Full Report
Dysruption Hub reports: The Cheyenne and Arapaho Tribes of Oklahoma say a ransomware attack forced them to shut down tribal computer networks, disrupting email and phone service and temporarily suspending some operations as systems are restored and investigators work the case. Tribal Gov. Reggie Wassana said in a statement that the tribes were “targeted by a ransomware...
Analysis Summary
# Incident Report: Rhysida Ransomware Attack on Cheyenne and Arapaho Tribes
## Executive Summary
The Cheyenne and Arapaho Tribes of Oklahoma were targeted by a ransomware attack that forced a proactive shutdown of tribal computer networks. The incident resulted in the widespread disruption of email and phone services and the temporary suspension of government operations. While the Rhysida ransomware group has claimed responsibility and listed tribal data for auction, investigators are currently working to determine the full extent of the data compromise.
## Incident Details
- **Discovery Date:** February 18, 2026 (Public disclosure)
- **Incident Date:** Mid-February 2026
- **Affected Organization:** Cheyenne and Arapaho Tribes of Oklahoma
- **Sector:** Government / Tribal Administration
- **Geography:** Oklahoma, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Exact time undisclosed; reported February 18, 2026.
- **Vector:** Unknown (Rhysida typically utilizes phishing or compromised VPN/RDP credentials).
- **Details:** Attackers gained sufficient access to deploy ransomware, prompting a network-wide shutdown.
### Lateral Movement
- **Details:** Not explicitly detailed in initial reports, though the impact on both email and phone systems suggests movement across converged IT/VoIP infrastructure.
### Data Exfiltration/Impact
- **Details:** Threat actors claim to have exfiltrated sensitive data; the Rhysida group has listed the organization on an auction site for 10 BTC (with 6 days remaining on the clock).
### Detection & Response
- **How it was discovered:** System malfunctions and service disruptions.
- **Response actions taken:** Tribal leadership suspended operations and took networks offline to contain the spread.
## Attack Methodology
*Note: Specific technical details are based on the Rhysida group's known TTPs, as information from the Tribe is still pending.*
- **Initial Access:** Often via compromised credentials or vulnerable external-facing assets.
- **Persistence:** Use of PowerShell scripts and scheduled tasks.
- **Privilege Escalation:** Exploitation of Windows vulnerabilities or credential harvesting.
- **Defense Evasion:** Deletion of shadow copies; disabling of security software.
- **Credential Access:** Harvesting from local memory or domain controllers.
- **Discovery:** Identifying high-value servers and sensitive file shares.
- **Lateral Movement:** Remote Desktop Protocol (RDP) and PowerShell Remoting.
- **Collection:** Aggregation of sensitive administrative and identity documents.
- **Exfiltration:** Exfiltration to cloud storage providers or dedicated C2 servers prior to encryption.
- **Impact:** Encryption of files using the .rhysida extension and total disruption of communication availability.
## Impact Assessment
- **Financial:** Total cost unknown; attackers demanding 10 BTC (approx. $1M+ USD depending on market rates) to prevent data release.
- **Data Breach:** Scope currently under investigation; potential exposure of tribal member and government data.
- **Operational:** High; shutdown of email, phone services, and general government functions.
- **Reputational:** Moderate; public acknowledgement by Governor Wassana used to maintain transparency with tribal members.
## Indicators of Compromise
- **Network indicators:** hxxp[://]rhysida[.]xyz (Defanged Tor leak site)
- **File indicators:** Files renamed with the **.rhysida** extension.
- **Behavioral indicators:** Mass deletion of volume shadow copies (vssadmin.exe) and abnormal outbound traffic to file-sharing sites.
## Response Actions
- **Containment measures:** Isolation of infected systems and full shutdown of tribal computer networks.
- **Eradication steps:** Ongoing forensic investigation by tribal IT and federal authorities.
- **Recovery actions:** Restoration of systems from backups is currently underway; phone and email services are being brought back online in phases.
## Lessons Learned
- **Key takeaways:** Critical communication infrastructure (phones/email) often shares the same network dependencies as general IT, so a ransomware event on the data network causes total operational paralysis.
- **What could have been done better:** Implementation of air-gapped backups and network segmentation could have limited the "all-or-nothing" nature of the system shutdown.
## Recommendations
- **Multi-Factor Authentication (MFA):** Enforce phishing-resistant MFA across all remote access points (VPN/RDP).
- **Segmentation:** Separate VoIP and critical communications infrastructure from the general administrative data network.
- **Incident Response Planning:** Develop offline communication protocols to be used when phone and email systems are compromised.
- **Endpoint Protection:** Deploy Endpoint Detection and Response (EDR) tools to identify unauthorized PowerShell execution or shadow copy deletion.
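The behavioral indicators listed above (shadow copy deletion via vssadmin.exe, files renamed with the .rhysida extension) and this last recommendation (EDR detection of unauthorized PowerShell execution or shadow copy deletion) can be expressed as simple detection logic. The following is an added example, not code from the original report or from any EDR vendor: it runs over constructed process-creation events whose fields mirror what Sysmon Event ID 1 or Windows Event 4688 provide (host, user, image, command line) and over a constructed list of file paths. Every host name, user name, path and command line below is invented for the demonstration.

```python
"""Detection logic for the behavioural indicators in this incident report.

Added example, not from the original report or any vendor product. The
event fields mirror Sysmon Event ID 1 / Windows 4688; all sample values
are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the executable that started
    command_line: str


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    evidence: str


# Shadow-copy destruction through the native Windows tools (ATT&CK T1490).
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I),
]

# PowerShell launch switches that legitimate admin scripts rarely combine:
# encoded payload, hidden window, profile bypass.
POWERSHELL_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
POWERSHELL_SUSPICIOUS = [
    re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.I),
    re.compile(r"(?:^|\s)-w(?:in(?:dowstyle)?)?\s+hidden\b", re.I),
    re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I),
]


def match_shadow_copy_deletion(event: ProcessEvent) -> Optional[Alert]:
    """Flag any process whose command line destroys volume shadow copies."""
    for pattern in SHADOW_COPY_DELETION:
        if pattern.search(event.command_line):
            return Alert(event.host, event.user, "shadow_copy_deletion",
                         event.command_line)
    return None


def match_suspicious_powershell(event: ProcessEvent) -> Optional[Alert]:
    """Flag PowerShell launches that combine two or more suspicious switches.

    Requiring two hits keeps a lone -NoProfile in a scheduled maintenance
    script from alerting while still catching '-nop -w hidden -enc ...'.
    """
    if not POWERSHELL_IMAGE.search(event.image):
        return None
    hits = sum(1 for p in POWERSHELL_SUSPICIOUS if p.search(event.command_line))
    if hits >= 2:
        return Alert(event.host, event.user, "suspicious_powershell",
                     event.command_line)
    return None


def scan_events(events: list) -> list:
    """Run every rule over every event, in order, and collect the alerts."""
    alerts = []
    for event in events:
        for rule in (match_shadow_copy_deletion, match_suspicious_powershell):
            alert = rule(event)
            if alert:
                alerts.append(alert)
    return alerts


def find_rhysida_files(paths: list) -> list:
    """Return the paths carrying the .rhysida extension named in the report."""
    return [p for p in paths if p.lower().endswith(".rhysida")]


# Constructed telemetry: one shadow-copy wipe, one encoded PowerShell launch,
# and two benign events that must not alert.
SAMPLE_EVENTS = [
    ProcessEvent("fs01", "TRIBE\\svc_backup",
                 "C:\\Windows\\System32\\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("ws17", "TRIBE\\jdoe",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QUJDREVGR0g="),  # placeholder base64
    ProcessEvent("ws17", "TRIBE\\jdoe",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"),
    ProcessEvent("ws02", "TRIBE\\asmith", "C:\\Windows\\System32\\notepad.exe",
                 "notepad.exe council_minutes.txt"),
]

SAMPLE_PATHS = [
    "\\\\fs01\\enrollment\\member_roll.xlsx.rhysida",
    "\\\\fs01\\finance\\budget_2026.xlsx.RHYSIDA",
    "\\\\fs01\\finance\\budget_2025.xlsx",
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.evidence}")
    print("encrypted files:", find_rhysida_files(SAMPLE_PATHS))
```

Shadow copy deletion is also performed by legitimate backup software and by administrators reclaiming disk space, so the alert carries host and user for triage rather than blocking outright; the value of the rule is that it fires minutes before encryption begins, which is the window in which isolating the host still prevents the "all-or-nothing" shutdown described in the lessons learned.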