Ransomware gang Rhysida has claimed responsibility for a cyberattack against the British Library last month and launched an auction on its victim blog for the data it alleges it has stolen. The organisation added that the sale will conclude by 27 November with bids opening at 20 Bitcoin, equivalent to £591,000 at the time of writing. This announcement was accompanied by an image showing a selection of the data stolen during its alleged hack, according to The Register, including employment documents and several passport scans.
The claim follows a devastating cyberattack against the British Library in October that crippled most of its online services. The outage took the institution’s website, public Wi-Fi and card payment services offline, in addition to its online ordering system (the gift shop, however, remains inviolate). Since the attack, the British Library has resorted to updating the public using its X (formerly Twitter) account. A recent post confirmed that the outage had been caused by a ransomware attack. As such, the post continued, “We’ve taken targeted protective measures to ensure the integrity of our systems and we’re undertaking a forensic investigation with the support of NCSC, the Metropolitan Police and cybersecurity specialists.”
Since the attack, many researchers have seen their projects slowed or halted. One London-based historian told the Telegraph that it was now impossible to order items from the British Library’s satellite book depository in West Yorkshire. “It’s possible to get some books, but everything has to be done by hand,” said Elizabeth Prochaska. “Only certain types of books can be ordered – ones that are here.”
Wrong side of Rhysida
Rhysida was first documented by security researchers in May when it claimed to have hacked the Chilean Army. Operating according to a ‘ransomware-as-a-service’ model, the gang leases the use of its ransomware software to other criminals for a fee. After being deployed via phishing attacks, this malware not only locks its victims’ systems but also exfiltrates sensitive data. Access to both is then ransomed. Rhysida’s previous victims also reportedly include the Portuguese city of Gondomar, an operator of 16 US hospitals and the University of the West of Scotland.
Precisely why Rhysida targeted the British Library remains unknown (the institution did not respond to a request for comment from Tech Monitor). The fact that the gang has begun an auction of the data it allegedly stole from the institution has indicated to some cybersecurity experts that ransom negotiations between the two have broken down. “Rhysida are likely to have not been paid the ransom they have finally demanded and are now pushing out the next phase of the attack by threatening [the] release of data,” ESET’s global cybersecurity advisor Jake Moore told The Register.
A more unusual version of this brinkmanship occurred last week, when the ransomware group BlackCat reported one of its victims to the US Securities and Exchange Commission – though, as a public body funded by the UK government, which is opposed to ransomware payments, a ransom payment from the British Library may always have been unlikely.