Municipal Governments and External Data Privacy

City of Columbus Ohio Ransomware Attack – a Postmortem Through the Prism of External Data Privacy

In 2023, according to Statista data, the manufacturing sector was the industry most targeted by ransomware attacks.  Companies in manufacturing saw 638 discrete ransomware attacks in that one year alone.  Just-in-time manufacturing, a delicate choreography of supply chains bringing thousands of components from as many suppliers into a facility where thousands of workers stand ready to assemble products, makes a compelling target because manufacturers cannot afford to let production lines stand idle for any significant period of time.

[Figure: Industries most targeted for ransomware attacks. Industry sectors worldwide frequently affected by industrial ransomware incidents in 2023, by number of attacks (Statista).]

But today’s postmortem is about another “M-word” which has become a focus of cyber-attacks and, in particular, ransomware attacks: municipalities.  The Statista data above shows the government sector to be the “least of the most frequently affected”.  Still, it remains among the most affected sectors, and the frequency of attacks, especially on local and state governments, is rising sharply.

A 2023 study by the cyber security firm Sophos, The State of Ransomware in State and Local Government 2023, documents this rise: the share of state and local government organizations reporting a ransomware attack in the preceding year increased from 58% to 69% year over year.

This paper will examine the dynamics of one recent ransomware attack upon the City of Columbus, Ohio and expound upon how and why municipal governments are being targeted by ransomware attacks.  It will also illustrate how these governmental organizations are vulnerable and what can be done to strengthen their defenses against threat actors seeking to extort money from them.

THE VICTIM ORGANIZATION

The municipality of Columbus, Ohio is the capital and most populous city in the state.  The 2020 census reports a population of 905,748, making Columbus the 14th most populous city in the United States and the second-most populous midwestern city behind Chicago.  Columbus is the core city of the Columbus metropolitan area, which encompasses ten central-Ohio counties and was home to 2.14 million people as of 2020.

Columbus has a generally strong and diverse economy based on education, insurance, banking, fashion, defense, aviation, food, logistics, steel, energy, medical research, health care, hospitality, retail and technology – all industries frequently targeted by threat actors and vulnerable to cyber attacks.

KNOWN FACTS OF THE ATTACKS

The ransomware group known as Rhysida has claimed responsibility for exfiltrating 6.5 terabytes of sensitive data from servers owned by the City of Columbus.  Analysts at the dark web monitoring services Dark Web Intelligence and RansomLook both confirmed the breach.

On July 18, 2024, Columbus Mayor Andrew Ginther reported that multiple online city services had been interrupted by the ransomware attack.  Rhysida held the 6.5 TB hostage, and although Columbus reported that it had secured its information systems, the group moved ahead with an auction of the data it exfiltrated while it had unauthorized access to city servers.

The auction is set to take place on the dark web, where such illicit transactions are commonly performed.  Access to the auction, and to most of the dark web, requires Tor, an anonymity network reached through the Tor Browser, which routes traffic through several relays so that neither the visitor nor the site exposes its network address.  As detailed in a recent Privacy Bee White Paper, Privacy Bee as a Superior Post-Breach Remedy, “Experts estimate there are more than 10,000 dark web marketplaces.  Dark web marketplaces cannot be found using common search engines.  Nor can they be accessed using regular web browsers.  These hidden markets are routinely used – due to their masked accessibility – to broker transactions involving stolen data as well as illegal drugs, weapons, counterfeit currency and other forms of contraband.”

A screenshot of the items up for auction was posted Wednesday by Dark Web Intelligence and several other sources.  The image revealed Rhysida was hosting an auction for the data and catalogued what they claimed the auction’s winner would receive including:

  • Internal logins and passwords for city employees
  • City databases
  • A full dump of servers with emergency services applications for the city
  • Access to city video cameras
  • Full instructions and support, as well as certificates for the databases

“We sell only to one hand, no reselling,” Rhysida reportedly wrote on the listing. “You will be the only owner!”

The reserve price Rhysida set for this trove of Columbus municipal data was 30 bitcoin (roughly $1.9 million at the time of this paper’s writing).

INITIAL CONSEQUENCES OF THE ATTACK

As soon as the breach was discovered, the City of Columbus cut its systems off from the internet entirely.  This quick response interrupted the threat actors before they could encrypt the data.  Typically, in ransomware attacks, threat actors encrypt the data within the systems they have breached and hold it for ransom, locking authorized users out of their own systems until a payment is extracted, at which point a decryption key is supposed to be handed over.  In practice, payment guarantees neither a working decryptor nor the deletion of any copied data, which is why the exfiltration described here matters as much as the encryption that was averted.

Because the City of Columbus was able to expel Rhysida before the hackers could encrypt the data, the city was able to avoid having to pay ransom for the release of their data.  The Mayor of Columbus sought to promote this as a small win for the city and its IT team.  However, terabytes of data had still been downloaded and, instead of holding it for ransom in exchange for decryption, the threat actors simply offered the data for auction on the dark web which is, in many ways, a worse outcome. 

The initial interruption was very damaging to city services and the citizens who rely upon them. More than a week after the breach was discovered and announced, city employees were still unable to send or receive external emails. City of Columbus officials were able to restore 911, 311 and city employee payroll functions to normal operations.   Yet, myriad essential services including those dedicated to public safety, public health and public utilities were kept offline even after the encryption efforts had been thwarted. 

Columbus Mayor Ginther said, “The issue is we can’t restore things until we know they are safe and secure, and so our focus is going to be on public safety, public health, and public utility.”  Ginther suggested anything beyond essential basic services would remain offline until investigations are able to unfold and threat levels are determined to be within tolerances.

In an especially embarrassing and troubling turn of events, a dozen Columbus police officers reported that their personal accounts, including bank accounts, had been compromised using personally identifiable data stolen in the breach.  Some officers reported fraudulent lines of credit opened in their names, while others said funds had been fraudulently transferred out of their bank accounts.  Brian Steel, president of the local Fraternal Order of Police lodge, suggested these consequences might stem from Columbus city data compromised in an earlier incident; the investigation to determine the source is still under way.

ATTACK VECTORS AND EDPM

According to the NBC television affiliate in Indiana, “The mayor’s office revealed that the FBI and U.S. Department of Homeland Security both stepped in at the city’s request after initially being compromised by ransomware. [Mayor] Ginther shared hackers accessed the city’s internal network through ‘an internet website download,’ of a .zip file, rather than an infected email. He didn’t specify whether a city employee initiated the download and subsequent breach, or which department it originated in.”

It is likely that a city employee initiated the download of the .zip file containing the malicious code that led to the breach.  Delivering social engineering messages crafted to be relevant to carefully selected recipients is a common way for attackers to bypass password-protected areas, encryption, firewalls and the other elements of a traditional information security program: the victim’s own click does the work the controls were built to stop.
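The attack vector described above is a .zip archive fetched from a website and opened by a user.  The following is an added example, not code from this paper, from Privacy Bee or from the City of Columbus: a gateway-style triage check that inspects an archive’s entries before anyone opens them and flags the member types a phishing lure typically depends on (executables and scripts, nested containers and shortcuts, double extensions, Zip Slip path traversal, decompression bombs, and members whose file signature contradicts their name).  The lure archive it inspects is constructed inline for the demonstration, and its file names are invented.

```python
"""Triage a downloaded .zip archive before anyone opens it.

Added example, not code from the original paper or from the City of
Columbus. It models a simple mail/web-gateway check: inspect the archive's
entries and flag the member types a phishing lure typically relies on.
The lure archive is constructed inline for the demonstration; the
file names in it are invented.
"""
import io
import posixpath
import zipfile

# Member types that have no business in a "document" download.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".msi", ".cpl"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
CONTAINER_EXTS = {".zip", ".7z", ".rar", ".iso", ".img", ".lnk"}
RISKY_EXTS = EXECUTABLE_EXTS | SCRIPT_EXTS | CONTAINER_EXTS

# File signatures: DOS/PE header ("MZ") and the Windows shortcut header
# (HeaderSize 0x4C followed by the start of the LNK CLSID).
PE_MAGIC = b"MZ"
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"


def _escapes_extraction_dir(name: str) -> bool:
    """True for Zip Slip style names that would write outside the target dir."""
    if name.startswith(("/", "\\")):
        return True
    first = name.replace("\\", "/").split("/")[0]
    if ":" in first:               # Windows drive letter such as C:
        return True
    return posixpath.normpath(name).startswith("..")


def triage_zip(data: bytes, max_ratio: float = 100.0) -> list[str]:
    """Return a list of findings for the archive; an empty list means nothing flagged."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes_extraction_dir(name):
                findings.append(f"path traversal: {name}")
            if info.is_dir():
                continue
            ext = posixpath.splitext(name)[1].lower()
            # "Budget.pdf.exe" displays as "Budget.pdf" when extensions are hidden.
            if ext in RISKY_EXTS and posixpath.basename(name).count(".") > 1:
                findings.append(f"double extension: {name}")
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable: {name}")
            elif ext in SCRIPT_EXTS:
                findings.append(f"script: {name}")
            elif ext in CONTAINER_EXTS:
                findings.append(f"nested container or shortcut: {name}")
            # Decompression bomb: a tiny member that inflates enormously.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append(f"suspicious compression ratio: {name}")
            # The extension can lie; the first bytes of the member cannot.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
                findings.append(f"PE header under non-executable name: {name}")
            if head.startswith(LNK_MAGIC) and ext != ".lnk":
                findings.append(f"LNK header under non-shortcut name: {name}")
    return findings


def build_lure_archive() -> bytes:
    """Constructed sample resembling a 'budget documents' lure (invented names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Budget_FY2025/README.txt", "Open the attached document.\n")
        zf.writestr("Budget_FY2025/Budget_FY2025.pdf.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("Budget_FY2025/open_me.js", "new ActiveXObject('WScript.Shell');\n")
        zf.writestr("Budget_FY2025/notes.docx", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("../../Users/Public/startup.bat", "calc.exe\r\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign sample: a text note and a PDF-looking document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("minutes/2024-07-meeting.txt", "Council minutes.\n")
        zf.writestr("minutes/agenda.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_zip(build_lure_archive()):
        print(line)
    print("clean archive findings:", triage_zip(build_clean_archive()))
```

Run against the constructed lure, the check reports six findings and none for the benign archive.  The point of sniffing the first bytes is that a renamed executable or shortcut (here a .docx that is really a .lnk) is exactly the kind of payload a user with hidden file extensions will double-click; a gateway that only looks at names misses it.  A real deployment would quarantine rather than merely report, and would also scan nested archives recursively.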

Developing highly contextual messages that deceive recipients into clicking infected links typically begins with research on the organization to identify the personnel likely to have access to critical systems.  Attackers then leverage unsecured external data, personally identifiable information and other data points about their chosen targets, available from data brokers, people search sites, public records, social media profiles and other sources.

Columbus Mayor Ginther, in assuring constituents that the city had been investing significantly in technology, touched on the prime vulnerability facing municipalities when it comes to cyber threats.  Unlike larger state and federal agencies or corporations, municipalities operate within far less robust budgets, which makes city governments soft targets in the eyes of threat actors.  Cities generally cannot afford large IT departments or dedicated personnel whose sole responsibility is information security.

As the Sophos report cited in the introduction suggests, the flood of attacks against local governments continues unabated.

Some Recent Examples

June 13, 2024 – Traverse City, Michigan and Newburgh, NY both announced cyber attacks preventing citizens from obtaining building permits, paying property taxes and turning on water services, among other services.

June 30, 2024 – Monroe County, Indiana experienced a breach which froze county financial accounts and interrupted payments to vendors providing critical services to county residents.

July 9, 2024, Clay County, Indiana suffered an attack that shut down the corrections agencies and court systems in that county.

Cleveland, Ohio; Wichita, Kansas; and Pensacola, Florida were all hit by ransomware attacks in a single week (the week of June 10, 2024), bringing their governmental activities to a standstill, according to Recorded Future News.

LONGER TERM CONSEQUENCES OF THE ATTACK

This paper, written only weeks after the initial breach and malware attack on Columbus, Ohio, cannot characterize longer term consequences in any concrete way, as simply not enough time has transpired.  However, many outcomes can be predicted, as this type of risk and criminal action has played out thousands of times before.

For example, the fate of the stolen data and how it may be purchased and used by other criminal elements is something worth considering.  By August 8, 2024, Rhysida ransomware group had yet to find a buyer for the stolen data they vowed to auction on the dark web. 

NBC News reports that the starting bid of roughly $1.7 million was not met, so the Rhysida hackers began uploading a public leak of the 6.5 TB of stolen data to their dark web site.  Yet the FBI and other experts watching this unfold in real time noted that the download link had subsequently been deactivated and that the hackers appeared to be attempting a second auction of the full file set.

If the stolen data cache isn’t purchased by a single buyer at the illicit auction, then it will likely endure the same fate as so many other stolen data sets.  That is, it is likely to be sold piecemeal to any number of buyers who have use for this information.  This can include fully criminal elements like other hackers and threat actors with specific malicious objectives.  It can also include nominally more legitimate operators such as Data Brokers and People Search Sites whose stock in trade is personally identifiable information (PII) which is used by marketers, political campaigns, and other groups as part of their promotions and outreach activities.  Of course, it is not legal for these supposedly legitimate businesses to repackage stolen data and sell it as legitimately sourced product.  However, there is very little regulation and even less enforcement of the Data Broker industry. 

So, as is all too often the case, the stolen data becomes part of the circular continuum of unsecured external data that fuels phishing, spear phishing and other social engineering attacks.  All of which leads to the inevitable question: what can be done, both preventively and remedially, to protect municipal and county governments from being repeatedly targeted by threat actors?

EXTERNAL DATA PRIVACY MANAGEMENT

External data privacy risk is something that can be effectively mitigated by organizations without deep pockets or extravagant budgets for cyber and information security.  It can also be accomplished without dedicated IT resources to configure, deploy and manage it over time.

Many data breaches today, afflicting the largest and the smallest of organizations alike, are driven by social engineering.  These strategies rely on selecting the best targets within an organization and scamming them into revealing their passwords or credentials, or simply fooling them into opening a link or file that carries malicious code, which then spreads through the very systems it was supposed to be kept out of.  That appears to be what happened when a Columbus city employee opened what they took for an innocuous .zip file, enabling the breach and ransomware attack.

By focusing on reducing the volume and availability of unsecured external data associated with the workforce of a municipality, the overall threat of it being attained and used by threat actors drops dramatically.

Most organizations, including cities and counties, already employ strategies for securing their networks and cloud services.  Common best practices include hardening endpoint security, data encryption, password policies, vendor risk management (VRM), identity and access management (IAM), firewalls, spam filters, antivirus scanning and employee security awareness training.  Securing the external data of the government workforce adds a further layer on top of these existing controls, each of which can be short-circuited by a well-crafted phishing or other social engineering scheme.

Interrupt the Exploitation of External Data

The Privacy Bee Business Platform is designed to cast a protective shield over an entire organization: all employees, their families, contractors, freelancers and even employees of vendors with whom your systems integrate.

Containment

Drawing on a growing database of 600+ data brokers, people search sites and other data aggregation sources, the Privacy Bee Business service works to scrub employee data from all major data brokerages and people search sites, and then takes the additional step of cleaning up previously exposed information from major search engines.

Employee Risk Management dashboards allow an organization to set minimum thresholds for exposure – the Employee Risk Score – and then provide visualizers to monitor each employee’s risk profile.  Keeping the entire staff within acceptable tolerances helps safeguard your city or county government against targeted attacks. 

External Data Privacy Audit discovers and analyzes data exposures for your employees and also for vendors serving the city or county.  Another centralized dashboard helps keep close tabs on external data exposure and the impacts this has on productivity.  The application performs financial risk assessments to deliver estimated costs of external exposures.  The dashboard provides metrics such as “Company Risk Scores”, “At-Risk Vendors”, “At Risk Employees”, “Top Exposure Sources” and others.  These External Data Privacy metrics support active, quantifiable governance over risk tolerances and deliver a concrete method for measuring progress as you reduce the organization’s external data risk.

Vendor Risk Management delivers control over vendor access to external company data and allows an organization to enforce its information security policies by extending them over the vendor organization as well.  Dashboards for Vendor Risk Management display Vendor Risk Scoring, and allow you to set a minimum vendor score.  If any vendor cannot meet the minimum security threshold, they can be removed or suspended until they mitigate the identified risk to attain compliance with your policy.   

Privacy Bee Business sets up 24/7/365 privacy monitoring and delivers a configurable interface for organizations to make and enforce compliance with privacy choices.

For Those Municipalities or Counties Already Breached

Like their private sector counterparts, governmental agencies victimized by data breaches are quick to offer no-cost remedial services to their exposed customers and employees.  The City of Columbus, predictably, is offering identity monitoring services to the police officers and other employees whose data was stolen by Rhysida in this breach.

Other county governments proudly state that they carry cyber insurance policies to make whole any losses that may be incurred by a breach of their systems. 

Both these remedies are toothless and do nothing to prevent breaches in the first place.  Nor do they lower the probability of the stolen data being used to perpetrate the next breach as it is sold and reused by other threat actors.  Privacy Bee for Business solutions are proven to interrupt the journey of stolen PII from illegitimate channels into legal ones.

Read more about the comforting fiction of identity monitoring remedies and how Privacy Bee for Business is a great post-breach remedy in the white paper titled, “Privacy Bee as a Superior Post Breach Remedy”.

Ultimately, lowering the profile of any organization in the eyes of threat actors requires a concerted and ongoing campaign aimed at reducing the un-managed exposures of the organizations’ workforce everywhere on the internet.  Privacy Bee for Business offers the only completely comprehensive solution platform to identify, eliminate and maintain acceptable external data privacy risks on an ongoing basis.  What follows are the first or primary steps in the overall process.  New customers of Privacy Bee for Business undergo the following steps which are applied to all employees with any information systems access in any quarter of the enterprise.  The same processes are equally deployed for all employees of third-party vendors or contractors with any systems access or integrations.
