Oregon DEQ won’t say if ransomware group took employee data in cyberattack


The Oregon Department of Environmental Quality on Friday declined to confirm or deny reports that a well-known ransomware group stole employee files in a recent cyberattack at the agency.

The department faced questions after several cybersecurity websites reported that ransomware group Rhysida is behind the cyberattack at the DEQ and has stolen and auctioned off the agency’s data, including sensitive employee information.

“DEQ is aware of these claims. They are still under investigation,” said DEQ spokesperson Lauren Wirtis.

DEQ originally reported it was investigating a cyberattack on April 9. The attack put a near-halt on work at the agency and shuttered vehicle emissions inspection stations. Employees worked entirely from their phones while Enterprise Information Services, which administers the state’s information technology and cybersecurity controls, rebuilt their laptops.

Emission stations reopened five days later and most agency servers are now back online, Wirtis said.

Over the past two and a half weeks, DEQ officials have repeatedly maintained the agency has found no evidence of a data breach.

But 10 days ago, according to cybersecurity websites such as Security Week, ransomware group Rhysida took credit for the cyberattack, claiming it had stolen 2.5 terabytes of files. Rhysida also said it would sell off the data for 30 bitcoin, or about $2.5 million, according to the report. The Oregonian/OregonLive could not independently confirm the report.

Wirtis declined to comment on whether Rhysida had contacted the department or if it had asked for a ransom.

Several high-profile attacks have been attributed to Rhysida ransomware in recent years, including a 2023 attack on California-based health care system Prospect Medical Holdings and a 2024 attack at the Port of Seattle.

An Oregon law says businesses and other entities must follow a stringent protocol in being transparent when data has been breached, including timely notification of residents whose data has been stolen.

— Gosia Wozniacka covers environmental justice, climate change, the clean energy transition and other environmental issues. Reach her at gwozniacka@oregonian.com or 971-421-3154.
