RansomHub Ransomware Gang Extorts Delaware Libraries in Unprecedented Attack

Published on September 26, 2024
Written by:
Lore Apostol
Cybersecurity & Streaming Writer

One of the affiliates of the notorious RansomHub ransomware group attacked a public US library, demanding approximately $1 million in ransom from the Delaware Division of Libraries (DLC). The attack has led to widespread IT disruptions across the library network, as per American press reports.

The ransomware-as-a-service (RaaS) group claims to have leaked a selection of financial documents from Delaware Libraries, showcasing a folder with over 80,000 files totaling 56 GB. The DLC confirmed that the attack did not compromise its catalog, which contains patron information.

While the extent of the breach is still under investigation, the ransomware group has not claimed to possess any sensitive or personal data, suggesting their access may be more limited than usual.

The organization oversees 35 sites across the state, but despite their significant community value, public libraries are often underfunded, making them an unusual target for such extortion attempts.

Many sites, including the Georgetown Public Library, have reported a shutdown of essential services like internet access, printing, and phone lines. Some locations are dealing with intermittent phone service disruptions, severely affecting their operations.

The Delaware Division of Libraries opted to rebuild their systems rather than capitulate to the ransom demands, and they are collaborating with Microsoft and the Delaware Department of Technology and Information to restore services. 

This incident marks yet another attack by the group, which has already targeted over 200 organizations in just six months. The RansomHub RaaS has been active since February and is known to overlap with other ransomware groups, such as ALPHV (BlackCat) and Knight Ransomware. 

RansomHub released 487 gigabytes of data allegedly exfiltrated from Kawasaki Motors Europe (KME) in early September. The group also exploited Kaspersky's TDSSKiller, traditionally used for identifying rootkits and bootkits, to disable endpoint detection and response (EDR) software and compromise target systems more efficiently.

They also hit Planned Parenthood of Montana and the Halliburton oilfield services giant. Furthermore, Change Healthcare's data breach was posted on RansomHub's website, and the recent Patelco Credit Union breach was attributed to the RansomHub ransomware group, which leaked 726,000 customers' data on its extortion portal.


