
The Rhysida ransomware group has released nearly 2 terabytes of data stolen from Gemini Group Inc., a Michigan-based manufacturing firm supplying major automotive companies across North America.
The leaked dataset, totaling 1.9TB and containing more than 1.7 million files, appeared on the gang’s dark web site following a one-week countdown that began in late October. The attackers had previously claimed to have infiltrated Gemini Group’s systems and exfiltrated extensive corporate and employee records.
The exposed information includes payroll and vacation balance documents, health insurance data, invoices, customer lists, and internal templates. Also among the leaked materials are employee personal files containing full names, Social Security numbers, home addresses, dates of birth, and salary details. The compromised data places current and former employees at risk of identity theft, financial fraud, and social engineering attacks.
In addition to sensitive employee data, the breach revealed detailed business records such as purchasing reports, client contact information, and vendor health insurance documents. Such exposure could create operational and competitive risks for the company, which employs more than 1,400 people and generates approximately $300 million in annual revenue.
Gemini Group, headquartered in Bad Axe, Michigan, operates 18 facilities across the United States and Mexico. The company provides plastic extrusion, blow molding, and metal tooling services, with its components used by leading automakers including Ford, Toyota, and General Motors.
The Rhysida gang, a Russia-linked ransomware collective active since mid-2023, has targeted a range of industries worldwide, from healthcare and education to government and manufacturing. The group typically uses a “double extortion” method, stealing data before encrypting systems and threatening to publish stolen information if ransom demands are not met.
Rhysida’s past operations have included attacks on the Maryland Department of Transportation, Peru’s government systems, the Cookeville Regional Medical Center in Tennessee, and the Seattle-Tacoma International Airport. The group has also been associated with phishing campaigns distributed through Microsoft Teams, Zoom, and other collaboration tools, designed to deliver malware and gain unauthorized network access.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543