Rhysida, a ransomware group thought to operate from Russia or elsewhere in the CIS, has attacked companies and institutions in several countries. Its core method is the familiar one: it renders an organisation's computers unusable by infecting them with file-encrypting malware, then demands a payment, typically in cryptocurrency, to unlock the files.
Like most modern gangs it also practises "double extortion": data is stolen at the same time as it is encrypted, and the group threatens to publish it online in the hope of strengthening its negotiating hand. Rhysida identified itself as the attacker this week by posting low-resolution images of personal information taken in the attack, and it offered the stolen data for sale on its leak site with a starting bid of 20 bitcoin, about £590,000.
The attack primarily affected Gallery Systems' eMuseum platform, which lets visitors browse museum collections online. Websites for institutions including the Museum of Fine Arts Boston, the Rubin Museum of Art in New York and the Crystal Bridges Museum of American Art went offline, as did many other gallery websites connected to these systems. The impact went beyond public access, however.
Some museums reported losing access to Gallery Systems' collections-management product, TMS, which holds sensitive records such as donor details, loan agreements and artwork provenance. The British Library, meanwhile, confirmed that personal data stolen in a cyber-attack last month has appeared for sale online.
Gallery Systems has over 800 clients, some 260 or more of which use the eMuseum and TMS platforms.
A customer notification issued by Gallery Systems reads:-
Rhysida is deployed in several ways. The primary methods are delivery through Cobalt Strike, a legitimate penetration-testing framework widely abused by threat actors for its post-exploitation capabilities, and phishing campaigns. Because neither method is specific to any particular type of organisation, Rhysida's targets can span a wide range of sectors and industries.
Rhysida writes its ransom notes as PDF documents into the affected folders on the targeted drives. On its own, the note format says little about which systems the group targets: a PDF dropped beside encrypted files is meant to be opened by a person on their own workstation, so it does not imply that only PDF-capable hosts are encrypted, nor that servers or network devices are out of scope. What the pattern does give defenders is something to hunt for: an identical file appearing in a large number of directories at once.
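The note-drop pattern is worth turning into a concrete hunt, so the following is an added example (not code from the original page or from any vendor report). It walks a directory tree, hashes every PDF by content so the file name is irrelevant, and reports any hash that appears in at least a configurable number of distinct directories; the threshold of three and the sample tree it builds are assumptions for the demonstration, and the sample "note" is a constructed stand-in, not real ransomware output.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Content hash so the hunt is independent of the note's file name."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replicated_pdfs(root, min_dirs: int = 3) -> dict:
    """Return {sha256: [directories]} for every PDF whose identical content
    sits in at least `min_dirs` distinct directories under `root`.
    A ransom note dropped per folder shows up as one hash in many directories;
    ordinary documents rarely do."""
    dirs_by_hash = defaultdict(set)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".pdf"):
                continue
            try:
                dirs_by_hash[sha256_of(Path(dirpath) / name)].add(dirpath)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
    return {h: sorted(d) for h, d in dirs_by_hash.items() if len(d) >= min_dirs}


def build_sample_tree() -> Path:
    """Constructed sample data for the demo (not real ransomware output):
    one stand-in note copied into four folders, plus two distinct PDFs."""
    root = Path(tempfile.mkdtemp(prefix="notehunt_"))
    note = b"%PDF-1.4\n% constructed stand-in for a ransom note\n"
    for sub in ("Finance", "HR", "Loans/2023", "Provenance"):
        folder = root / sub
        folder.mkdir(parents=True)
        (folder / "ReadMe.pdf").write_bytes(note)
    (root / "Finance" / "invoice.pdf").write_bytes(b"%PDF-1.4\n% invoice 001\n")
    (root / "HR" / "policy.pdf").write_bytes(b"%PDF-1.4\n% policy v2\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for digest, folders in find_replicated_pdfs(sample_root).items():
        print(f"{digest[:16]}... appears in {len(folders)} directories:")
        for folder in folders:
            print("   ", folder)
```

Run against a real file share the threshold should be raised well above three, since templates and forms are legitimately replicated; the useful signal is a hash that appears in hundreds of folders and has a creation time clustered within minutes, which is the sweep to combine this with.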
The group threatens victims with public release of the exfiltrated data, which puts it in line with modern multi-extortion groups; Rhysida can be added to the list of gangs following the double-extortion strategy.
Rhysida's ransomware is a 64-bit Windows Portable Executable (PE) file-encrypting application compiled with MinGW/GCC.
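Those two attributes, a 64-bit PE and a MinGW/GCC build, are cheap to check during sample triage, and the following is an added example of doing so (not code from the original page or from any vendor analysis). It reads the DOS header, locates the PE signature, takes the machine type from the COFF header and the magic value from the optional header to decide word size, and then looks for the strings GCC and MinGW toolchains usually leave behind; the marker list is an assumption for triage, and the stub executable it builds is a constructed, header-only blob that is neither loadable nor malware.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B        # 32-bit optional header
PE32_PLUS_MAGIC = 0x20B   # 64-bit optional header
IMAGE_FILE_DLL = 0x2000
# Strings GCC/MinGW toolchains typically leave in the image (assumed list for
# triage; they are trivially stripped, so treat a hit as a hint, not proof).
GCC_MARKERS = (b"GCC: (GNU)", b"mingw", b"MinGW", b"libgcc")


def pe_summary(data: bytes) -> dict:
    """Parse just enough of a PE image to report word size and toolchain hints."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 2:
        raise ValueError("optional header missing")
    magic = struct.unpack_from("<H", data, coff + 20)[0]  # first optional-header field
    markers = sorted({m.decode() for m in GCC_MARKERS if m in data})
    return {
        "machine": hex(machine),
        "is_64bit": magic == PE32_PLUS_MAGIC and machine == IMAGE_FILE_MACHINE_AMD64,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "gcc_markers": markers,
        "looks_like_mingw": bool(markers),
    }


def build_stub(pe32plus: bool, toolchain_string: bytes) -> bytes:
    """Constructed header-only PE stub for the demo: not loadable, not malware."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    opt_size = 0xF0 if pe32plus else 0xE0
    # EXECUTABLE_IMAGE plus LARGE_ADDRESS_AWARE (64-bit) or 32BIT_MACHINE (32-bit)
    characteristics = 0x0022 if pe32plus else 0x0102
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    magic = PE32_PLUS_MAGIC if pe32plus else PE32_MAGIC
    optional_header = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    return dos_header + b"PE\0\0" + coff_header + optional_header + toolchain_string


def triage_file(path: str) -> dict:
    """Convenience wrapper for a real sample on disk."""
    with open(path, "rb") as f:
        return pe_summary(f.read())


if __name__ == "__main__":
    print(pe_summary(build_stub(True, b"GCC: (GNU) 12.2.0")))
```

The word-size check is reliable because it comes from header fields the loader itself depends on; the toolchain check is not, so use it to confirm a match against a published profile rather than to attribute an unknown binary.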