Rhysida Targets Martinique & Portugal Governments, Leaks Data

The Rhysida ransomware group, a notorious cybercriminal organization, has once again targeted government entities, this time leaking sensitive data from the Collectivité Territoriale de Martinique and the Câmara Municipal de Gondomar in Portugal. These attacks, part of a broader campaign targeting the education, healthcare, manufacturing, information technology, and government sectors, highlight the persistent and evolving threat posed by this ransomware-as-a-service (RaaS) group.

Investigations by threat intelligence sources have uncovered a trove of findings related to these breaches, revealing the tactics, techniques, and procedures (TTPs) employed by the Rhysida group. For the Collectivité Territoriale de Martinique, a staggering 10,109 findings were identified, including 9,031 from data breaches, 822 from malware, 190 from the dark web, 54 from the deep web, and 12 from social channels. Similarly, the Câmara Municipal de Gondomar in Portugal had 10,772 findings, with 9,438 from data breaches, 688 from malware, 426 from the deep web, 215 from the dark web, and 5 from social channels.

These findings paint a grim picture of the group’s methodology. Rhysida actors are known to leverage external-facing remote services, such as virtual private networks (VPNs), for initial access, often using compromised valid credentials. This is consistent with the discovery of credential stuffing lists from October 2025, which contained login details for employees of both the Collectivité Territoriale de Martinique and the Câmara Municipal de Gondomar.
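For defenders, the combination described above (employee logins in credential lists plus VPN access with valid credentials) suggests correlating an exposure feed with VPN authentication logs. The following is an added example, not taken from the reporting on these incidents; the log format, the account names, the IP addresses and the function name `flag_exposed_logins` are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: accounts reported in an exposed-credential feed.
EXPOSED = {"a.martin@example.org", "j.silva@example.org"}

# Constructed VPN auth log, one event per line: timestamp,user,source_ip,result
VPN_LOG = """\
2025-10-20T08:01:00Z,a.martin@example.org,198.51.100.7,success
2025-10-21T08:03:00Z,a.martin@example.org,198.51.100.7,success
2025-10-22T02:14:00Z,a.martin@example.org,203.0.113.50,success
2025-10-22T02:20:00Z,j.silva@example.org,203.0.113.50,failure
2025-10-22T02:21:00Z,j.silva@example.org,203.0.113.50,failure
2025-10-22T09:00:00Z,c.dupont@example.org,198.51.100.9,success
2025-10-23T09:00:00Z,c.dupont@example.org,192.0.2.44,success
"""

def flag_exposed_logins(log_text, exposed):
    """Return (timestamp, user, ip, reason) alerts for exposed accounts only.

    Flags failed logins (possible stuffing attempts) and successful logins
    from a source IP the account has not previously succeeded from.
    """
    baseline = defaultdict(set)  # user -> source IPs with earlier successes
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        ts, user, ip, result = row
        user = user.lower()
        if user in exposed:
            if result == "failure":
                alerts.append((ts, user, ip, "failed-login-exposed-account"))
            elif baseline[user] and ip not in baseline[user]:
                alerts.append((ts, user, ip, "new-source-ip-exposed-account"))
        if result == "success":
            baseline[user].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in flag_exposed_logins(VPN_LOG, EXPOSED):
        print(*alert)
```

An exposed account with no prior successful login has no baseline here, so its first success is not flagged; forcing a password reset and MFA enrollment for every account in the feed covers that gap.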

Once inside a network, the group employs “living-off-the-land” techniques, using native system tools to evade detection. They have been observed using tools like PsExec to disable antivirus programs and deploy PowerShell variants for lateral movement. Mixed malware logs from October 2025 targeting the Collectivité Territoriale de Martinique revealed the use of malware to steal credentials from web browsers, including logins for the entity’s student grant portal.

A key tactic of the Rhysida group is “double extortion,” where they not only encrypt the victim’s data but also exfiltrate it, threatening to publish the sensitive information if the ransom is not paid. In these cases, the group has followed through on their threats, publishing the data on a Tor-based portal. Both the Collectivité Territoriale de Martinique and the Câmara Municipal de Gondomar were listed on the Rhysida onion site, with multiple entries indicating ongoing data leaks.