Rhysida ransomware gang claims British Library cyberattack

Hackers in library

The Rhysida ransomware gang has claimed responsibility for a cyberattack on the British Library in October, which has caused a major ongoing IT outage.

Rhysida is auctioning off the data it reportedly stole from the United Kingdom's national library systems. The gang is accepting bids from interested parties over the next seven days.

"With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data," the gang says.

"Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!"

The ransomware group also leaked a low-resolution screenshot of what looks like ID scans stolen from the library's compromised system.

On Wednesday, the FBI and CISA warned of Rhysida's opportunistic attacks targeting organizations across a broad range of industry sectors.

"Threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors," the two agencies said.

"Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates."

British Library entry on Rhysida's leak websiteBritish Library auction on Rhysida's leak website (BleepingComputer)

Stolen HR documents leaked online

A leak of HR documents stolen from the British Library was also confirmed today by the library's press office, which warned users to reset their passwords as a precautionary measure.

However, the UK's national library has yet to find evidence that the attackers have gained access to other information during the incident.

"We have now confirmed that this was a ransomware attack, by a group known for such criminal activity. We are aware that some data has been leaked, which appears to be from files relating to our internal HR information," it said.

"We have no evidence that wider user data has been compromised. However, we are recommending as a precautionary measure that if users have a password for British Library services that they also use elsewhere, they should change it."

The British Library first confirmed that a ransomware attack was behind this major outage last week.

The attackers encrypted the library's systems on Saturday, October 28, and the resulting IT outage continues to impact the British Library's online systems, services, and certain onsite facilities, such as Wi-Fi, with the website still offline almost three weeks after the attack.

The library estimates that it will restore many of its services within the next few weeks, but some disruptions might persist for an extended period.

The library's website sees an annual influx of over 11 million visitors, while its collections are accessed daily by more than 16,000 individuals onsite and online. 

The British Library collection spans over 150 million items stored across 625 kilometers of shelves. Approximately 3 million new items are added to its archives yearly as the library receives copies of every publication released in the UK and Ireland.