Rhysida ransomware steals a massive trove of Chilean military files

A ransomware group called Rhysida has leaked files online that it claims were stolen from the Chilean Army (Ejército de Chile) network.

Chilean cybersecurity firm CronUp issued a statement saying the Chilean army confirmed on May 29 that its systems were affected by a cybersecurity incident on May 27.

After the attacker compromised the system, Chile immediately quarantined the network, and military security experts began restoring the affected systems and reported the incident to the Chilean Computer Security Incident Response Team (CSIRT) of the Joint Chiefs of Staff and the Ministry of Defense. Coincidentally, a few days after the cyberattack was revealed, local media reported that an Army corporal had been arrested for his involvement in the ransomware attack.

Large amount of data stolen from Chilean military

After successfully stealing the data, the Rhysida ransomware group added it to its data leak website, arrogantly stating that the published data represented only 30 percent of everything stolen from the Chilean military's network. Scarily, CronUp security researcher Germán Fernández notes that the Rhysida ransomware group released some 360,000 Chilean army documents. If that is 30%, more than 1 million documents were stolen from the Chilean military.

The Rhysida ransomware ring was first discovered on May 17, 2023, by MalwareHunterTeam, which describes itself as a "cybersecurity team" designed to help victims secure their networks. Since then, the Rhysida ransomware group has "added" eight victims to its dark web data breach site, and has published the stolen data of five of them.

SentinelOne claims the Rhysida threat attackers deployed Cobalt Strike or a similar command-and-control (C2) framework to compromise the target network through a phishing attack and drop payloads on compromised systems.

Security researchers who analyzed a sample report that the group's malware encrypts files with the ChaCha20 algorithm, and that the malware appears to still be under development because it lacks features that are standard in most other ransomware. When executed, it launches a cmd.exe window, starts scanning the local drives, and "drops" a PDF ransom note called CriticalBreachDetected.PDF after encrypting the victim's files.

The ransom note directs the victim to the group's Tor leak portal, where they are told to enter a unique identifier from the note to obtain payment instructions.
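As an added defender-side example (not code from the article or from any of the firms it quotes), the script below correlates constructed endpoint events and flags hosts where a file named like the ransom note above is written into several directories by a cmd.exe process, which is the post-encryption behaviour the article describes. The event format, field names and host names are assumptions.

```python
import json
import ntpath
from collections import defaultdict

RANSOM_NOTE_NAME = "CriticalBreachDetected.PDF"   # note name reported in the article

# Constructed sample events (not real telemetry), one JSON record per line, in the
# shape an EDR/Sysmon export might give: process creation and file creation events.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "event": "process_create", "pid": 4120, "image": "C:\\Windows\\System32\\cmd.exe"}
{"host": "ws-01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\ana\\Documents\\CriticalBreachDetected.PDF"}
{"host": "ws-01", "event": "file_create", "pid": 4120, "path": "C:\\Users\\ana\\Pictures\\CriticalBreachDetected.PDF"}
{"host": "ws-01", "event": "file_create", "pid": 4120, "path": "D:\\Shares\\CriticalBreachDetected.PDF"}
{"host": "ws-02", "event": "process_create", "pid": 900, "image": "C:\\Windows\\System32\\cmd.exe"}
{"host": "ws-02", "event": "file_create", "pid": 900, "path": "C:\\Temp\\criticalbreachdetected.pdf"}
{"host": "ws-03", "event": "file_create", "pid": 77, "path": "C:\\Users\\bob\\report.pdf"}
"""

def summarize_note_drops(event_lines):
    """Per host: how many distinct directories received a ransom note, and whether
    the writing process was cmd.exe (the launcher the article names)."""
    events = [json.loads(l) for l in event_lines.strip().splitlines()]
    cmd_pids = defaultdict(set)      # host -> pids of cmd.exe processes
    note_dirs = defaultdict(set)     # host -> directories that hold a note
    via_cmd = defaultdict(bool)
    # First pass: learn which pids are cmd.exe, so ordering of events does not matter.
    for ev in events:
        if ev["event"] == "process_create" and ntpath.basename(ev["image"]).lower() == "cmd.exe":
            cmd_pids[ev["host"]].add(ev["pid"])
    # Second pass: match the note name case-insensitively (NTFS is case-preserving,
    # not case-sensitive) and record the directory it landed in.
    for ev in events:
        if ev["event"] == "file_create" and ntpath.basename(ev["path"]).lower() == RANSOM_NOTE_NAME.lower():
            note_dirs[ev["host"]].add(ntpath.dirname(ev["path"]).lower())
            if ev["pid"] in cmd_pids[ev["host"]]:
                via_cmd[ev["host"]] = True
    return {h: {"note_dirs": len(d), "via_cmd": via_cmd[h]} for h, d in note_dirs.items()}

def alert_hosts(event_lines, min_dirs=2):
    """Hosts where the note appears in at least min_dirs directories: one copy may be
    a user saving an attachment, copies across the drive match the drop pattern."""
    summary = summarize_note_drops(event_lines)
    return sorted(h for h, s in summary.items() if s["note_dirs"] >= min_dirs)

if __name__ == "__main__":
    summary = summarize_note_drops(SAMPLE_EVENTS)
    for host in alert_hosts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {summary[host]}")
```

The threshold is a tuning knob: in a real pipeline the note name would come from a threat-intel feed rather than a constant, and the second pass would typically add a time window.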