Rhysida ransomware group claims attack on Martinique

A ransomware group that first emerged in May has added the government of Martinique to its leak site.   Although there is no current notice on Martinique’s Facebook page, on May 24, they posted a notice about the cyberattack: A machine translation of the notice reads: #Cyberattack Implementation of the continuity plan On May 16, 2023, a cyberattack impacting the Community was detected. As soon as it was discovered, measures were taken to isolate the information system and stopping the attackers: this disrupts heavily on the activities of the community and directly impacts its users and partners. The teams, accompanied by cybersecurity experts, are mobilized to identify the causes of this attack and gradually restore the activities, in particular on the priority themes that are the finance, solidarity and education. Regarding the solidarity services, the Collectivity makes every effort to ensure the payment of the social benefits due. Regarding the education services, technical solutions are set up to restore internet access to colleges and high schools.The services of the rectorate and the CTM coordinate in order to ensure the good performance of exams. Regarding financial services, from Thursday, the Community will be able to issue purchase orders and ensure the payment of bills. These must be filed in the format paper from the “mail” service in Plateau Roy. Concerning aid and subsidy services, the filing of requests will be made in paper format to the “mail” service at Plateau Roy due to the unavailability of dedicated platforms. There does not seem to be any update on their Facebook page since then.   DataBreaches did not review all of the files leaked by the Rhysida ransomware group, but as the screencap of just a small portion of the file listing suggests, they do appear to be government-related files. Unlike other groups that often provide a brief summary of what kinds of files they are leaking, Rhysida offers no information on the size of the data leak or its contents.   DataBreaches attempted to contact Rhysida to ask whether they had locked Martinique’s files and whether Martinique had attempted to negotiate with them at all.  DataBreaches also sent an email to Martinique asking them a number of questions about the claimed attack and data leak. Replies were not received by publication from either, but if the attack occurred on or about May 16, and there are leaked files dating to shortly before that date, then Rhysida didn’t wait long to dump the data. Because Rhysida ransomware first appeared in May, not much is known about the ransomware or the group. The Martinique listing is one of four listings on the leak site, with the other listings being an English school, a Swiss manufacturer, and an Australian immunodiagnostic tech firm. If Rhysida has any particular focuses or sector, it is not yet clear. And unlike some other groups like BlackCat, LockBit, and Royal, they do not seem to be listing victims to warn them publicly before leaking them. The only entries on the site currently are the ones that they have leaked totally. None of the listings indicate when Rhysida attacked or encrypted the victims. Sentinel One and Secplicity both provide early information and analyses of Rhysida ransomware and how the group operates.    

About The Author