance, police records, labor records, and more. The Peruvian government denied the ransomware attack.
It has also claimed to have breached one of Brazil’s biggest auto dealerships, named Carrera. Among the allegedly stolen sensitive data were passports and contracts. The gang asked for a ransom of $1 million.
Back in January, the Rhysida gang claimed it had cracked into the servers of Montreal-Nord, a borough in Quebec province, and slapped them with a $1 million ransom demand.
In the third quarter of 2024, Rhysida also made headlines by targeting the Seattle-Tacoma International Airport with a 100 BTC ransom demand. The attack wrecked critical systems and triggered a multi-week outage that brought one of the West Coast’s busiest hubs to its knees.
Airlines like Delta, Singapore, and Alaska were reportedly forced to go full analog and issue handwritten boarding passes.
The same year, the gang claimed a major US news outlet, the Washington Times as a victim. It claimed to be selling the Washington Times' “exclusive” data in an online auction for five bitcoins.