The threat actors behind a recently emerged ransomware operation known as Rhysida have leaked online what they claim are documents stolen from the Chilean Army (Ejército de Chile) network.

The leak comes after the Chilean military confirmed on May 29 that its systems were affected by a security incident detected over the weekend of May 27, according to a statement. share by the Chilean cybersecurity company CronUp.

The network was isolated following the breach, with military security experts initiating the process of recovering the affected systems.

The military reported the incident to the Chilean Computer Security Incident Response Team (CSIRT) of the Joint Chiefs of Staff and the Department of National Defense.

A few days after the revelation of the attack, local media reported that an army corporal was arrested and charged for his involvement in the ransomware attack.

The Rhysida ransomware gang has now released 30% of all the data they claim to have stolen from the Chilean army network after they initially added it to their data leak site and claimed responsibility for the attack.

“Rhysida ransomware released around 360,000 Chilean military documents (and according to them it’s only 30%),” said CronUp security researcher Germán Fernández said.

The Rhysida ransomware gang describes itself as a “cybersecurity team” that aims to help victims secure their networks, and it was first spotted by MalwareHunterTeam May 17, 2023.

Since then, the ransomware group has already added eight victims to its dark web data leak site and released all stolen files for five of them.

According SentinelOne.

Samples analyzed so far show that the gang’s malware uses the ChaCha20 algorithm, and it is still in development, as it lacks features that come by default with most other ransomware strains.

Upon execution, it launches a cmd.exe window, starts scanning local drives and drops PDF ransom note named as CriticalBreachDetected.pdf after encrypting victim files.

Victims are redirected to the gang’s Tor leak portal, where they are asked to enter the unique ID in the ransom notes to access payment instructions.

“The payloads lack many basic features such as VSS removal that are synonymous with today’s ransomware,” SentinelOne says.

“That said, the group threatens victims with publicly releasing the exfiltrated data, bringing them in line with modern multiple extortion groups.”