
British Library — Rhysida ransomware

Rhysida ransomware encrypted the British Library's systems in October 2023; the Library refused to pay, lost 600GB of data to publication, and faced a £6–7M recovery bill.

Target: British Library — Rhysida ransomware
Date public: 28 October 2023
Sector: Government
Attack type: Ransomware
Threat actor: Rhysida
Severity: High
Region: United Kingdom

The British Library holds over 170 million items and is one of the world's great national institutions. In late October 2023 it was hit by ransomware that encrypted its servers and took its online catalogue, document delivery service, and reading-room systems offline. Researchers, academics, and librarians worldwide suddenly could not access services they depended on. The attackers demanded a ransom. The Library refused to pay. The group then published around 600 gigabytes of stolen data — including HR files — on a darknet auction site. Recovery took most of a year and cost between six and seven million pounds, a significant fraction of the Library's annual budget.

The way it happened was avoidable. Attackers got in through a remote-access server used by an external IT contractor whose account had no second authentication step. The Library's network was largely flat — once inside, the attackers could reach almost everything. Backups were connected to the same network and were encrypted too.

What makes the British Library case exceptional is what happened next: the Library published a detailed, honest account of exactly what went wrong. That document is now a reference point for public-sector cyber resilience across the UK.

What happened

On 28 October 2023 Rhysida ransomware was deployed across the British Library’s systems, encrypting servers and taking core digital services offline. The British Library is the national library of the United Kingdom, holding over 170 million items including manuscripts, books, journals, and digital collections, and providing services to millions of users annually. The loss of its online catalogue, electronic document delivery, and reading-room support systems had immediate consequences for researchers, academics, libraries, and institutions across the world that relied on its services.

The Library confirmed the ransomware attack publicly within days. Rhysida exfiltrated approximately 600 gigabytes of data including HR records relating to Library staff, and listed the data for sale in a dark-web auction with a ransom demand of 20 bitcoin (approximately £596,000 at the time). The Library’s board decided not to pay. Rhysida published the data publicly after the auction failed to attract a buyer.

Recovery was slow and expensive. The Library’s IT estate included substantial legacy infrastructure — systems that could not simply be rebuilt on modern platforms and that required careful assessment before restoration. More critically, the Library’s backup architecture had not been effectively segregated from the production network, meaning that backups were also encrypted in the attack and could not be used for rapid recovery. Significant services remained degraded or unavailable through much of 2024. The total recovery cost was estimated at £6–7 million, representing a substantial fraction of the Library’s annual operating budget and funded partly through an emergency government grant.

In March 2024 the British Library published its “Learning Lessons from the Cyber-Attack” review — a document of remarkable candour for a UK public body, written explicitly to share the Library’s experience with peer organisations across the public sector. The review has been widely cited in NCSC guidance and parliamentary discussions of public-sector cyber resilience.

How it worked

The British Library’s incident review identifies the entry point with precision. The attackers gained access through a Terminal Services (Windows Remote Desktop) server that was internet-exposed for legacy operational reasons. This server was used by a third-party IT contractor who needed remote access to perform system maintenance. The contractor’s account did not have multi-factor authentication enabled. The attacker obtained or guessed the account credentials and used them to authenticate directly to the exposed Remote Desktop server, gaining a foothold on the Library’s internal network.

From that initial foothold, the attacker had relatively unconstrained lateral movement because the Library’s network was largely flat — there was limited internal segmentation between different parts of the organisation’s infrastructure. The review describes the network architecture as having insufficient separation between systems of different sensitivity and function, meaning that access obtained through one entry point translated readily into access across the estate. The attacker moved laterally, escalated privileges, and eventually reached the systems that controlled the Library’s primary storage and services.

The ransomware was deployed after a period of reconnaissance and lateral movement — consistent with the Rhysida group’s documented pattern of establishing broad access before triggering encryption. Data exfiltration preceded the ransomware deployment: the 600GB of stolen data was extracted before the encryption payload ran, following the now-standard double-extortion model in which attackers both encrypt and steal to create two separate pressure points.

The backup architecture failure compounded the recovery problem significantly. Backups that are accessible from the same network as production systems can be encrypted by ransomware alongside production data; a backup that cannot be reached from the production environment at the moment of an attack is the only backup that is reliably recoverable. The Library’s backups were not adequately segregated, leaving recovery dependent on partial offline copies and slow reconstruction of systems from component parts.

Rhysida is assessed as a ransomware-as-a-service operation that emerged in 2023. It has targeted healthcare, education, and public-sector organisations in the UK, US, and elsewhere. The group’s operations are characterised by the use of legitimate remote-access tools for initial access, broad lateral movement via built-in Windows capabilities, and double-extortion. CISA and the UK NCSC have both published guidance specifically addressing Rhysida TTPs.

Timeline

  • 28 October 2023 — Rhysida ransomware deployed across British Library systems; core digital services go offline.
  • Early November 2023 — British Library publicly confirms ransomware attack; describes extent of service disruption.
  • Mid-November 2023 — Rhysida lists 600GB of stolen British Library data for auction on darknet site, demanding 20 bitcoin.
  • Late November 2023 — Auction deadline passes without buyer; Rhysida publishes the data publicly.
  • December 2023 – early 2024 — Library undertakes lengthy recovery process; legacy infrastructure presents rebuilding challenges; services remain degraded.
  • March 2024 — British Library publishes “Learning Lessons from the Cyber-Attack” incident review.
  • Throughout 2024 — Catalogue and online services progressively restored; full recovery not complete until late 2024 at earliest.
  • Recovery cost — Estimated £6–7 million; emergency government funding provided to supplement Library budget.

What defenders should learn

The British Library case has an unusual dual legacy: it is both a cautionary tale about preventable security failures and a model for post-incident transparency. The failures are clearly documented in the Library’s own review, which makes this case more pedagogically useful than most.

The entry point — an internet-exposed Remote Desktop server with a third-party account lacking MFA — represents a combination of failures that appears repeatedly in ransomware incidents. Remote Desktop Protocol (RDP) exposed directly to the internet is one of the most consistently exploited initial access vectors in the ransomware ecosystem. Any RDP or Terminal Services access should sit behind a VPN or zero-trust network access gateway, not be directly internet-reachable. Third-party accounts with privileged access should be subject to the same MFA requirements as internal accounts — contractor access is not a lower-risk category just because the contractor is external. The combination of internet-exposed RDP plus no MFA on a privileged account is effectively an invitation.

Network segmentation directly determines blast radius. The Library’s flat network meant that a foothold in one system translated into access across the estate. The counterfactual — a network where different functions are isolated from each other with access controls between them — does not prevent a breach, but it limits what an attacker can reach from any single entry point and forces them to conduct visible lateral movement that detection systems can identify. For organisations with large legacy infrastructure footprints, full microsegmentation may not be achievable quickly, but isolating the most sensitive systems and the most critical operational platforms from the general network is a tractable priority.
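To make the blast-radius point concrete, here is an added example (not from the Library's review, and not a real tool) that lays out the same six constructed hosts twice, once as a flat network and once segmented with an explicit allow-list of flows, and computes what an intruder holding the internet-facing remote-access host could reach in each design. It also runs the two access checks from the preceding paragraph, internet-reachable RDP and privileged accounts without MFA, over constructed firewall rules and account records. All host names, segments, flow rules and accounts are invented for illustration.

```python
"""Blast-radius and remote-access audit for a small constructed estate.

Added example: the hosts, segments, flow rules and account records below are
made up for illustration and do not describe the British Library's real
network. The same six hosts are laid out twice, once flat and once
segmented, and we compute what an intruder holding the internet-facing
remote-access host could reach in each case.
"""
from collections import deque

HOST_NAMES = ["rds-gw", "file-srv", "catalogue", "hr-db", "dc01", "backup-srv"]

# Flat design: everything sits in one segment.
FLAT_HOSTS = {name: "corp" for name in HOST_NAMES}
FLAT_FLOWS = {("corp", "*")}          # "*" = any destination segment

# Segmented design: sensitive and critical systems get their own segments.
SEGMENTED_HOSTS = {
    "rds-gw": "dmz",           # internet-facing Terminal Services host
    "file-srv": "corp",
    "catalogue": "corp",
    "hr-db": "restricted",     # HR records
    "dc01": "identity",        # domain controller
    "backup-srv": "backup",    # pulls from prod; nothing may initiate to it
}
SEGMENTED_FLOWS = {
    ("dmz", "corp"),
    ("corp", "identity"),
    ("admin", "restricted"),   # only a dedicated admin segment reaches HR
    ("backup", "corp"),        # outbound only: no rule allows X -> backup
}


def flow_allowed(src_seg, dst_seg, flows):
    """True if a connection from src_seg may be initiated to dst_seg."""
    return (src_seg == dst_seg
            or (src_seg, dst_seg) in flows
            or (src_seg, "*") in flows)


def reachable_hosts(foothold, hosts, flows):
    """Hosts an intruder can reach from `foothold`, pivoting through any
    segment whose flow rules allow the next hop (breadth-first search)."""
    segments = set(hosts.values())
    seen = {hosts[foothold]}
    queue = deque(seen)
    while queue:
        seg = queue.popleft()
        for nxt in segments:
            if nxt not in seen and flow_allowed(seg, nxt, flows):
                seen.add(nxt)
                queue.append(nxt)
    return {h for h, s in hosts.items() if s in seen}


# Constructed firewall rules and accounts for the remote-access host.
FIREWALL = [
    {"src": "internet", "dst": "rds-gw", "port": 3389},   # RDP open to the world
    {"src": "vpn", "dst": "rds-gw", "port": 3389},
]
ACCOUNTS = [
    {"user": "contractor-it", "external": True, "privileged": True, "mfa": False},
    {"user": "sysadmin1", "external": False, "privileged": True, "mfa": True},
    {"user": "reader-svc", "external": False, "privileged": False, "mfa": False},
]


def access_findings(firewall, accounts):
    """Flag internet-reachable RDP and privileged accounts without MFA."""
    findings = []
    for rule in firewall:
        if rule["src"] == "internet" and rule["port"] == 3389:
            findings.append(f"{rule['dst']}: RDP reachable from the internet; "
                            "front it with a VPN or ZTNA gateway")
    for acct in accounts:
        if acct["privileged"] and not acct["mfa"]:
            kind = "third-party" if acct["external"] else "internal"
            findings.append(f"{acct['user']}: privileged {kind} account without MFA")
    return findings


if __name__ == "__main__":
    for label, hosts, flows in [("flat", FLAT_HOSTS, FLAT_FLOWS),
                                ("segmented", SEGMENTED_HOSTS, SEGMENTED_FLOWS)]:
        reached = reachable_hosts("rds-gw", hosts, flows)
        print(f"{label}: foothold on rds-gw reaches {len(reached)}/{len(hosts)} "
              f"hosts: {sorted(reached)}")
    for finding in access_findings(FIREWALL, ACCOUNTS):
        print("finding:", finding)
```

In the flat layout the foothold reaches all six hosts; in the segmented layout it reaches four, and neither the HR database nor the backup server is reachable because no rule lets the compromised segments initiate connections to them. The flow-rule table is the control worth reviewing: every allowed pair is a pivot path, so the review question for each rule is whether the business genuinely needs that direction of initiation.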

The backup architecture lesson is perhaps the most operationally important for any organisation planning its cyber resilience posture. The principle is simple: a backup that can be reached from the production network at the moment of a ransomware attack will be encrypted. An offline backup — physically disconnected, air-gapped, or on immutable storage that the ransomware cannot reach — will not. Recovery time after a ransomware incident is largely determined by whether usable backups exist. The British Library’s extended multi-month recovery was a direct consequence of backup accessibility. Every organisation should be able to answer the question “if ransomware encrypted everything on our network right now, what would we recover from, and how long would that take?” with a tested, documented answer — not an assumption.
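The question at the end of the paragraph can be answered mechanically if the backup inventory is recorded with the right attributes. The following added example (not from the Library's review; the inventory and attack time are constructed) encodes the paragraph's rule, that any copy reachable from production at attack time is treated as encrypted unless its storage is immutable, and then reports which copy an organisation would restore from, how much data it would lose, how long the restore would take, and whether that restore has actually been rehearsed recently.

```python
"""Backup survivability drill for a constructed backup inventory.

Added example, not taken from the British Library's review. It answers
"if ransomware encrypted everything reachable from production right now,
what would we recover from and how long would it take?" for a made-up set of
backup copies. Policy encoded here: a copy that production can reach at
attack time is treated as encrypted unless its storage is immutable, and a
surviving copy is only trusted if a restore has been rehearsed within
TEST_WINDOW_DAYS.
"""
from datetime import datetime, timedelta

TEST_WINDOW_DAYS = 90

# Constructed attack time and inventory (values chosen for illustration).
ATTACK_TIME = datetime(2023, 10, 28, 3, 0)
INVENTORY = [
    {   # Nightly NAS copy on the production LAN: encrypted alongside prod.
        "name": "nightly-nas", "reachable_from_prod": True, "immutable": False,
        "last_snapshot": ATTACK_TIME - timedelta(hours=5),
        "last_restore_test": ATTACK_TIME - timedelta(days=10), "restore_hours": 8,
    },
    {   # Weekly offsite tape: offline, but nobody has rehearsed a restore.
        "name": "offsite-tape", "reachable_from_prod": False, "immutable": False,
        "last_snapshot": ATTACK_TIME - timedelta(days=7),
        "last_restore_test": None, "restore_hours": 240,
    },
    {   # Object storage with a retention lock: reachable, but cannot be altered.
        "name": "object-lock", "reachable_from_prod": True, "immutable": True,
        "last_snapshot": ATTACK_TIME - timedelta(hours=26),
        "last_restore_test": ATTACK_TIME - timedelta(days=30), "restore_hours": 36,
    },
]


def survives(copy):
    """A copy survives if production cannot reach it, or the storage is immutable."""
    return copy["immutable"] or not copy["reachable_from_prod"]


def restore_rehearsed(copy, now):
    """True if a restore from this copy was tested within the policy window."""
    tested = copy["last_restore_test"]
    return tested is not None and now - tested <= timedelta(days=TEST_WINDOW_DAYS)


def assess(inventory, attack_time):
    """Report which copies are lost, which copy we would restore from, the
    data-loss window in hours and the estimated restore time."""
    lost = [c["name"] for c in inventory if not survives(c)]
    candidates = [c for c in inventory if survives(c)]
    if not candidates:
        return {"recoverable": False, "lost": lost,
                "reason": "every copy is reachable from production and mutable"}
    # Prefer the freshest copy among those with a rehearsed restore; fall
    # back to an untested copy but say so in the report.
    rehearsed = [c for c in candidates if restore_rehearsed(c, attack_time)]
    pool = rehearsed or candidates
    best = min(pool, key=lambda c: attack_time - c["last_snapshot"])
    data_loss_hours = (attack_time - best["last_snapshot"]).total_seconds() / 3600
    return {
        "recoverable": True,
        "lost": lost,
        "restore_from": best["name"],
        "data_loss_hours": data_loss_hours,
        "restore_hours": best["restore_hours"],
        "restore_tested": bool(rehearsed),
    }


if __name__ == "__main__":
    print(assess(INVENTORY, ATTACK_TIME))
    # Same estate without the immutable copy: only an untested tape remains.
    print(assess(INVENTORY[:2], ATTACK_TIME))
    # Only the on-LAN copy: nothing survives, which is the flat-network outcome.
    print(assess(INVENTORY[:1], ATTACK_TIME))
```

With the full inventory the answer is "restore from the immutable copy, lose 26 hours of data, expect about 36 hours of restore work, and we have rehearsed it". Drop the immutable copy and the answer degrades to an untested tape with a week of data loss and a ten-day restore; drop that too and there is nothing to recover from. The point of running this as code rather than holding it as an assumption is that the answer changes the moment someone quietly moves a backup target onto the production network, and the drill will say so.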

The Library’s decision to publish a detailed and honest post-incident review is itself a lesson and a challenge to the sector. The review named the specific entry point, described the network architecture failures, acknowledged the backup shortcomings, and addressed the governance questions about why known vulnerabilities had not been addressed. This level of transparency is uncomfortable and runs counter to the instinct to limit reputational damage. But it produced a document that is now standard reading in UK public-sector cyber teams and has almost certainly improved the defensive posture of organisations that read it and acted on its findings. The broader sector benefit of a candid post-incident review substantially exceeds the marginal reputational cost to the institution. Organisations that have experienced significant incidents should consider whether the publication of a similarly honest account serves a public-good function that outweighs internal reluctance to disclose.

