Rhysida ransomware gang claims attacks on governments in Portugal, Dominican Republic

A notorious ransomware gang has claimed attacks against two government institutions this week, both of which confirmed they faced a range of issues due to the incidents.

The city of Gondomar – a suburb about 20 minutes away from the Portuguese city of Porto – said on September 27 that it was the target of a cyberattack that forced officials to take systems offline and contact the country’s National Cybersecurity Center and the National Data Protection Commission and local law enforcement.

The government said that some municipal services would be disrupted while experts worked to resolve the situation. On Monday, officials clarified that all online services offered by the government would be out of operation for the week, but residents could come in person to pay bills, get permits and take other actions.

“Municipal facilities remain open during regular public service hours. There may, however, be constraints resulting from problems of access to computer systems,” they said.

By Friday, the municipality reported that its email systems were still down, making contact with local residents difficult. They again urged residents to visit their offices in person for any needs.

They did not respond to requests for comment about when services would return to normal or whether data on residents had been stolen.

The Rhysida ransomware gang claimed to be behind the attack on Thursday evening, according to cybersecurity expert Dominic Alvieri. They shared samples of passports and other financial documents allegedly stolen from the municipality on their leak site.

The gang recently drew headlines in the U.S. for its devastating attack on Prospect Medical Holdings – which operates 16 hospitals in several states and was forced to redirect ambulances as a result of the incident. The gang previously attacked a hospital in Portugal as well.

The ransomware gang has continued to target governments across the globe, with attacks on Kuwait, Chile and the Caribbean island of Martinique in recent months.

In addition to the attack on Gondomar, the group announced another attack on the Dominican Republic’s Migration Agency, which handle’s the country’s immigration system.

The agency confirmed the incident on Wednesday, publishing a statement saying the hackers stole data.

“These situations, which have increased globally and are becoming more frequent in state institutions and are carried out by groups of international cybercriminals, lead us to work diligently with the authorities to determine the extent of the leak and to make a firm commitment to take action to mitigate the impact and protect the privacy of those affected,” a spokesperson for the Dirección General de Migración said.

Officials said they first detected unusual activity on September 14 before notifying the country’s National Cybersecurity Center.

The data breach involved names, addresses and dates of birth, but the agency said its systems were not encrypted during the attack.

“Since the detection, we have collaborated with the National Cybersecurity Center to implement remediation measures, strengthen controls and monitor possible anomalous activities,” they said.

Rhysida actors posted the organization on its leak site on Wednesday, giving the country seven days to pay a ransom. It is selling the information for 25 BTC – worth about $700,000.

The group – named after centipedes – first emerged in late May 2023 and little is known about their operations.