

RHYSIDA RANSOMWARE GROUP, WHICH CRIPPLED THE BRITISH LIBRARY RACKING UP £6 TO £7
MILLION IN RECOVERY COSTS, TURNS ITS WRATH ON HOSPITALS, POWER PLANTS, AND
SCHOOLS IN THE UK, EUROPE, AND THE MIDDLE EAST, WARNS ESENTIRE


BY eSentire Threat Response Unit (TRU)

February 21, 2024 | 21 MINS READ






On October 31, 2023, the Rhysida Ransomware Group launched a crippling attack on
the British Library. Although the library did not pay the criminals’ ransom
demand of £650,000, library authorities are now estimating that it will cost
between £6 Million and £7 Million to rebuild the library’s IT systems. This
hefty price tag is going to cost the organisation approximately 40 percent of
its “unallocated cash reserves,” according to library officials.

The Rhysida criminals emerged onto the ransomware scene in May 2023, and in less
than nine months, they claim to have victimised 77 companies and public
institutions on their Dark Web leak site. Top global cybersecurity solutions
provider, eSentire, investigated the group’s victim list and the purported
evidence they stole from each organisation and posted to their leak site.

eSentire’s security research team, the Threat Response Unit (TRU), assesses with
high confidence that the companies and public institutions Rhysida claims to
have hit have indeed been compromised by the Rhysida cybercriminals.

In the last three and a half months, the Rhysida group compromised not only the
British Library but also many other organisations in the UK, Europe, and the
Middle East. Many of the targets are critical infrastructure, such as hospitals,
schools, power plants, and well-known public institutions.

Rhysida operates as a Ransomware-as-a-Service. The group leases their ransomware
tools and infrastructure to affiliates, and the affiliates pay the Rhysida
operators a share of the ransom monies they collect.


THE CONNECTION BETWEEN VICE SOCIETY AND RHYSIDA—PARTNERS IN CRIME?

TRU and other cybersecurity researchers have identified several similarities
between Rhysida’s Tactics, Techniques, and Procedures (TTPs) and those of the
Vice Society Ransomware Group. Vice Society emerged on the ransomware scene in
late 2020 and was extremely active up until May 2023, when the Rhysida group
first appeared.

Similar to Rhysida, Vice Society targeted organisations in the education and
healthcare sectors. One of the ransomware group’s most debilitating attacks was
in September 2022 against the Los Angeles Unified School District (LAUSD). At
the time of the attack, the school district included 1,000 schools and served
approximately 600,000 students.

Two weeks after the attack, the district was still working to recover and bring
its IT systems back online. To add insult to injury, the threat actors
threatened to publish 500 gigabytes of data that they had stolen from the school
district on their underground leak site if the LAUSD didn’t pay the ransom.

The school officials refused to pay the hackers, so they released the stolen
data, which included Social Security numbers, financial information, health
records, and legal records belonging to the students. The students’ parents were
so upset that LAUSD was forced to set up a hotline to respond to their queries.

Interestingly, when Rhysida came on the ransomware scene in May 2023, Vice
Society’s activity dropped off considerably; they only posted a handful of
victims on their leak site between May and November 2023. One might theorise
that Vice Society simply shed its name and adopted the Rhysida title, or that the
Vice Society threat actors ditched their operation and joined up with the
Rhysida operators and their affiliates.

The Rhysida threat actors hit their targets with double extortion, demanding
victims pay a hefty ransom to regain access to their data and avoid having their
data exposed online. Although Rhysida is yet to become a household name like
well-known RaaS groups, LockBit and Clop, the criminal gang is quickly catching
up with its notorious peers.

As such, TRU is warning businesses and public entities to put security defences
in place to protect their critical data and applications and avoid business
disruption from the Rhysida group, as well as other threat groups.

Rhysida’s operators and their affiliates are capable of causing substantial
destruction, with little remorse, as readers will see from the following cyber
incidents and the ransom note the threat actors leave each victim (Figure 1).

Figure 1: Rhysida ransom note


RHYSIDA RANSOMWARE GROUP CRIPPLES THE BRITISH LIBRARY

The Rhysida group’s assault against the British Library on October 31, 2023 took
many of the library’s systems down, including online access to their primary
catalogue, which contains 36 million records of printed and rare books, maps,
journals and music scores, depended on by researchers around the world.

At publication, it has been twelve weeks since the attack, and patrons can only
access the library’s main catalogue in a “read-only” format. The British
Library is one of the world’s largest and most prestigious libraries, with an
estimated 170 to 200 million items.

According to the Library’s Chief Executive, Sir Roly Keating, the attack also
took down several of their other core digital services, such as their online
learning resources and their main website. Their main website is still not
restored. Patrons are having to use a temporary, scaled back version of their
website.

Keating described the attack in a December 2023 blog saying: “This was a
ransomware attack, by a criminal group known for such activity, and its effects
were deep and extensive. Our online systems and services were massively
disrupted, our website went down, and we initially lost access to even basic
communication tools such as email. We took immediate action to isolate and
protect our network, but significant damage was already done: having breached
our systems, the attackers had destroyed their route of entry and much else
besides, encrypting or deleting parts of our IT estate. They also copied a
significant chunk of our data, which they attempted to auction online and, a
month later, released most of it onto their site on the dark web. The Library
itself remains a crime scene, with a forensic investigation of our disrupted
network still ongoing. In parallel, our teams are examining and analysing the
almost 600 gigabytes of leaked material that the attackers dumped online –
difficult and complex work that is likely to take months.”

As Keating noted, the Rhysida threat actors not only encrypted many of the
library’s systems, they also stole 600 gigabytes of information from the library
including personal information relating to some of the library’s employees. They
posted images from some of this data on their Dark Web leak site, including
several passport scans and other documents, which appeared to be employment
documents.

On or around November 20, the Rhysida threat actors began their seven-day
auction, giving buyers a deadline for bids ending just before 0800 UTC on
November 27. Their starting bid for the information was 20 Bitcoin, equaling
approximately £590,000.

"With just 7 days on the clock, seize the opportunity to bid on exclusive,
unique, and impressive data," said the message on Rhysida's Dark Web leak site.
"Open your wallets and be ready to buy exclusive data. We sell only to one hand,
no reselling, you will be the only owner.”


RHYSIDA STEALS PERSONAL DATA FROM LIBRARY PATRONS AND EMPLOYEES

Initially, it was believed that the cyberattackers only stole personal data
belonging to the library’s employees, however, on December 18, 2023, the British
Library notified the public that some personal data belonging to users of the
library had also been stolen.

“Last week the attackers released some of our data onto the Dark Web including
some personal user information,” said British Library spokespersons. “We have
contacted our users to alert them to this incident and to offer advice from the
National Cyber Security Centre (NCSC) on how to protect themselves, including
updating their passwords on other systems. Because our systems are still
unavailable, you can’t change the password for our services. However, if you use
the same password for non-British Library services, we recommend that you change
it as a precaution.”

Several of the library’s systems continue to be down, including the library’s
main website. The website states: “We are continuing to experience a major
technology outage, as a result of a cyber-attack. Our buildings are open as
usual, however, the outage is still affecting our website, online systems and
services, as well as some onsite services. This is a temporary website, with
limited content outlining the services that are currently available, as well as
what is on at the Library.” (Figure 2).

Figure 2: The home page of the British Library website as of February 20, 2024.

Library patrons did receive some positive news. On February 9, Library Chief
Executive Roly Keating said, “Although the various manual workarounds that we
have had in place since 15 January may be different from normal, they’ve enabled
us to resume our core responsibility of providing access to the collection. Our
catalogue becoming visible and usable once again has been a key milestone on our
road to recovery, and further improvements will continue to be made in the weeks
and months to come.”

Full restoration of the library’s services could take until the end of the year,
according to library officials.

Figure 3: Offices of Slovenia's power generation company, HSE


RHYSIDA ATTACKS HSE, SLOVENIA’S LARGEST POWER GENERATION COMPANY, OPERATOR OF
HYDROELECTRIC, THERMAL AND SOLAR PLANTS, COAL MINES AND SUBSIDIARIES IN ITALY,
HUNGARY, AND SERBIA

On November 22, 2023, the Rhysida Ransomware Gang hit a very serious target –
the largest power generation company in Slovenia, Holding Slovenske
elektrarne (HSE) (Figure 3). The company is owned by the government of Slovenia
and accounts for 60% of the country’s domestic electricity production. The firm
also operates several hydroelectric, thermal, and solar power plants, as well as
coal mines across Slovenia, and has subsidiaries in Italy, Hungary, and Serbia.

The Rhysida threat actors compromised HSE’s IT systems and encrypted various
files; however, company executives reported that the attack did not disrupt
their electricity production. “IT systems and files were ‘locked’ by the
‘crypto virus’,” said Uroš Svete, HSE’s Director of Information Security. “All
power generation operations remained unaffected by the large scale cyberattack,
the impairment is limited to the websites of Šoštanj Thermal Power Plants and
the Velenje Coal Mine.”

Although HSE officials reported that only the “websites of their Šoštanj Thermal
Power Plants and the Velenje Coal Mine” were affected by the attack, the Rhysida
threat actors tell a different story. On Rhysida’s data leak site, the Rhysida
criminals posted samples of what appears to be HSE contracts, invoices, legal
documents, and other financial data.

TRU assesses with high confidence that these documents are authentic and belong
to HSE. Also, from the sample files Rhysida posted to their leak site, one has
to wonder what other information was accessed and how sensitive is that
information (Figure 4).

Figure 4: A note from the Rhysida threat actors posted on their leak site,
describing the information they reportedly stole from HSE

HSE reached out to the National Office for Cyber Incidents at Si-CERT and the
Ljubljana Police Administration and brought in cybersecurity experts to mitigate
the attack and prevent the virus from spreading across all their systems in
Slovenia.

Svete issued a joint statement with the General Manager of HSE, assuring the
public that the situation was under control and that no operational disruption
or significant economic damage was expected due to this incident.


RHYSIDA COMPROMISES LONDON’S KING EDWARD VII’S HOSPITAL AND THREATENS TO RELEASE
DATA ABOUT THE ROYAL FAMILY

In late November 2023, the Rhysida ransomware operators announced on their data
leak site that they had compromised London’s King Edward VII’s Hospital. The
threat actors claimed to have stolen sensitive information about the hospital’s
employees and their patients. They also claimed that some of the stolen data
pertains to members of Britain’s royal family (Figure 5).

Figure 5: A post from the Rhysida threat actors on their leak site, boasting
about information they stole from London’s King Edward VII’s hospital, claiming
it contains data about Britain’s royal family.

King Edward VII’s Hospital is where Elizabeth II, Britain’s late Queen, and her
late husband, Prince Philip, were treated over the years for a variety of health
issues. In 2018, Prince Philip underwent hip replacement surgery and was treated
for a pre-existing condition in 2019.

Meanwhile, Queen Elizabeth II had knee surgery at the hospital in 2003 and was
treated for gastroenteritis in 2013. Princess Kate Middleton was also treated at
the hospital in 2012 for morning sickness, and in July 2023, Sarah Ferguson, the
Duchess of York, underwent surgery for breast cancer, according to news
sources.

The Rhysida threat actors put the stolen data up for auction in the first few
days of December, promising to sell it to one buyer only. They asked for payment
in Bitcoin, equaling approximately £300,000, and they threatened that if the
cache of information was not purchased by December 5, they would make the data
publicly available.

The National Cyber Security Centre (NCSC), which is part of Britain’s Government
Communications Headquarters (GCHQ), was brought in to help investigate the
attack. GCHQ is one of three UK Intelligence and Security Agencies. An NCSC
spokesman was quoted as saying: “We are working with King Edward VII Hospital to
fully understand the impact of an incident.”

A hospital spokesman stated following the incident: “We recently experienced an
IT security incident involving temporary, unauthorised access to our systems. We
took immediate steps to mitigate the incident’s impact and continued to offer
patient care and services, largely as normal.”

He added: “We also launched a comprehensive investigation, which confirmed that
a small amount of data was copied from part of our IT system. While this was
primarily benign hospital systems data, a limited amount of patient information
was copied, and we are notifying a small subset of our patient database about
this. The vast majority of patients are not affected by this in any way, and we
offer our apologies for any concern this incident may cause.”

Patients who were affected by the attack are being offered free identity and
credit monitoring to help keep them safe from potentially fraudulent activity,
according to one of London’s national news outlets, The Telegraph.

The Rhysida threat actors posted images, on their leak site, of the purported
documents stolen from the hospital. These included pictures of medical reports,
patient admittance forms, physician correspondence, x-rays, and pathology
reports (Figure 6).

Figure 6: An image of a private letter written by a physician with King Edward
VII’s Hospital.

Although TRU has not identified any health data that appears to pertain to the
royal family in the leaked images on Rhysida’s leak site, there is data relating
to other patients, as well as doctors, and supporting medical staff.

A former British military intelligence colonel, Philip Ingram, commented: “Given
the highly sensitive nature of the patients, there will be a degree of pressure
on the hospital to try to stop any of this data being released. Therefore, I
would expect them to explore the possibility of paying the ransom.”

Interestingly, after initially announcing the attack, King Edward VII’s Hospital
does not appear to have provided any further details or updates about the attack
to the press or the wider public.

Not long after Rhysida attacked King Edward VII’s hospital, the threat actors
went after the Abdali Hospital, a 200-bed medical facility in Amman, Jordan in
mid-December. Abdali is a multi-specialty hospital, employing medical
specialists in orthopedics and rheumatology, gynecology, urology and
endocrinology, neurology, nephrology, pulmonology, internal medicine, oncology,
infectious disease, and anesthesiology.

To prove that they had compromised the facility, the Rhysida threat actors
posted images of ID cards, contracts, etc. on their leak site, and stated that
they had a trove of sensitive data they were auctioning off for 10 Bitcoin.
(Figure 7)

Figure 7: Rhysida’s website post threatening to auction off PII belonging to
patients of the Abdali Hospital.

Although the public has not been made privy to the true extent of the damage
from the attacks against King Edward VII’s Hospital and the Abdali Hospital, the
Rhysida criminals have certainly exhibited how ruthless the group can be when it
comes to their attacks against healthcare organisations.


RHYSIDA SHOWS NO MERCY IN ITS ATTACK AGAINST A HEALTHCARE COMPANY’S 16 HOSPITALS
AND 166 CLINICS AND CENTERS

In August 2023, prior to attacking the British Library, Rhysida assaulted
Prospect Medical Holdings (PMH). PMH is a U.S. healthcare corporation operating
16 hospitals in four different states and a network of 166 outpatient clinics
and centers.

During the attack against PMH’s hospitals, clinics, and centers, the Rhysida
threat actors tore through the healthcare company’s IT environment, causing such
concern that the company took down their computer networks, forcing the doctors,
nurses and other hospital staff to revert to using paper charts and pens when
caring for the patients.

The Rhysida gang said on their Dark Web leak site that they stole 1 TB of
documents and 1.3 TB of databases from PMH. The documents were said to contain
corporate documents, patient records and the Social Security Numbers of 500,000
individuals. The attack is believed to have occurred on August 3, with employees
finding ransom notes on their screens stating that their network was hacked, and
devices encrypted.

The ransomware group said it would sell Prospect Medical’s stolen data for 50
Bitcoins, equaling approximately $1.5 million. Almost three months later, after
numerous destructive attacks, the FBI and CISA put out an alert warning critical
infrastructure organisations and others about the group and provided a rundown
of the group’s Tactics, Techniques, and Procedures (TTPs) so companies and public
entities can better protect themselves.


RHYSIDA ATTACKS A GLOBAL RELIGIOUS ORGANISATION IN SWITZERLAND

Unfortunately, the Rhysida threat actors did not slow down for the Christmas
holidays. On December 26, Rhysida claimed to have compromised a new victim – The
World Council of Churches (WCC), a worldwide Christian inter-church organization
based out of Switzerland, representing a half a billion people worldwide,
according to the organisation.

Two days later on December 28, the WCC publicly reported, via their website,
that they had suffered a ransomware attack stating: “The World Council of
Churches (WCC) communications systems have been hacked by a ransomware group. In
an initial contact on 26 December, the group hacked the WCC systems and asked
for payment. The group also threatened to share material worldwide and
compromise all the systems.”

Although WCC did not name the criminal group that attacked them, the Rhysida
threat actors came out on January 5 stating that they had attacked the Lutheran
World Federation, one of WCC’s member organisations.

According to security researchers, the Lutheran World Federation confirmed they
had suffered a ransomware attack, and that it was connected to the WCC attack.


RHYSIDA GOES AFTER THE EDUCATION SECTOR, ATTACKING A LONDON HIGH SCHOOL, A U.K.
VOCATIONAL TRAINING SCHOOL AND TWO TOP UNIVERSITIES

Another victim listed on Rhysida’s leak site in the last two months was a
popular high school in London. To prove that the criminals had breached the
school’s IT network, the Rhysida threat actors posted sample copies of school
employee driver’s licenses, student names, parent names, and phone numbers for
numerous parents.

Following the London high school attack, the Rhysida gang went after an
award-winning educational institution in the U.K. which specialises in training
students for careers in Dentistry, Care (Child, Adult and Social), and
Education. It offers nationally recognised vocational qualification programmes,
apprenticeships, mentoring and preparation for employment across England and
Wales. The Rhysida criminals followed their usual Modus Operandi (MO) and posted
samples of employees’ driver’s licenses and passports to their leak site.

The Rhysida Ransomware Gang continued its campaign against the education sector,
attacking two large and prominent universities in December 2023, Kaunas
University of Technology in Lithuania and Tshwane University of Technology in
South Africa. Both universities are highly respected and offer undergraduate
degrees, as well as post-graduate degrees in science, technology/engineering,
and business, and are known for their exceptional sciences and technology
departments.

When Rhysida attacked these institutions, the criminals followed their usual MO,
posting to their leak site what the threat actors claimed were faculty members’
passports, driver’s licenses, and other university documents.


RHYSIDA ZEROES IN ON A SECOND TARGET IN THE MIDDLE EAST

In December, the Rhysida Group also focused on targets in the Middle East. In
addition to attacking the Abdali Hospital in Jordan, they claimed to have
compromised a prominent Sports Club in Qatar. As proof, the threat actors posted
the National ID cards of many of the club members. The Qatar National Identity
card is issued by the government to its citizens, residents, and foreign
workers.

The card contains the individuals’ name, photo, date of birth, nationality, and
Qatar ID number. A Qatar ID serves as proof of identity, residency, and is
required to open a bank account, obtain a driver’s license, and access many
government services.

“It is very apparent that when the Rhysida threat actors break into an
organisation, they know exactly what information to go after,” said Keegan
Keplinger, Sr. Threat Researcher with eSentire’s security research team, the
Threat Response Unit (TRU). “They target some of the most valuable, sensitive
data a company or public entity can possess. This is evident by the passports
and other documents containing personal identifiable information (PII) that they
steal,” continued Keplinger.


THE VALUE OF ONE’S PERSONAL IDENTIFIABLE INFORMATION (PII)—CHA-CHING!

“Even if the victim organisation refuses to pay the Rhysida threat actors their
ransom demand, the cybercriminals can easily sell this PII on the underground,”
said Keplinger. “Passports, driver’s licenses, and National Identity Cards are
particularly valuable. With this type of data, a criminal can commit identity
theft and depending on the victim’s credit, they can apply for high-limit credit
cards, open bank accounts, apply for bank loans, purchase expensive cars, etc.”

Criminals who specialize in buying and selling Personal Identifiable Information
(PII) and ‘Fullz’, the slang term for Full Identity Packets, would be
particularly interested in this type of data. Fullz typically include a person’s
name, DOB, a National Insurance number (NI) or Social Security Number (for the
U.S.), an address, email address, and driver’s license number.

The Fullz packets TRU saw advertised on the underground hacker markets for
individuals living in the UK, typically come with a credit card, in addition to
the PII listed above. These UK Fullz + credit card packets are currently being
offered for USD $40 each. TRU saw passport scans for UK and U.S. individuals
being sold from between USD $35 and USD $50.


RHYSIDA’S TACTICS, TECHNIQUES AND PROCEDURES (TTPS)

In November 2023, after numerous destructive attacks, including ones against
U.S. government agencies, the Federal Bureau of Investigation (FBI),
Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State
Information Sharing and Analysis Center (MS-ISAC) put out an alert warning
critical infrastructure organisations and other entities about Rhysida and
provided a rundown of the group’s TTPs so companies and public organisations
could better protect themselves.

The Rhysida Ransomware Group’s intrusions span process injection, defense
evasion, credential access, discovery, lateral movement, command and control,
and impact. The operators also rely on a mix of built-in commands and
off-the-shelf software during their attacks, including PowerShell, wevtutil.exe
(for clearing event logs), secretsdump, cmd.exe, ipconfig, net group, whoami,
net localgroup, net user, nltest, RDP, PuTTY, and AnyDesk, and the ransomware
itself encrypts files with a 4096-bit RSA key combined with the ChaCha20
algorithm. For more of Rhysida’s TTPs, see the CISA Security Advisory.
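The tooling listed above is almost entirely living-off-the-land, so detection depends on spotting the pattern (a burst of account and domain discovery, followed by event-log clearing or credential dumping) rather than any single binary. The following is an added example, not code from eSentire, TRU or the CISA advisory: a small scorer that runs over process-creation events and raises an alert when a host accumulates enough of these behaviours inside a short window. The event records, their field names (ts, host, user, cmd) and the weights and threshold are all assumptions constructed for this illustration, not a real product’s schema or tuned values.

```python
"""
Added example (not eSentire's or CISA's code): score Windows process-creation
events (e.g. Sysmon Event ID 1 or Security 4688 exported as dicts) for the
discovery, log-clearing, credential-dumping and remote-access tooling this
post attributes to Rhysida intrusions. Field names, weights, the time window
and the sample events are constructed assumptions for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (signature name, regex over the full command line, weight)
# Weights are illustrative: log clearing and credential dumping are rarer in
# normal admin activity than a lone "whoami", so they count for more.
SIGNATURES = [
    ("ad_discovery", re.compile(r"\bnet(1)?\s+(group|localgroup|user)\b", re.I), 1),
    ("domain_trust_discovery", re.compile(r"\bnltest(\.exe)?\b", re.I), 1),
    ("whoami", re.compile(r"\bwhoami(\.exe)?\b", re.I), 1),
    ("ipconfig", re.compile(r"\bipconfig(\.exe)?\b", re.I), 1),
    ("log_clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), 3),
    ("credential_dump", re.compile(r"secretsdump", re.I), 4),
    ("remote_access_tool", re.compile(r"\b(anydesk|putty)(\.exe)?\b", re.I), 2),
]

WINDOW = timedelta(minutes=10)   # assumed sliding window per host
ALERT_THRESHOLD = 5              # assumed score needed to raise an alert

# Constructed sample events (not real telemetry). WS01 shows the discovery
# burst plus log clearing; the other two hosts show benign-looking single hits.
SAMPLE_EVENTS = [
    {"ts": "2024-02-20T09:00:01", "host": "WS01", "user": "jdoe", "cmd": "whoami /all"},
    {"ts": "2024-02-20T09:00:07", "host": "WS01", "user": "jdoe", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-02-20T09:00:12", "host": "WS01", "user": "jdoe", "cmd": "nltest /dclist:corp.example"},
    {"ts": "2024-02-20T09:00:30", "host": "WS01", "user": "jdoe", "cmd": "wevtutil cl Security"},
    {"ts": "2024-02-20T09:15:00", "host": "ADMIN-PC", "user": "it-admin", "cmd": "ipconfig /all"},
    {"ts": "2024-02-20T11:00:00", "host": "SRV02", "user": "svc", "cmd": r"C:\Users\svc\Downloads\AnyDesk.exe"},
]


def match_signatures(cmd):
    """Return [(signature_name, weight)] for every signature the command line matches."""
    return [(name, weight) for name, rx, weight in SIGNATURES if rx.search(cmd)]


def scan(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Return one alert dict per host whose best sliding-window score reaches the threshold.

    For each host, every matching event starts a candidate window; the window
    with the highest total weight is kept, so a slow trickle of single commands
    does not accumulate indefinitely but a tight burst does.
    """
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        hits = match_signatures(event["cmd"])
        if hits:
            by_host[event["host"]].append((datetime.fromisoformat(event["ts"]), event, hits))

    alerts = []
    for host, records in by_host.items():
        best = None
        for start_time, _, _ in records:
            in_window = [r for r in records if start_time <= r[0] <= start_time + window]
            score = sum(w for _, _, hs in in_window for _, w in hs)
            names = sorted({n for _, _, hs in in_window for n, _ in hs})
            if best is None or score > best["score"]:
                best = {
                    "host": host,
                    "score": score,
                    "signatures": names,
                    "first_seen": in_window[0][0].isoformat(),
                    "commands": [r[1]["cmd"] for r in in_window],
                }
        if best["score"] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} score={alert['score']} first_seen={alert['first_seen']}")
        for sig in alert["signatures"]:
            print(f"    signature: {sig}")
        for cmd in alert["commands"]:
            print(f"    cmd: {cmd}")
```

Run against the constructed sample, only WS01 trips the threshold: four discovery commands and a wevtutil log clear inside thirty seconds score 6, while the administrator’s lone ipconfig and the single AnyDesk launch stay below it. In a real deployment the command-line field would come from EDR or centralised logging on domain controllers and servers, as the recommendations later in this post describe, and the weights would be tuned against that environment’s normal admin activity.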


SECURITY PROTECTIONS FOR PREVENTING RANSOMWARE ATTACKS AND MITIGATING POTENTIAL
DAMAGE

Prospect Medical, the British Library, and the other incidents above are prime
examples of why companies and public entities must be prepared for a ransomware
attack. Therefore, eSentire's Threat Response Unit (TRU) recommends the following
security steps:

 * Have a backup copy of all critical files and make sure they are offline
   backups. Backups connected to the infected systems will be useless in the
   event of a ransomware attack.
 * Require multi-factor authentication to access your organisation’s virtual
   private network (VPN) or remote desktop protocol (RDP) services.
 * Only allow administrators to access network appliances using a VPN service.
 * Domain controllers are a key target for ransomware actors, so ensure that
   your security team has visibility into your IT networks using endpoint
   detection and response (EDR) agents and centralized logging on domain
   controllers (DCs) and other servers.
 * Employ the principle of least privilege with staff members.
 * Implement network segmentation.
 * Disable RDP if not being used.
 * Regularly patch systems, prioritizing your key IT systems.
 * User-awareness training should be mandated for all company employees and
   focus on:
   * Downloading and executing files from unverified sources
   * Avoiding free versions of paid software
   * Inspecting the full URL before downloading files to ensure it matches the
     source (e.g., Microsoft Teams should come from a Microsoft domain)
   * Always inspecting file extensions. Do not trust the filetype logo alone. An
     executable file can be disguised as a PDF or office document.
 * Ensure 24/7 security monitoring and threat response across your environment.

If you are not currently engaged with a Managed Detection and Response (MDR)
provider, we highly recommend you partner with us for security services to
disrupt threats before they impact your business. To learn more, connect with an
eSentire Security Specialist.


COMMENTS FROM KEEGAN KEPLINGER, SR. THREAT RESEARCHER WITH ESENTIRE’S SECURITY
RESEARCH TEAM, THE THREAT RESPONSE UNIT (TRU)

“Successful exploitation of the 2020 vulnerability, Zerologon - which affects
typical corporate Windows networks - demonstrates a tendency for organisations
to neglect 'internal vulnerabilities'. These vulnerabilities may not lead to
initial access through remote exploitation, but they can turn a commodity
malware infection into a hands-on intrusion through privilege escalation, even
when accounts with few permissions are the initial source of the infection.”

“Rhysida affiliates have shown a tendency to rely on valid VPN and RDP
credentials for initial access and legitimate admin tools like RDP and AnyDesk
for lateral movement. That means that prior to ransomware deployment, the
affiliates don't use any identifiable malware strains, lowering chances of
detection and attribution. Security researchers have drawn parallels between
Rhysida’s TTPs and Vice Society’s TTPs.”

“Rhysida often targets an organisation’s HR department to exfiltrate personally
identifiable information from employees, including driver’s licenses, passports,
and other forms of identification. From there, the data is first leveraged to
apply pressure on the company, then sold or published.”

“Interestingly, parts of Rhysida’s website appeared broken. The weblinks to the
document leaks portion of Rhysida’s website did not lead anywhere, but their
countdown auctions were fully functioning. It is not clear whether this is a
matter of incompetence, or they are only pretending to publish the data so that
they can sell it at a higher premium. If not shared with anyone else, the data
would have a higher value, as it could facilitate identity theft and financial
fraud.”



ESENTIRE THREAT RESPONSE UNIT (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research
team committed to helping your organization become more resilient. TRU is an
elite team of threat hunters and researchers that supports our 24/7 Security
Operations Centers (SOCs), builds threat detection models across the eSentire
XDR Cloud Platform, and works as an extension of your security team to
continuously improve our Managed Detection and Response service. By providing
complete visibility across your attack surface and performing global threat
sweeps and proactive hypothesis-driven threat hunts augmented by original threat
research, we are laser-focused on defending your organization against known and
unknown threats.



