Hernando County’s data is now available for download on the dark web. This means that the county did not pay the ransom and now Rhysida is releasing the information to anyone who wants it. They say, “All files are uploaded to public access, data hunters, enjoy.” There are 11 downloadable files, which they say contain 6,190,346 files totaling 3.2 terabytes.
Releasing the files for download is a common tactic employed by groups that distribute ransomware. They punish the organization that lost the data by releasing the data where bad actors can take advantage of it.
This means that all the data that was taken is potentially being exploited by bad actors. You need to monitor your credit, especially if, as a county vendor, you had a W-9 form with your Social Security number on it. If you own property in Hernando County, it is also a good idea to sign up for the Hernando Clerk’s property fraud alert at https://or.hernandoclerk.com/LandmarkWeb/FraudAlert.
A little background on the Rhysida Group. According to Trend Micro, the group was first observed in May 2023. The group is known to practice double extortion. The first extortion is when they lock you out of your files by encrypting them and they demand a ransom. The second extortion is that they will release your information on the dark web if the ransom is not paid. We are in the second phase at the moment.
The group is known to start their attacks with a phishing email to gain initial access. They then use PowerShell scripts to disable antivirus protection and modify Active Directory. Then, the data is encrypted with AES and the AES keys are encrypted with a 4096-bit RSA key.
South Korean researchers discovered an error in the Rhysida code and have published a decryption tool. This tool can be downloaded from the Korea Internet and Security Agency’s (KISA) website.