Oregon Environmental Agency Recovers from Cyberattack Amid Rhysida Ransomware Speculation

The Oregon Department of Environmental Quality (DEQ) is still recovering from a recent cyberattack, and while officials haven’t confirmed the full scope of the breach, they’re not ruling out the possibility that a ransomware group like Rhysida may be involved.

The DEQ announced the cyberattack about two weeks ago, initially reporting disruptions to:

  • Vehicle smog inspections
  • Internal agency emails
  • Other online services tied to air, water, and land quality regulation

Since then, DEQ has restored most of its servers, and hundreds of staff are now working from laptops. That’s a notable shift from just last week, when most employees were forced to work from their phones due to a lack of clean devices.

According to agency spokesperson Lauren Wirtis:

  • The department has not confirmed Rhysida’s involvement.
  • It has not engaged in ransom negotiations with any party claiming to possess stolen data.
  • It will share more information once verification is complete.

Rhysida is a name we’ve been hearing more often lately. This ransomware group has been linked to:

  • The Seattle-Tacoma International Airport cyberattack
  • A breach involving Columbus, Ohio
  • Several other government and infrastructure-related targets

While DEQ hasn’t officially confirmed Rhysida’s role here, this type of breach is consistent with the group’s pattern of targeting public-sector organizations.

To prevent reinfection, DEQ is rebuilding all affected servers and employee computers. That includes reimaging devices, scanning for lingering malware, and taking steps to isolate compromised systems before reintroducing them to the network.

This response — while time-consuming — is increasingly standard when dealing with advanced persistent threats or ransomware actors.
