The government of Columbus, Ohio said it is aware of claims made by a ransomware gang that troves of sensitive city information are available for sale. The Rhysida ransomware group took credit on Wednesday for the 18 July attack, threatening to leak 6.5 terabytes of information exfiltrated from the city’s systems, allegedly including emergency services data, access to city cameras and more.
A city spokesperson said late last week they are aware of the matter but could not comment, adding that the situation is “both serious and ongoing.” The spokesperson said they could not share further details because they are supporting “an effective investigation” and need to “protect our IT infrastructure and confidential information.” When asked about the potential for city employee data to have been leaked, the spokesperson explained that those affected will be contacted and given additional guidance. She could not provide a timeline for when more information will be released.[1]
The comments come after the city published a statement on 29 July claiming it had “thwarted” the ransomware attack and was able to “significantly limit potential exposure.” The statement acknowledged: “While the threat actor’s activity was disrupted, an investigation is ongoing to determine the amount of city data potentially accessed.”
The hacker gained access to the city’s systems “through an internet website download and not an email link, as was originally believed to have been the access point,” city investigators said. The FBI and the Department of Homeland Security have been involved in the response since the attack was discovered on 18 July.
Columbus mayor Andrew Ginther said the city was “the victim of a crime committed by an established, sophisticated threat actor operating overseas. We continue to focus on restoring city services,” he said. “We appreciate the grace our residents have offered us and the dedication of our employees working to keep our city running.” The city’s department of technology is working with federal authorities and experts to go through each technology system before they are brought back online.
Government email access has been restored after more than a week of outages. The 911 and 311 services remained operational throughout the recovery process.
Rhysida ransomware actors continue a streak of ruthless attacks against children’s hospitals, churches, libraries, governments and industry-leading companies. The gang most recently offered for sale the Social Security numbers and financial account information of thousands of students attending New Jersey City University.
Rhysida is offering the alleged data from the government of Columbus for 30 BTC (about $1.9 million) and has set a ransom deadline of one week.
Rhysida first became active around May 2023, according to the federal Cybersecurity and Infrastructure Security Agency (CISA). The group was behind an attack on the British Library in the UK in Nov. 2023, a breach of the Chilean army in May 2023 and an attack on video game developer Insomniac Games that led to the company's confidential data being leaked online. The group uses "double extortion" tactics, demanding a ransom payment to decrypt data and threatening to publish the stolen data unless the ransom is paid, according to CISA.[2] The group may be run by the same individuals behind another ransomware group, Vice Society, which mainly targets educational institutions, according to CISA.
The group's members are likely Russian speakers based in the country, which does not extradite criminals to the US except during rare prisoner swaps. Jarvis said that cyber criminals there operate with a "tacit endorsement" from the Russian government. "(The Russian government) says, 'If you don't attack us or our allies, then you can basically have free rein throughout the rest of the world, and you can operate from here, and you're not likely to be arrested,'" he said.
Even when law enforcement successfully identifies a member of a ransomware group, they may have to wait years before the hacker travels outside of Russia to arrest and extradite them, Jarvis added.
See: https://redskyalliance.org/xindustry/qakbot-down-but-rhysida-is-not
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).
[1] https://therecord.media/colombus-investigating-data-leak-ransomware-attack/
[2] https://www.msn.com/en-us/news/us/rhysida-ransomware-group-takes-credit-for-columbus-cyberattack-auctions-stolen-data/ar-BB1r1vDp/