Ransomware gang Rhysida today claimed responsibility for a cyber attack last week at the the Oregon Department of Environmental Quality.
The Oregon DEQ on April 9, 2025 said it was investigating a cyber attack on its enterprise information services that forced the department to shut down its email system, computer workstations, help desk, and vehicle inspection stations. Most of those services were brought back online by April 14.
“Enterprise Information Services is investigating a cyberattack within the Oregon Department of Environmental Quality. We are in the process of shutting down networks to provide isolation for the agency servers and network until the attack is totally contained and potentially eradicated,” the department announced on April 9, 2025.
DEQ’s most recent announcement states that there is no evidence of a data breach, but Rhysida says it breached the DEQ and stole more than 2.5 TB of data.
The ransomware group demands the department pay 30 bitcoin in ransom (worth about $2.7 million at time of writing) within seven days. To prove its claim, the group posted sample images of what it says are documents stolen from the department. They include Social Security cards and passport scans, among other documents.
The Oregon DEQ said at the time that it didn’t receive a ransom demand, and it has not verified Rhysida’s claim. We don’t know exactly what data was compromised, if the DEQ did or will pay a ransom, or how attackers breached the DEQ’s network. Comparitech contacted the Oregon DEQ for more info and will update this article if it replies.
Who is Rhysida?
Rhysida is a ransomware group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected systems. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.
Rhysida claimed 86 confirmed ransomware attacks since it began, compromising more than 5.4 million records. It made another 104 attack claims that haven’t been acknowledged by the targeted organizations. Its average ransom demand is $1.07 million.
The attack on the Oregon DEQ is Rhysida’s third confirmed attack of 2025. The other two were against talent agency The Agency and pawn shop chain Best Collateral.
Rhysida has claimed 18 confirmed ransomware attacks on US government entities, including a high-profile attack in 2024 on the Seattle-Tacoma International Airport. The airport notified 90,000 people of the breach, and Rhysida demanded $5.8 million in ransom for their data.
Ransomware attacks on US government
In 2025 so far, Comparitech researchers have logged 15 confirmed ransomware attacks on US government entities, plus 22 unconfirmed claims.
Other recent such attacks include those on the State Bar of Texas and Gooding County, ID.
In a similar attack, last week, ransomware group Qilin claimed responsibility for a late 2024 attack on the North Platte Natural Resources District in Nebraska.
In addition to data theft, ransomware attacks on US government entities can disrupt computer access to essential services, payments, communications, and stored files. Officials must then either pay a ransom or face extended downtime, data loss, and putting constituents at increased risk of fraud.
About the Oregon Department of Environmental Quality
Headquartered in Portland, the Oregon Department of Environmental Quality is tasked with protecting the state’s natural resources, managing sanitary and toxic waste disposal, and administering Oregon’s pollution laws. It employs about 700 people, according to external sources.
