Hours counting down on deadline before ransomware group leaks Columbus data

COLUMBUS, Ohio (WCMH) — City employees are sharing frustration, confusion and fear Wednesday evening, as questions about the ransomware attack against the City of Columbus almost three weeks ago went unanswered.

The Rhysida ransomware group claimed responsibility for the hack on Columbus’ systems, and while the mayor said IT staff were able to stop them from encrypting and locking employees out, he admitted that the hackers accessed and may have taken personal data. Rhysida’s onion site on the dark web advertises it stole 6.5 terabytes, including passwords and copies of the city’s servers and databases.

Multiple cybersecurity experts confirmed for NBC4 that Rhysida is holding an auction asking for 30 bitcoin — or $1.7 million — that ends at 5:35 am Thursday. The contents of the data are something the city said it won’t reveal, to protect the integrity of an investigation involving the FBI and the US Department of Homeland Security.

Rhysida restarted an auction for stolen City of Columbus data on the group’s dark web onion site. (Courtesy Photo/Daniel Maldet)

After at least a dozen Columbus officers reported their bank accounts were tampered with, the city announced free credit monitoring services for its employees. Officials noted they should be receiving enrollment instructions in the mail on Wednesday, hours after the auction was originally supposed to end. The enrollment instructions also may arrive only hours before Rhysida’s extended deadline, but the local chapter of the Fraternal Order of Police said its members hadn’t seen anything arrive yet.

“They have announced intent, but no pathways to sign up at Columbus city’s expense,” said Executive Vice President Brian Toth.

One of those cybersecurity experts, CMIT Solutions’ Daniel Maldet, showed NBC4 Investigates the Rhysida group’s site on the dark web. Screenshots showed filenames hinting they contained pay grade rates, addresses, and employee Social Security numbers. Rhysida also claims it has city video cameras, databases and servers.

Almost like a shopping website, Rhysida advertises other organizations that have been hacked in a list. Some victims’ information was sold, while others that never secured a bidder were publicly dumped.

NBC4 Investigates spoke with the New Mexico Public Defender’s Office, which was also hacked by Rhysida. The office said Columbus is a big get for this group, but it’s by no means the first.

While the office is not a whole city, it said recovery has taken weeks; it has now entered its seventh week working to pick up the pieces.

  • Rhysida begins leaking stolen data from the City of Columbus on the group’s dark web onion site. (Courtesy Photo/Daniel Maldet)

  • Rhysida’s dark web onion site shows a dead page after clicking the link to access leaked data from the City of Columbus. (Courtesy Photo/Daniel Maldet)

The Columbus auction was previously supposed to end at 5:35 am Wednesday morning, according to NBC4’s cybersecurity sources. When that timer ran out, the group started to upload the stolen data as a public leak. But all of a sudden, Rhysida extended the auction and the link to the data was never made available.

Maldet shared why he thinks the Rhysida group is giving buyers more time.

“Maybe they feel that there is an opportunity to sell it,” Maldet said. “Even though it didn’t sell up until this point, we don’t know what kind of offers it may have gotten. So I’m guessing that they do have some valuable data there and they feel that it’s worth selling versus releasing.”

NBC4 Investigates reached out to multiple city officials, each of whom directed questions back to the mayor’s office, which said the mayor would make time for an interview once they had “their arms wrapped around the situation.”

In some cases, organizations that are hacked pay the ransom to recover their data, but Maldet said that’s not a good idea.

“The general suggestion is to never negotiate with the threat actors, never pay a ransom,” Maldet said. “We know that it happens, though, and businesses do that because that’s the easy way out. That’s the way to get back in business quickly, especially if they’re not prepared ahead of time for something like this.”

He noted every city employee or resident who has a city account should change their passwords immediately and set up two-factor authentication.

Copyright 2024 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.