- Rhysida ransomware group just leaked a ton of Gemini Group’s data – about 1.9TB worth – after waiting a week.
- The exposed data includes sensitive information like employee Social Security Numbers, payroll, client lists, and even health insurance documents.
- This Russia-linked group has been around since May of 2023 and says they’ve hit over 236 victims since then.

Gemini Group, a big manufacturer in the US, is currently dealing with a massive data leak after a breach. Apparently, a ransomware gang referred to as Rhysida stole two terabytes of the company’s sensitive data and released the info online. This follows failed ransom negotiations with Gemini Group.
A Tactic to Force Payment
The Russia-linked Rhysida ransomware gang has publicly leaked a huge dataset from Gemini Group Inc. The group initially posted a note on its dark web leak site at the end of October.
This is a common pressure tactic used by cybercriminals. They then granted a one-week waiting period, which is standard for Rhysida.
After that week had passed, the attackers released the data. The leaked dataset is a massive 1.9 terabytes in size. It contains over 1.7 million files that allegedly belong to the manufacturing giant.
Using open-source intelligence (OSINT) techniques, among others, security researchers have already probed its contents to verify the leak’s authenticity and scope. The company has not commented on whether it negotiated with the gang.
What Data Was Exposed?
The scope of the leaked information is severe. It exposes both the company’s internal operations and the personal lives of its employees.
The trove of data includes:
- Employee payroll and vacation balances with full names and net pay.
- Health insurance documents showing plans, vendors, and costs.
- Lists of interns and their assigned mentors.
- Client lists with company names, representative names, and addresses.
- Personal employee documents containing SSNs, home addresses, and salary details.
- Various internal invoices and yearly purchasing reports.
This exposure puts Gemini Group’s employees at serious risk. There’s now a possibility that bad actors could use the leaked data to carry out identity theft, fraud, and social engineering attacks.
Moreover, the company itself is also in a dire situation, as security researchers explained when outlining the potential fallout. They believe the leak could undermine the trust employees place in the company, especially if it fails to be candid about how serious the situation really is.
They also warned of “legal consequences and loss of trust from its clients.” Exposed financial details could even cause a competitive disadvantage.
Who is the Rhysida Gang?
Rhysida is a formidable ransomware actor known for going after “targets of opportunity.” The US Defense Department says this group is messing with education, hospitals, factories, and even the government. The sophistication of such gangs is often fueled by individuals with formal security training, a trend highlighted by the recent case of security experts who became ransomware affiliates and now face federal charges.
Security experts think these guys are from Russia or maybe a CIS country nearby. Lately, they’ve been trying to trick people into getting infected by using fake ads for things like Microsoft Teams, Zoom, and PuTTY.
And these guys? They’ve been super busy since May 2023. Cybernews’ Ransomlooker tool shows they have claimed over 236 victims.
Their recent high-profile attacks include the Maryland Department of Transportation and Cookeville Regional Medical Center. They also claimed attacks on Peru’s government, a major Brazilian auto dealership, and the Seattle-Tacoma International Airport.
In the Seattle attack, they demanded 100 BTC. Airlines had to go old-school and handwrite boarding passes during the outage.
Gemini Group, based in Bad Axe, Michigan, stands out as a Tier 1 supplier with 18 sites across the US and Mexico. Big names like Ford, Toyota, and General Motors rely on their products.
With more than 1,400 employees and $300 million rolling in each year, Gemini is a major player. The story around the breach is still developing, and so far, the company hasn’t said if they’ve had any talks with the attackers.