Oregon DEQ Cyberattack: Rhysida Ransomware Group’s Claims and the Truth Behind the Attack

The Oregon Department of Environmental Quality (DEQ) recently became the target of a cyberattack, sparking a fierce debate between the agency and the notorious Rhysida ransomware group. As the DEQ attempts to contain the incident, the group claims they’ve exfiltrated over 2.5 terabytes of data from the agency, but the DEQ denies any breach. This situation highlights the complexity of modern cyberattacks and the challenges organizations face in defending sensitive information.

On April 9, 2025, the Oregon DEQ acknowledged a cyberattack that forced the agency to take several of its networks offline in an effort to limit the damage. The attack caused disruptions to various operations, including vehicle inspection stations, email services, and help desk systems. However, the DEQ stated that their environmental data management systems remained unaffected because they were hosted on a separate server. Despite the disruption, the agency has continued to assert that there is no evidence of a data breach.

Rhysida, a notorious ransomware group, made headlines by claiming responsibility for the attack. The group posted an ominous message, suggesting they had stolen over 2.5 terabytes of data from the DEQ, including sensitive employee and SQL data. Rhysida even demanded a ransom of 30 BTC (roughly $2.5 million), stating they would only sell the data to one buyer. The group further added a countdown timer and released a blurry screenshot, supposedly showing part of the stolen data.

However, Rhysida has offered little to back up its claims. Without tangible proof, such as multiple sample files, the group's assertion cannot be validated. This uncertainty leaves both the public and the agency in a difficult position. In the face of such attacks, individuals and organizations alike must prioritize protecting their personal and professional data through cybersecurity measures.

What Undercode Say:

The DEQ’s denial of a data breach is not unusual in the wake of cyberattacks. The attack itself, while serious in nature, is still under investigation, and it’s possible that the true extent of the breach might not be immediately apparent. The DEQ’s emphasis on no evidence of data exfiltration might stem from an ongoing forensic analysis to determine if any data was actually compromised.

On the other hand, the tactic behind Rhysida's public claim is not unique to this group. Many ransomware attackers use intimidation tactics, such as posting screenshots or threatening to sell stolen data, to force organizations into paying a ransom. However, the fact that Rhysida provided only one low-quality screenshot and no substantial evidence of the stolen data makes it difficult to assess the true risk of this breach.

Ransomware groups like Rhysida have grown increasingly sophisticated in their methods, including using encrypted communications, leveraging dark web forums, and employing psychological tactics to pressure their victims into paying. In this case, the demand of 30 BTC, approximately $2.5 million, highlights the growing financial motivations behind these cyberattacks.

Despite the

Fact Checker Results:

The Rhysida ransomware group's claims of stealing over 2.5 terabytes of data remain unverified. With no substantial proof provided, it's impossible to confirm whether the group indeed exfiltrated data from the DEQ. The DEQ's investigation is ongoing, and as of now, there is no evidence supporting the ransomware group's allegations.

References:

Reported By: www.bitdefender.com