600 GB, 20 Bitcoin, 90 Days Offline
Inside the British Library Ransomware Siege
How the Rhysida gang turned a national treasure into a cautionary tale that cost £7 million and froze academic research for months
"At 23:29 on 25 October 2023 it took the Rhysida gang one stolen password to encrypt centuries of knowledge and lock the largest library on Earth out of its own digital shelves for three months."
48 Hours That Deleted History
Date / Time (GMT) | Event
---|---
25 Oct 23:29 | Affiliate logs in to Terminal Services server (deployed 2020 for Covid remote work) without MFA
26 Oct 01:15 | Security team blocks suspicious account, resets it, re-enables same account later that morning—missed kill-chain moment
28 Oct 01:30 | 440 GB of outbound traffic detected; attackers already exfiltrating HR, payroll & reader CRM via Robocopy / SQLCMD / Rclone
28 Oct 09:54 | Public tweet: "Technical issues affecting our website"—Wi-Fi, catalogue, phone lines, card readers dead
31 Oct | Library admits cyber-attack; NCSC & private forensics called in
16 Nov | Rhysida posts sample scans (passports, HMRC letters); 20 BTC ransom demanded (≈ £600k)
27 Nov | Deadline passes; 573 GB (≈ 490k files) dumped free on dark web—90% of haul
5 Jan 2024 | Board reveals £6–7m recovery bill—40% of the Library's entire cash reserves
15 Jan 2024 | Read-only catalogue finally back online—82 days after first outage
When the UK's Memory Bank Goes Dark
How Rhysida Turned a Library into a Crime Scene
MITRE Tactic | Technique Used | British Library Reality
---|---|---
Initial Access | T1078 Valid Accounts | Stolen domain creds on RDP gateway (no MFA)
Execution | T1059.003 Windows Command Shell | Robocopy / SQLCMD to stage files
Exfiltration | T1048.002 Exfil Over Web Service | Rclone to Mega.io—440 GB in 24h
Impact | T1486 Data Encrypted for Impact | BitLocker + Rhysida binary deployed; some servers wiped to hinder rebuild
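Two of the moments in the timeline and table above are detectable from ordinary logs: a blocked account that is re-enabled and reused over RDP, and one host pushing hundreds of GB to a cloud-storage site in a day. The hunt below is an added example, not code from the article or the Library's own tooling; it runs on constructed Windows Security events and egress summaries, and the 10.0.0.0/8 range, hostnames and thresholds are assumptions.

```python
# Added hunt (constructed data) for two British Library kill-chain moments:
# a blocked account re-enabled then reused over RDP, and bulk egress from one host.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Windows Security events. 4624 = logon (LogonType 10 = RDP),
# 4725 = account disabled, 4722 = account enabled. Times are UTC.
SAMPLE_EVENTS = [
    {"time": "2023-10-25T23:29:00", "id": 4624, "user": "svc-remote", "logon_type": 10, "src": "203.0.113.45"},
    {"time": "2023-10-26T01:15:00", "id": 4725, "user": "svc-remote"},
    {"time": "2023-10-26T09:40:00", "id": 4722, "user": "svc-remote"},
    {"time": "2023-10-26T11:02:00", "id": 4624, "user": "svc-remote", "logon_type": 10, "src": "203.0.113.45"},
    {"time": "2023-10-26T12:00:00", "id": 4624, "user": "jdoe", "logon_type": 10, "src": "10.20.0.7"},
]
# Constructed daily egress summaries, as a proxy or NetFlow report would give them.
SAMPLE_FLOWS = [
    {"day": "2023-10-27", "host": "FILESRV01", "dst": "mega.nz", "bytes": 440 * 1024**3},
    {"day": "2023-10-27", "host": "WEB01", "dst": "cdn.example.net", "bytes": 3 * 1024**3},
]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: corporate address space

def _t(ev):
    return datetime.fromisoformat(ev["time"])

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_reenabled_rdp_logons(events, window_hours=24):
    """Alert when an account is disabled (4725), re-enabled (4722) within
    window_hours, and then logs on over RDP from an external address."""
    disabled_at, reenabled_at, alerts = {}, {}, []
    for ev in sorted(events, key=_t):
        user = ev["user"]
        if ev["id"] == 4725:
            disabled_at[user] = _t(ev)
        elif ev["id"] == 4722 and user in disabled_at:
            if _t(ev) - disabled_at[user] <= timedelta(hours=window_hours):
                reenabled_at[user] = _t(ev)  # containment undone: watch this account
        elif ev["id"] == 4624 and ev.get("logon_type") == 10:
            if user in reenabled_at and _t(ev) > reenabled_at[user] and is_external(ev["src"]):
                alerts.append({"user": user, "src": ev["src"], "time": ev["time"]})
    return alerts

def flag_outbound_spikes(flows, threshold_gb=50):
    """Return (day, host, dst) keys whose summed egress meets an assumed daily threshold."""
    totals = {}
    for f in flows:
        key = (f["day"], f["host"], f["dst"])
        totals[key] = totals.get(key, 0) + f["bytes"]
    return sorted(k for k, b in totals.items() if b >= threshold_gb * 1024**3)
```

The first rule fires on the 26 Oct re-enable followed by the external RDP logon, and the second on the single host that moved 440 GB in a day; in production the events would come from a SIEM query rather than the embedded lists.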
A Perfect Storm of "We'll Get to It Later"
- Risk flagged in 2020, "consequences under-appraised"
- Finance, HR, digital-collections on same VLAN → lateral movement paradise
- Windows 2008 R2 & end-of-life apps meant no vendor patches & no clean rebuild images
- Data scattered between old systems inflated the sensitive-data footprint—more files to steal
Why Culture Crumbled Faster Than Code
"The British Library attack is a textbook example of legacy overload + MFA apathy. Attackers didn't need a zero-day—they needed one reused password and a weekend."
MFA is not a "nice-to-have" for cultural institutions—it's the dead-bolt on the nation's attic.
Five NIST Controls That Would Have Kept the Lights (and Laptops) On
Control | NIST CSF ID | Fix
---|---|---
Phishing-resistant MFA | PR.AC-7 | FIDO2 keys for all remote-desktop gateways—no SMS, no excuses
Network segmentation | PR.AC-5 | Micro-segment HR/finance from reader-facing catalogue; use zero-trust SDP
Immutable backups | PR.IP-4 | Daily Veeam copy to offline tape + cloud-object-lock; test monthly bare-metal restore
Legacy-system retirement | PR.IP-9 | Force EoL servers onto isolated legacy VLAN with strict ACLs; migrate to SaaS catalogue
Vendor incident SLA | RS.CO-2 | Insert 72-hour breach-notification clause; financial penalties for each day of delay
The Cultural Heritage Crisis
Rhysida spent three days rummaging through 600 GB of the UK's cultural genome, but the initial breach took seconds—the moment an unprotected Terminal Services session accepted a single-factor log-in.
If the guardian of 170 million items can be forced to spend half its cash reserves to reboot civilization, what treasures are you protecting with yesterday's locks?
"How many centuries of knowledge are 39 seconds away from digital darkness?"
Protect Your Legacy Systems Before It's Too Late
Don't let legacy vulnerabilities become your organization's downfall. Get a comprehensive security assessment and modernize your defenses against sophisticated ransomware attacks.