Internal documents leaked as Rhysida claims responsibility for British Library ransomware attack

The British Library, which was hit by a ransomware attack that has disabled its computer systems, website, phone network and public Wi-Fi for more than three weeks, confirmed yesterday that internal HR documents have been leaked following the attack.

The Rhysida ransomware group has claimed responsibility for the attack, which has left readers seeking access to books and manuscripts having to make requests from manual catalogues at the library’s King’s Cross building, in what it describes as a “very limited service”.

On Monday 20 November, the hacking group launched a seven-day auction on its website, offering data it claims to have stolen from the British Library.

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner,” it said.

Rhysida has listed a bid price of 20 bitcoins (about £600,000) on a site on the dark web to purchase the data, but may publish the data anyway if there are no takers.

The library has made no public comment on Rhysida’s claims, but said in an update on X, formerly known as Twitter, that some HR data appeared to have been leaked from its internal HR files.

A low-resolution image on Rhysida’s Tor website appears to show passports and employment-related documents.

“We have no evidence that data of our users has been compromised,” the library said in an update. “However, if you have a British Library login and your password is used elsewhere, we recommend changing it as a precautionary measure.”

The library has faced significant disruption to its sites in St Pancras, London, and its annex in Boston Spa, Yorkshire, since it reported that a “technical issue” had affected its IT systems on 28 October. It confirmed on 14 November that it had been hit by a ransomware attack.

The library has been left without a working phone service or website, and is only able to take cash payments. It confirmed in updates that it is working with the Metropolitan Police and the National Cyber Security Centre (NCSC) to conduct a forensic investigation.

High price demanded for British Library data

Victoria Kivilevich, director of threat research at security company KELA, said the price demanded by Rhysida for the British Library data was relatively high, but not the highest, which was 50 bitcoins for data stolen from Prospect Medical Holdings in August 2023.

“Rhysida group doesn’t always manage to sell the data they try to auction, as can be seen from looking at their website. For example, they recently tried to sell data stolen from Azienda Ospedaliera Universitaria Integrata di Verona for 10 bitcoins, but it is now publicly available on their website, indicating there were no buyers,” she said. 

An advisory note from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) last week said the malware, first identified in May 2023, is offered as ransomware-as-a-service (RaaS) to criminal affiliates, who then share profits with the ransomware's operators.

Hackers gain access through VPNs

Criminals typically gain initial access to victim networks by exploiting known, unpatched vulnerabilities, such as Zerologon (CVE-2020-1472), a flaw in the Windows Netlogon protocol that lets an attacker already on the network take control of a domain controller.

Attackers have also used compromised credentials to log in to virtual private networks (VPNs), particularly where organisations have not enforced multifactor authentication on remote access.

Groups using the malware engage in “double extortion” by demanding a ransom payment to decrypt victims’ data and threatening to publish the data unless a ransom is paid.

Victims receive a PDF ransom note that provides each company attacked with a unique reference code and instructions to contact the group on the dark web.

Jim Walter, senior threat researcher at SentinelLabs, told Computer Weekly: “Some of their early, and notable, targeting included the Chilean Army. They have also hit government targets in Kuwait and the Dominican Republic.

“In addition to government entities, Rhysida has targeted organisations in the education and academic sectors, so an attack on the British Library is within the group’s purview,” he added.

Marcelo Rivero, senior malware research engineer at Malwarebytes, said Rhysida typically uses “living off the land” techniques to exploit network administration tools built into the Windows operating system. This allows attackers to evade detection by blending in with normal network activities.
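Because “living off the land” activity uses tools that are already on every Windows host, it cannot be blocked by a file-hash blocklist; it has to be detected from context, namely which process launched the tool and with what arguments. The script below is an added illustration of that idea and is not code from the article, from Malwarebytes or from any advisory it cites. It assumes process-creation records in the shape of Sysmon Event ID 1 flattened to JSON lines, and the watchlist of built-in tools, the argument patterns and the sample events are all constructed for the example rather than taken from the Rhysida case.

```python
"""Flag 'living off the land' process activity in process-creation logs.

Added example, not code from the article or any vendor quoted in it.
Assumes Sysmon-style Event ID 1 records flattened to JSON lines with the
fields Image, ParentImage and CommandLine. The watchlist, the argument
patterns and the sample events are constructed for illustration.
"""
import json
import re

# Built-in Windows tools that are normal in an administrator's hands but
# suspicious when spawned from an Office document or a web server worker,
# or when run with ransomware-typical arguments. Assumed watchlist.
ADMIN_TOOLS = {
    "powershell.exe", "wmic.exe", "net.exe", "net1.exe", "schtasks.exe",
    "vssadmin.exe", "bcdedit.exe", "reg.exe", "sc.exe", "cmd.exe",
}

# Parents from which those tools should essentially never be launched.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}

# Command-line patterns typical of pre-encryption preparation and evasion.
SUSPICIOUS_ARGS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion"),
    (re.compile(r"-(enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell"),
    (re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I), "recovery disabled"),
    (re.compile(r"\bnet1?(\.exe)?\s+(user|group)\s+.*\s+/add\b", re.I), "account creation"),
    (re.compile(r"\bsc(\.exe)?\s+(stop|delete)\b", re.I), "service tampering"),
]


def basename(path):
    """Lower-cased file name of a Windows path (handles either slash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event looks suspicious (empty list if benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    if image in ADMIN_TOOLS and parent in UNUSUAL_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(cmdline):
            reasons.append(label)
    return reasons


def scan(lines):
    """Parse JSON-lines events; return (event, reasons) for each flagged one."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample events: two benign, three that should be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"net use Z: \\fileserver\share /persistent:no"},
    {"Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net user svc_backup Winter2023! /add"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_LINES):
        print(basename(event["Image"]), "<-", basename(event["ParentImage"]),
              "|", "; ".join(reasons))
```

The two benign events pass because a PowerShell launched from Explorer or a `net use` mapping a share are everyday activity; the flagged ones are caught by parentage (Word spawning PowerShell) or by arguments (an encoded command, shadow-copy deletion, a new local account). In practice the watchlist and patterns would be tuned against an organisation's own baseline, since the whole point of the technique is that the binaries themselves are legitimate.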