Rhysida ransomware exposes stolen data from the Chilean Army

June 19, 2023
Rhysida Ransomware Stolen Data Chile Army South America Data Leak Dark Web Threat Actors

The recently emerged Rhysida ransomware actors have exposed the alleged stolen documents from the network of the Chilean Army. The data leak occurred after the Chilean Army admitted its systems suffered a security incident last month.

The affected entity quickly isolated the breach, and its security team initiated a recovery process to address the incident. Based on reports, the Army notified Chile’s Computer Security Incident Response Team (CSIRT) of the Joints Chiefs of Staff about the incident.

More information revealed that the government arrested an Army corporal for his alleged involvement in the ransomware attack.


The Rhysida ransomware group has slowly published stolen data from the Chilean military sector.


According to investigations, the Rhysida ransomware operators have released 30% of all the information they captured from the Chilean Army’s network. These troves of data are now available on the group’s data leak website after claiming the ransomware attack.

Researchers noted that the ransomware group had published about 360,000 Chilean Army-related documents.

However, this ransomware group claimed that they are a cybersecurity team with a primary objective of helping victims secure their networks. Researchers first spotted this group last May.

This malicious entity since then has already included approximately eight victims in its dark web data leak website and has published all five stolen archives.

Cybersecurity experts noticed that the Rhysida threat actors are infiltrating their targets’ networks through phishing campaigns and launching payloads across infected systems. However, they usually drop these payloads after deploying Cobalt Strike or similar C2 frameworks.

The group have allegedly adopted the ChaCha20 algorithm for its malware. However, the malware is still in the developmental stage since its missing features that most other ransomware variants come with by default are absent.

The malware also launches a cmd[.]exe window upon execution. After encrypting a target’s files, it could also scan the local drives and launch PDF ransom notes. Lastly, this ransomware operation redirects its victims to the gang’s Tor leak portal, where they will be instructed to provide the unique identifier in the ransomware note they received to access the payment instructions.

About the author

Leave a Reply