Ransomware gang says it hacked Goodwill, shut down stores in Texas

Ransomware group Rhysida yesterday claimed responsibility for a November 2024 cyber attack on Goodwill North Central Texas.

Goodwill North Central Texas announced a “company-wide technical issue” on November 10, 2024 that shut down all of its stores. They started reopening on November 13 and all stores were back up and running by November 22.

Rhysida says it stole confidential data from Goodwill, but Goodwill hasn’t acknowledged Rhysida’s claim. Rhysida posted what it says are scans of stolen documents on its leak site as proof of the data breach.

We don’t yet know what data Rhysida claims to have stolen, though the proof pack contains scans of passports and Social Security cards. Goodwill has not stated how many people might be affected, how attackers breached its network, or whether it did or will pay a ransom. Comparitech contacted Goodwill North Central Texas for comment and will update this article if it responds.

In a November 10 Facebook post, the company stated, “Attention Shoppers and Donors… due to a company-wide technical issue, all Goodwill North Central Texas stores are closed until further notice.”

Who is Rhysida

Rhysida is thought to have ties to the ransomware group Vice Society and first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected systems.

Rhysida has claimed 64 confirmed ransomware attacks to date, affecting more than 4 million records. Its average ransom demand is $1.25 million

The group doesn’t shy away from attacks on charitable organizations. Its past targets include Project Hospitality and Maryville Academy, both of which Rhysida attacked in July 2024.

Rhysida’s other recent claims include attacks on Vermilion Parish School System (LA) and Granite School District (UT).

Rhysida claimed another 91 unconfirmed attacks that weren’t acknowledged by targeted organizations.

Ransomware attacks on US retail

Ransomware attacks on US retailers can close down stores, delay shipments, and cut off access to computers used for everything from payroll to phone and email systems. Attackers demand a ransom in exchange for a key to restore infected systems. They might also demand further ransom for not selling or publishing stolen data.

In 2024 so far, Comparitech researchers logged 18 confirmed ransomware attacks on US retail companies. The largest of these was Rhysida’s attack on MarineMax, which led to a breach of 123,494 records. Rhysida demanded $1 million in ransom at the time.

About Goodwill North Central Texas

Goodwill Industries is a non-profit chain of thrift stores that sells donated secondhand goods. The company provides job training and employment placement to people who face employment challenges.

Goodwill North Central Texas operates 26 locations in and around Fort Worth, TX.