British Library Rhysida ransomware (2023)
Rhysida ransomware operators destroyed servers, demanded ~£600,000, and leaked 600 GB of internal data when the British Library refused to pay. The main catalogue did not return online — read-only — until January 2024. Recovery is consuming 40% of the Library's financial reserves.
- Victim
- British Library
- Loss
- $8.5M
In late October 2023, the British Library — the UK's national library, custodian of the legal-deposit copy of every book published in Britain — was knocked offline by Rhysida ransomware. It became one of the most painfully prolonged cyber recoveries in UK public-sector history, and the Library's openness about what went wrong has since shaped how other heritage institutions plan for ransomware.
What happened
Rhysida is a Ransomware-as-a-Service operation that first appeared in May 2023. Its affiliates targeted critical infrastructure — schools, hospitals, ministries — and the British Library fit the pattern.
The Library's own post-incident review concluded that the initial access most likely came via phishing, spear-phishing or brute-force facilitated by a compromise of third-party contractor credentials, abetted by a lack of multi-factor authentication on those third-party accounts. Inside, Rhysida's affiliates destroyed servers to inhibit recovery and forensic analysis — a destructive flourish unusual at the time but increasingly common since.
Rhysida demanded 20 BTC (~£596,000) and listed the British Library on its leak site. The Library refused to pay; in November 2023 Rhysida published approximately 600 GB of stolen material online, including HR records and internal operational documents.
The technical recovery exposed a deeper problem: decades of accumulated legacy IT that made simple migration to the cloud impossible without redesign. The Library's main catalogue did not return until 15 January 2024, and even then only in read-only form. Recovery is consuming roughly 40% of the Library's financial reserves (~£6–7 million).
Impact
- Online catalogue and most digital services offline for months.
- ~600 GB of internal data leaked publicly.
- Recovery cost estimated at £6–7 million (~40% of financial reserves).
- Triggered an 18-month strategic modernisation programme ("Rebuild & Renew").
Why it matters
The British Library did three rare things after the attack: it refused to pay, it published a detailed post-incident review, and it shared the lessons widely so other institutions could learn. The case is now a fixed reference point for what ransomware can do to cash-constrained, legacy-IT-bound public institutions — and for the specific exposure of third-party contractor accounts without MFA.
Financial impact
Reported costs in USD
- Remediation$8.5M
Timeline
Rhysida ransomware operators detonate against British Library systems, encrypting servers and exfiltrating data. The Library's online catalogues go offline.
Rhysida demands 20 BTC (~£596,000 at the time) and threatens to publish stolen data.
The Library refuses to pay; Rhysida publishes approximately 600 GB of internal data, including HR records and operational documents.
The Library transitions from crisis response to a formal 'Rebuild & Renew' programme — an 18-month strategic modernisation effort.
Main catalogue returns online in read-only format. Most other services remain unavailable for months.
Recovery costs estimated at £6–7M, roughly 40% of the British Library's financial reserves.
Sources
- en.wikipedia.orghttps://en.wikipedia.org/wiki/British_Library_cyberattack
- computerweekly.comhttps://www.computerweekly.com/news/366566355/British-Library-catalogues-back-online-after-ransomware-attack
- computerweekly.comhttps://www.computerweekly.com/news/366573453/British-Library-opens-up-over-ransomware-attack-to-help-others
- theregister.comhttps://www.theregister.com/2024/03/11/british_library_slaps_the_cloud/