
More than 6TB of sensitive data allegedly belonging to the City of Columbus, Ohio, is being auctioned off by the Rhysida ransomware group. The gang apparently stole the data during a July cyberattack.
The city had alerted Columbus residents to the July 18th attack on social media and then provided an update on its official government website.
Named after the Italian explorer Christopher Columbus, the midwestern city has a population of just over 900,000 as of 2022.
“The City of Columbus is experiencing a network issue that may be impacting services relying on the city’s internet,” the city posted on X during the attack.
“Critical functions, including 911 and 311, are still operational. We are working to restore additional services to support our residents,” it said.
City of Columbus (@ColumbusGov), July 19, 2024
Ironically, on Monday, in an update on the July attack, Columbus officials claimed that the city’s IT teams were able to thwart the attackers, preventing them from encrypting the city’s network infrastructure.
“Fortunately, the city’s Department of Technology quickly identified the threat and took action to significantly limit potential exposure, which included severing internet connectivity,” city officials wrote.
However, it appears the cyber team was unable to prevent the ransomware gang from exfiltrating what the gang claims is 6.5TB of sensitive information from Columbus’ government systems.

Coincidentally, the thought-to-be Russian-affiliated criminal group posted about the massive cache of stolen data on the Rhysida dark leak site, also on Monday.
“Columbus is an American city – the state capital and largest city in Ohio. It is the 15th largest city in the United States,” the gang 'copied and pasted' on its dark blog.
“Participating in the auction, you have the opportunity to buy more than 6.5TB of databases, internal logins and passwords of employees, a full dump of servers with emergency services applications of the city, access from city video cameras,” the post said.
The double-extortionists also offered to throw in “full instructions and support” and “certificates for databases” to whoever decides to purchase the cache for a price of 30 bitcoin (BTC) – the equivalent of exactly $1,925,121.16 as of Thursday.
According to the blog, the gang originally gave the city a seven-day deadline to pay up; the Rhysida countdown clock will run out next Monday, August 5th.

The gang also posted a swathe of samples with its post as proof of the claim.
Cybernews was able to examine the sample files, noting the group had accessed dozens of program files, including access to databases, passwords, cloud data management files, system backup files, employee data, personal messages, payroll information, and even the city’s traffic cameras.

For now, Columbus Mayor Andrew J. Ginther said the main focus is to restore city services and that the incident “remains an ongoing situation and the investigation is in its earliest stages.”
The city also said that, besides pulling in the FBI and Homeland Security to help in recovery, it would be notifying any residents whose information was compromised in the attack.
The Mayor stressed that a thorough investigation will “help to educate other cities on how they can avoid falling victim to similar attacks.”
Rhysida strikes again
The Rhysida ransomware group has only been in operation for just over a year, coming onto the scene in May 2023, according to a US government profile on the group published last August.
The profile labeled the group's namesake ransomware as "unsophisticated" and said it is typically launched through phishing attacks or by seeking out vulnerabilities using Cobalt Strike pen-testing tools.
Rhysida is known for going after “targets of opportunity,” including the education, healthcare, manufacturing, information technology, and government sectors, and is thought to have ties to the Vice Society ransom gang.
Other victims this year include the Anne & Robert H. Lurie Children’s Hospital in Chicago, where the group – in a move criticized as ‘lower than low’ by security researchers – sold all the stolen data online after failing to secure a $4 million ransom demand (60 BTC).

Known to operate as a ransomware-as-a-service (RaaS) group selling its hacking tools to other groups for a cut of the profits, the criminal outfit often practices double extortion. Even after a victim has paid for a decryption key, the gang threatens to leak the stolen data unless it receives a second payout.
In February, a research team from the Korea Internet & Security Agency (KISA) was able to crack the gang’s encryption code and shared a free Rhysida Decryption Tool and manual on its website.
In 2024, Rhysida was behind the British Library hack, an attack on luxury yacht dealer MarineMax, and the Prince George’s County school system attack in Maryland, and it auctioned stolen data from the Spider-Man video game maker Insomniac Games.
Last summer, the group also claimed responsibility for a debilitating attack on the California-based healthcare conglomerate Prospect Medical Holdings (PMH), knocking out services for dozens of hospitals and healthcare facilities across several states, as well as another video game maker, the Munich-based Travian Games in December.