
Yacht dealer to the stars attacked by Rhysida ransomware gang

The Rhysida ransomware group claims it was responsible for the cyberattack at US luxury yacht dealer MarineMax earlier this month.

MarineMax, which posted multibillion-dollar revenues last year, disclosed a cyberattack to the Securities and Exchange Commission (SEC) on March 10, saying portions of its business were disrupted as a result of the containment measures it enacted.

At the time, the Clearwater, Florida company didn’t mention any involvement of ransomware, and its operations were said to have “continued throughout this matter in all material respects.”

The Form 8-K filed with the SEC earlier this month states: “The Company does not maintain sensitive data in the information environment impacted by the incident.”

Rhysida this week posted a snippet of the data it claims to have stolen from MarineMax to its website, but the montages of documents don’t clearly or conclusively reveal their nature. The majority of the leaked documents appear to be related to accounts and finances.

We asked the crooks if they could confirm exactly what kind of data they allege they took from MarineMax, but they didn’t immediately respond.

In typical fashion for the group, Rhysida says it is holding a seven-day auction on its site. If it receives a bid it deems fair for the value of the data it claims to have stolen, it will sell it to a single third party on an exclusive basis, rather than making it public.

This method essentially acts as a second means to monetize an alleged breach if the victim refuses to pay. In the usual double extortion ransomware scenario, the attacker requests a ransom, then dumps the stolen data online if the victim doesn’t pay.

Rhysida would still likely make the data public if it doesn’t receive a bid to its satisfaction – the current price is set at 15 Bitcoin ($1.007 million) – but the auction offers a potential plan B payout that other groups rarely utilize.

“With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data,” its website reads.

“Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!”

MarineMax deals in new and used boats, brokers yachts, and markets itself as “the world’s largest recreational boat, yacht, and superyacht services company.”

Given the nature of its business and the value of the products it deals with, its clientele is likely comprised of high earners and wealthy elites – individuals who would not be too keen on having any sensitive data and accounting information in the hands of criminals.

If the data stolen by Rhysida did indeed include this kind of information, it would be easy to make a case for it being valued at 15 Bitcoin ($1.007 million), given the potential phishing and financial fraud campaigns that miscreants could carry out.

Keen readers of El Reg will remember that Rhysida was responsible for the attack on the British Library last year – one from which the national institution is still trying to recover. It’s still the gang’s biggest scalp to this day.

Shortly after the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) published an extensive report on the group, raising awareness of its typical behaviors so organizations can plug any holes it regularly exploits.

CISA says it sees similarities between the operations of the group, named after a genus of centipede, and those of the Vice Society ransomware gang. Rhysida is also known to remote into MFA-less victims’ networks using stolen credentials, by phishing employees, or by exploiting vulnerabilities such as Zerologon. ®