A ransomware gang called Rhysida yesterday took credit for a December 8, 2025 cyber attack on the Cheyenne and Arapaho Tribes’ IT systems.
Tribal leadership publicly disclosed the attack on January 7, 2026, and said 80 percent of its systems were operational again one month after the attack.
Rhysida demanded the Cheyenne and Arapaho Tribes pay 10 bitcoin in ransom, worth nearly $700,000, within seven days.
The Cheyenne and Arapaho Tribes have not acknowledged Rhysida’s claim, and Comparitech cannot independently verify it. We do not know what data might have been compromised, if the tribes paid a ransom, or how attackers breached their network. Comparitech contacted the Tribes for comment and will update this article if they reply.
“On or about December 8, 2025, the Tribe’s Information Technology (IT) team identified an attempted cybersecurity intrusion. Although the attempt did not result in any confirmed data loss, tribal leadership acted immediately and decisively to protect tribal member information and critical infrastructure,” says the tribes’ January announcement. “Out of an abundance of caution, all systems were taken offline–not because every system was compromised, but to ensure a comprehensive review and a secure restoration process.”
“As of today, approximately 80% of tribal employee users at the Concho headquarters have had their systems fully restored.”
This isn’t the Cheyenne and Arapaho Tribes first tangle with ransomware. In June 2021, unknown hackers attacked Lucky Star Casino, which is operated by the tribes. No ransom was paid, according to tribal leaders.
Who is Rhysida?
Rhysida is a cybercriminal group that first surfaced in May 2023. Its ransomware can steal data and lock down targeted systems. It then demands a ransom both for deleting stolen data and for a key to restore infected devices. Rhysida operates a ransomware-as-a-service business in which affiliates pay Rhysida to use its malware and infrastructure to launch attacks and collect ransoms.
Rhysida has claimed responsibility for 104 confirmed ransomware attacks since it began, plus 159 unconfirmed attack claims that haven’t been publicly acknowledged by the targeted organizations.
21 of Rhysida’s confirmed attacks hit government entities. Its average ransom demand across those attacks is $1.5 million.
In November 2025, the group took credit for breaching the MACT Health Board, which operates several tribal clinics in California.
Last year, Rhysida also claimed responsibility for cyber attacks on the Oregon Department of Environmental Quality and Maryland’s Department of Transportation.
Ransomware attacks on government
In 2025, Comparitech researchers logged 83 confirmed ransomware attacks on government entities in the US. The confirmed attacks compromised more than 639,000 records and came with an average ransom demand of more than $1 million.
The city of York, PA just reported a July 2025 ransomware attack. The town paid a ransom of $500,000 after the attack shut down its email communications and disrupted parking systems.
Four other local governments confirmed ransomware attacks in 2026:
- Midway, FL
- Winona County, MN
- New Britain, CT
- Tulsa International Airport, OK
Ransomware attacks on government entities can both steal data and lock down computer systems. They can disrupt any number of government systems from bill payments to court records and even emergency dispatch. Governments must pay a ransom for the stolen data and to restore systems, or else they face extended downtime, permanent data loss, and putting data subjects at increased risk of fraud.
About Cheyenne and Arapaho Tribes
The Cheyenne and Arapaho Tribes are a united, federally recognized tribe of Southern Arapaho and Southern Cheyenne people in western Oklahoma. They are headquartered in Concho, Oklahoma and represent more than 12,000 people.
