© 2025 | Jefferson Public Radio
Southern Oregon University
1250 Siskiyou Blvd.
Ashland, OR 97520
541.552.6301 | 800.782.6191
Listen | Discover | Engage a service of Southern Oregon University
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Hackers release millions of files after Oregon DEQ cyberattack

Oregon's Department of Environmental Quality website on April 25, 2025.
April Ehrlich
/
OPB
Oregon's Department of Environmental Quality website on April 25, 2025.

It’s not yet clear if Oregonians’ vehicle registration data is impacted.

A ransomware group has released over a million files that the group says it stole from the Oregon Department of Environmental Quality. The files appear to include sensitive information about DEQ employees.

It’s not clear if private vehicle registration data or other information related to Oregonians who don’t work at DEQ was also stolen.

DEQ announced earlier this month that it had to freeze most of its services after a potential cyberattack. The state agency regulates air quality, toxins, waste and pollution. It also runs vehicle smog inspections that are required for driver registrations in the Portland and Medford areas.

An agency spokesperson didn’t confirm on Thursday how much data was stolen, noting only that an investigation was ongoing.

But by the time of that OPB interview, a well-known and advanced ransomware group called Rhysida had already released 1.3 million files amounting to 2.4 terabytes on the dark web, a part of the internet that’s only accessible through special software.

“We tried to contact them, but they chose to ignore us,” Rhysida’s website read Thursday. “And now their files have been released.”

The landing page for ransomware group Rhysida, which is only accessible through a dark web browser, indicated that a portion of files stolen from the Oregon Department of Environmental Quality had been sold, and the rest was left available for download, on April 24.
Screenshot
/
Rhysida
The landing page for ransomware group Rhysida, which is only accessible through a dark web browser, indicated that a portion of files stolen from the Oregon Department of Environmental Quality had been sold, and the rest was left available for download, on April 24.

Prior to the data release, Rhysida claimed the files were worth 30 Bitcoins, which would be worth about $2.5 million. The hacker group set the clock for a weeklong auction where bidders could name their price for “exclusive, unique, and impressive data.”

By Wednesday, Rhysida’s site indicated a portion of DEQ’s files had been auctioned off to data buyers. The rest was available for anyone to download from the dark web.

Rhysida has targeted multiple organizations in recent years, including the British Library, medical facilities and the Chilean Army. The group also hacked into computer servers run by the Port of Seattle in a breach affecting 90,000 people.

DEQ first announced it was experiencing a potential cyberattack on April 9. The agency shut down most of its services and programs. For the rest of that week, DEQ posted daily updates denying that there had been a data breach.

During that time, employees didn’t have access to their internal network files or email inboxes. Any emails sent to staff between April 9 and 11 were never received, and need to be sent again. Some permitting and public engagement processes were also put on hold.

DEQ also paused vehicle emissions testing, which is required for driver registrations in the Portland and Medford areas. Oregon drivers also couldn’t get their vehicles tested at gas stations, mechanics or other businesses that offer the service, or at state-operated locations. As of Friday, the system that allows businesses to offer emissions testing remained down, but testing has been available at DEQ’s own testing sites since April 14.

It wasn’t until April 15 that DEQ staff said the incident was an “unexpected cyber attack,” rather than a potential attack. The following day, an online tech news website, SecurityWeek, reported that Rhysida had claimed responsibility for the data breach and was giving the agency a week to respond. That was the most information that had so far become available to Oregonians about the nature of the attack.

The Rhysida landing page as of Thursday, April 25.
Screenshot
/

Rhysida

The Rhysida landing page as of Thursday, April 25.

By April 17 — last Thursday — DEQ officials said its employees didn’t have laptops and were working from their phones. On Friday, DEQ said hundreds of its employees were working on laptops.

During Thursday’s interview with OPB, DEQ spokesperson Lauren Wirtis noted that information stored on the agency’s new online portal, DEQ Online, was not affected. DEQ has moved most of its air, land and water quality permitting programs to this portal.

“So in terms of DEQ carrying out its mission to protect air, land and water in the state of Oregon, that is something that we have continued to uphold during this time,” Wirtis said.

Enterprise Information Services, under the Oregon Department of Administrative Services, is investigating the cyberattack.

“The state cybersecurity services is enhancing cyber defense measures to protect DEQ assets and other state enterprise networks in conjunction with the agency services recovery,” Wirtis said in an emailed statement Friday.

April Ehrlich reports on lands and environmental policy for Oregon Public Broadcasting, a JPR news partner. Her reporting comes to JPR through the Northwest News Network, a collaboration between public media organizations in Oregon and Washington.
Public media is at a critical moment.

Recent threats to federal funding are challenging the way stations like JPR provide service to small communities in rural parts of the country.
Your one-time or sustaining monthly gift is more important than ever.