Foreign hackers from a group that calls itself Rhysida have begun releasing data stolen from city of Columbus servers onto the dark web, as Mayor Andrew J. Ginther remains mum as to how that may affect city employees and members of the public whose information may have been compromised.
"I can confirm that some of it has," said Daniel Maldet, with the Columbus office of CMIT Solutions, an IT consultant not directly working on the case.
"What I’m seeing are a lot of user profiles — backups from their computers," Maldet said in an email. "I’m also seeing a bunch of database backup files that were probably taken from the servers that Rhysida claims to have stolen.
"They are showing that 3.1 TB (terabytes) of data is released – 258,270 files which is 45% of the stolen data. They show, 'not sold data was uploaded, data hunter, enjoy'. This might suggest that 55% of the data was sold — that’s just a guess."
Ginther spokesperson Melanie Crabill didn't immediately respond to an email Thursday morning asking what the city knows of the data being released, and whether city employees are at risk.
The Dispatch reported Wednesday that the cybercriminals continued to blackmail the city of Columbus over a data breach of city computer files that occurred last month, threatening to publicly release a huge trove of stolen information unless someone purchased it on the dark web for roughly $1.7 million by Wednesday morning. Payment was to be in the form of 30 Bitcoins, the preferred method of cybercriminals because it makes it much harder for authorities to track versus using bank accounts.
But Rhysida later backed off on its threat, allowing more time for a bidder to step forward, Maldet said.
In fact, in a December report, Forbes noted that the rise of cryptocurrency since 2009 has allowed "ransomware-as-a-service," or RaaS, to thrive, "a quantum leap in the evolution of cybercrime, and both businesses and public infrastructure around the world are paying the price."
Cryptocurrency "made it possible for hackers to buy and sell software and services from each other without disclosing their identity or risking banks freezing their accounts," Forbes reported.
Ginther has said almost nothing concerning the hack — which his administration didn't even acknowledge for the first 10 days, before finally reporting in late July that it had "thwarted" an effort to steal city data, without giving any details about the up to 6.5 terabytes of information that had apparently already been stolen.
The city has cited an ongoing federal and local criminal investigation for keeping a lid on the totality of the problems, including what systems and data were breached. The city told Columbus police officers in late July that it believed city "data has been accessed" by a "foreign cyberattack," according to a memo from an assistant police chief.
"Fortunately, the city’s Department of Technology quickly identified the threat and took action to significantly limit potential exposure, which included severing internet connectivity," the July 29 statement from Ginther's office said. "While the threat actor’s activity was disrupted, an investigation is ongoing to determine the amount of city data potentially accessed."
The city said the "incident" occurred July 18, but it isn't clear if that's when the city detected the problem, or if that's when the city's computers were hacked.
Brian Steel, who heads the Fraternal Order of Police Capital City Lodge #9, the union for city officers, said Wednesday that the number of officers who are experiencing issues with identity theft on bank and credit card accounts continues to multiply, "same type of stuff, including retirees," Steel said.
"Once folks signed up for the credit monitoring, it's just dinging constantly - including mine."
But there's no guarantee that paying a ransom — even if such a payment were deemed legal using city tax dollars — would make the city's problems go away, Maldet said.
"They're saying on their site that they have city credentials, user name and passwords of employees," Maldet said Wednesday. "They have video camera footage. And they say they've downloaded two full servers. ... But there is no way to see what's there, because they're preventing anyone from seeing it."
Almost a month after the city acknowledged the hack, city departments were still warning about disruptions on their websites this week.
"Please Note: We are currently experiencing technical difficulties and are only accepting CASH payments for impound releases," Parking Services' website still said on Wednesday afternoon. "Ticket and permit payments may be made online but not processed at our facility. Sorry for the inconvenience."
wbush@gannett.com
@ReporterBush