Internal documents leaked as Rhysida claims responsibility for British Library ransomware attack

Ransomware group Rhysida threatens to sell documents stolen from the British Library to the highest bidder

The British Library, which was hit by a ransomware attack that has disabled its computer systems, website, phone network and public Wi-Fi for more than three weeks, confirmed yesterday that internal HR documents have been leaked following the attack.

The Rhysida ransomware group has claimed responsibility for the attack, which has left readers seeking access to books and manuscripts having to make requests from manual catalogues at the library’s King’s Cross building, in what it describes as a “very limited service”.

On Monday 20 November, the hacking group launched a seven-day auction on its website, offering data it claims to have stolen from the British Library.

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner,” it said.

Rhysida has listed a bid price of 20 bitcoins (about £600,000) on a site on the dark web to purchase the data, but may publish the data anyway if there are no takers.

The library has made no public comment on Rhysida’s claims, but said in an update on X, formerly known as Twitter, that some HR data appeared to have been leaked from its internal HR files.

A low-resolution image on Rhysida’s Tor website appears to show passports and employment-related documents.

“We have no evidence that data of our users has been compromised,” the library said in an update. “However, if you have a British Library login and your password is used elsewhere, we recommend changing it as a precautionary measure.”

The library has faced significant disruption to its sites in St Pancreas, London, and its annex in Boston Spa, Yorkshire, since it reported that a “technical issue” had affected its IT systems on 28 October. It confirmed on 14 November that it had been hit by a ransomware attack.

The library has been left without a working phone service or website, and is only able to take cash payments. It confirmed in updates that it is working with the Metropolitan Police and the National Cyber Security Centre (NCSC) to conduct a forensic investigation.

Screenshot showing Rhysida web page selling data claimed to be stolen from the British Library.
Rhysida is selling data claimed to be stolen from the British Library on its website

High price demanded for British Library data

Victoria Kivilevich, director of threat research at security company KELA Cyber Threat Intelligence, said the price demanded by Rhysida for the British Library data was relatively high, but not the highest, which was 50 bitcoins for data stolen from Prospect Medical Holdings in August 2023.

“Rhysida group doesn’t always manage to sell the data they try to auction, as can be seen from looking at their website. For example, they recently tried to sell data stolen from Azienda Ospedaliera Universitaria Integrata di Verona for 10 bitcoins, but it is now publicly available on their website, indicating there were no buyers,” she said. 

An advisory note from the FBI and the US Cybersecurity and Information Structure Agency (CISA) last week said the malware, first identified in May 2023, is offered as ransomware as a service to criminal groups, which then share profits with the ransomware owners.

Hackers gain access through VPNs

Criminals typically gain access to infected computer systems by using known vulnerabilities, such as ZeroLogon.

Attackers have also compromised credentials to access virtual private networks (VPNs), particularly where organisations have failed to enable two-factor authentication by default.

Screenshot shows British Library website unable to load.
The British Library has been left without a working phone service or website, and is only able to take cash payments

Groups using the malware engage in “double extortion” by demanding a ransom payment to decrypt victims’ data and threatening to publish the data unless a ransom is paid.

Victims receive a PDF ransom note that provides each company attacked with a unique reference code and instructions to contact the group on the dark web.

Jim Walter, senior threat researcher at SentinelLabs, which has produced an analysis on Rhysida told Computer Weekly: “Some of their early, and notable, targeting included the Chilean Army. They have also hit government targets in Kuwait and the Dominican Republic.

“In addition to government entities, Rhysida has targeted organisations in the education and academic sectors, so an attack on the British Library is within the group’s purview,” he added.

Marcelo Rivero, senior malware research engineer at Malwarebytes, said Rhysida typically uses “living off the land” techniques to exploit network administration tools built into the Windows operating system. This allows attackers to evade detection by blending in with normal network activities. 

How the British Library attack unfolded

28 October 2023: The British library reports a “technical issue” with its website. Access to its collections is limited and its Wi-Fi is down. Visitors to the library are frustrated after travelling a long distance to conduct research to find that that they are unable to access newspaper archives and manuscripts.

29 October 2023: The library confirms that the outage has affected all its technology services, including its website, phone lines, and onsite services in London and Yorkshire. Although reading rooms are open, access to the library’s collection is “very limited” and its digital collections are unavailable. Readers are told there is limited access to publications stored in the St Pancras building in London from manual catalogues. Public events are going ahead as planned, but the library can only take cash payments.

31 October 2023: The British Library confirms a cyber security incident has caused a major outage at its sites in St Pancras in London and Boston Spa in Yorkshire. It warns disruption may continue for weeks or longer. PCs and Wi-Fi are unavailable in reading rooms. It is investigating the incident with the National Cyber Security Centre and other specialists.

2 November 2023: The library makes online booking services available on EventBright for events in coming weekend. It is not possible to buy tickets for events at the library in person. The library tells readers that it hopes to have its website back up and running soon.

7 November 2023: The library confirms that it can only accept cash payments at its bookshop.

8 November 2023: The library confirms that it has been the victim of a cyber attack. It says it is working to restore online bookings for future events.

10 November 2023. The library confirms that its phone lines are down so it is unable to take phone calls.

14 November 2023: The library confirms that it has been the victim of a ransomware attack. It is undertaking a forensic investigation with the support of the National Cyber Security Centre, the Metropolitan Police and cyber security experts.

20 November 2023: Ransomware group Rhysida claims responsibility for the attack against the library.

20 November 2023: The British Library confirms that data has been leaked from its HR files as a result of a ransomware attack. It says there is no evidence that readers’ data has been leaked but advises users to change their passwords.

Read more on Security policy and user awareness

Data Center
Data Management