Rhysida Ransomware Strikes Again: China Energy Engineering Corporation Falls Victim

The Chinese firm China Energy Engineering Corporation (CEEC), a leading entity in the nation’s energy and infrastructure sectors, has fallen prey to cybercriminals. The ransomware group Rhysida has publicly disclosed the hacking of the corporation’s systems and the subsequent leak of sensitive information.

According to the hackers’ statement on the Tor network, they plan to auction these “impressive data” with an opening bid of 50 bitcoins. Should no buyer emerge, the stolen files will be publicly released seven days after the announcement.

CEEC is engaged in the development and execution of numerous projects, including initiatives in the coal industry, hydroelectric power stations, nuclear energy, and technologies reliant on renewable energy sources.

This is far from the first incident involving Rhysida. Since May 2023, the group has attacked at least 62 companies across various sectors, including education, healthcare, manufacturing, information technology, and the public sector, with the British Library being among the recent victims.

The FBI and CISA have expressed concern over the escalating activities of Rhysida. On November 15th, as part of the #StopRansomware campaign, a joint warning was issued. It contained detailed information about the methods and techniques employed by the group, as well as indicators of potential compromise that companies should vigilantly monitor.

The hackers use externally exposed remote access services, such as VPN and RDP, to gain initial access to a network, and exploit critical vulnerabilities, including Zerologon in Microsoft’s Netlogon Remote Protocol, to escalate their foothold.

The report also highlights similarities between Rhysida’s tactics and those of other notorious gangs, such as Vice Society. It has been confirmed that the group operates under the ‘ransomware-as-a-service’ (RaaS) model, supplying affiliate cybercriminals with the tools and infrastructure to deploy the ransomware in exchange for a share of the profits.