Rhysida

Threat actors behind a recently surfaced ransomware operation known as Rhysida have leaked online what they claim to be documents stolen from the network of the Chilean Army (Ejército de Chile).

The leak comes after the Chilean Army confirmed on May 29 that its systems were impacted in a security incident detected over the weekend on May 27, according to a statement shared by Chilean cybersecurity firm CronUp.

The network was isolated following the breach, with military security experts starting the recovery process of affected systems.

The army reported the incident to Chile's Computer Security Incident Response Team (CSIRT) of the Joint Chiefs of Staff and the Ministry of National Defense.

Days after the attack was disclosed, local media reported that an Army corporal was arrested and charged for his involvement in the ransomware attack.

The Rhysida ransomware gang has now published 30% of all the data they claim to have stolen from the Chilean Army's network after initially adding it to their data leak site and claiming the attack.

"Rhysida ransomware published around 360,000 Chilean Army documents (and according to them, it's only 30 %)," CronUp security researcher Germán Fernández said.

Chilean Army entry on Rhysida's leak site (BleepingComputer)

The Rhysida ransomware gang describes itself as a "cybersecurity team" that aims to help victims secure their networks, and it was first spotted by MalwareHunterTeam on May 17, 2023.

Since then, the ransomware group has already added eight victims to its dark web data leak site and has published all stolen files for five of them.

Rhysida threat actors are breaching the targets' networks via phishing attacks and dropping payloads across compromised systems after first deploying Cobalt Strike or similar command-and-control (C2) frameworks, according to SentinelOne.

Samples analyzed so far show that the gang's malware uses the ChaCha20 algorithm and that it is still in development, as it lacks features most other ransomware strains ship with by default.

Upon execution, it launches a cmd.exe window, starts scanning the local drives, and drops PDF ransom notes named CriticalBreachDetected.pdf after encrypting the victims' files. 
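As an added example (not code from the article or from the researchers it quotes), the detection logic below runs over constructed file-creation events and flags hosts where the reported ransom-note name is written into several directories within a short window, which is the pattern an encryption sweep leaves behind; the event format, host names and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Ransom-note file name reported for Rhysida in the article.
RANSOM_NOTE = "CriticalBreachDetected.pdf"

# Constructed sample telemetry (JSON lines), not real events.
# ws-01: three notes in three folders within two minutes -> suspicious.
# ws-02: a single copy of the note -> below threshold.
# ws-03: three notes spread over two hours -> outside the window.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-05-27T02:10:01Z", "host": "ws-01", "proc": "cmd.exe",
     "path": r"C:\Users\ana\Documents\CriticalBreachDetected.pdf"},
    {"ts": "2023-05-27T02:10:40Z", "host": "ws-01", "proc": "cmd.exe",
     "path": r"C:\Users\ana\Pictures\CriticalBreachDetected.pdf"},
    {"ts": "2023-05-27T02:11:55Z", "host": "ws-01", "proc": "cmd.exe",
     "path": r"D:\Shares\Finance\CriticalBreachDetected.pdf"},
    {"ts": "2023-05-27T09:00:00Z", "host": "ws-02", "proc": "explorer.exe",
     "path": r"C:\Users\bob\Downloads\CriticalBreachDetected.pdf"},
    {"ts": "2023-05-27T02:00:00Z", "host": "ws-03", "proc": "cmd.exe",
     "path": r"C:\Temp\CriticalBreachDetected.pdf"},
    {"ts": "2023-05-27T03:00:00Z", "host": "ws-03", "proc": "cmd.exe",
     "path": r"C:\Data\CriticalBreachDetected.pdf"},
    {"ts": "2023-05-27T04:00:00Z", "host": "ws-03", "proc": "cmd.exe",
     "path": r"C:\Backup\CriticalBreachDetected.pdf"},
])

def parse_events(text):
    """Parse JSON-lines file-creation events; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def flag_hosts(events, min_dirs=3, window=timedelta(minutes=10)):
    """Map host -> distinct directories hit, for hosts where the note name
    was created in at least `min_dirs` directories inside one `window`."""
    per_host = defaultdict(list)
    for e in events:
        directory, name = e["path"].rsplit("\\", 1)
        if name.lower() == RANSOM_NOTE.lower():
            per_host[e["host"]].append((e["ts"], directory))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over sorted hits
            dirs = {d for ts, d in hits[i:] if ts - start <= window}
            if len(dirs) >= min_dirs:
                flagged[host] = len(dirs)
                break
    return flagged
```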

Rhysida ransom note (BleepingComputer)

The victims are redirected to the gang's Tor leak portal, where they're told to enter the unique identifier in the ransom notes to access payment instructions.

"The payloads are missing many commodity features such as VSS removal that are synonymous with present-day ransomware," SentinelOne says.

"This said, the group threatens victims with public distribution of the exfiltrated data, bringing them in line with modern-day multi-extortion groups."
