  • NBC4 Columbus

    ‘Robbers were in our house’: Columbus ransomware attack may have exposed personal data

    By Mark Feuerborn,

    2 days ago


    COLUMBUS, Ohio (WCMH) — Foreign hackers tried to lock part of the City of Columbus’s tech infrastructure with ransomware, Mayor Andrew Ginther confirmed nearly two weeks after the cyberattack first came to light.

    The mayor’s office revealed Monday that the FBI and U.S. Department of Homeland Security both stepped in at the city’s request after its systems were initially compromised by ransomware. Ginther shared that hackers accessed the city’s internal network through “an internet website download” of a .zip file, rather than an infected email. He didn’t specify whether a city employee initiated the download and subsequent breach, or which department it originated in.

    “The City of Columbus was the victim of a crime committed by an established, sophisticated threat actor operating overseas,” Ginther said. “We continue to focus on restoring city services … We will support a thorough investigation and help to educate other cities on how they can avoid falling victim to similar attacks.”


    The Columbus Department of Technology completely cut off government systems from the internet after they detected the ransomware attack on July 18. While Ginther told NBC4 the city’s IT staff cut off the ransomware’s access before it encrypted anything, they are still investigating just how much of the city’s data was accessed by hackers. Some individuals’ personal data may have been exposed in the attack, but the mayor did not specify whose. He noted the city would provide guidance to anyone affected in the coming weeks.

    “Even though the encryption attempt was prevented, it’s possible that city data was accessed by the threat actor,” Ginther said. “For non-IT people, folks at home, the best way to describe this would be robbers were in our house. They tried to lock us out from our own house, but we stopped them. They took some valuables, data, and we’re in the process of determining the extent, and their value, data, before we notify their owners.”

    In the days after the ransomware first struck, city employees also lost the ability to send and receive emails to anyone outside their internal network. The city also initially confirmed that some resident-facing websites and services were knocked offline, but didn’t specify which ones. Ginther did add that Columbus’ computer police dispatch system was only partially online as of Monday, but public safety systems were the top priority for IT staff to bring back online.

    In this file photo, a laptop displays a message after being infected by a ransomware as part of a worldwide cyberattack on June 27, 2017 in Geldrop. – (Photo by Rob Engelaar / ANP / AFP) / Netherlands OUT (Photo by ROB ENGELAAR/ANP/AFP via Getty Images)

    A ransomware attack typically encrypts a computer’s hard drive, or vital servers in a business environment, and the infection can spread to other computers from the original host. The data on the infected drives becomes locked and inaccessible to the user. Unless they pay a ransom to the hacker, they can either lose their data permanently, or have it leaked publicly. In a successful attack, hackers restore a victim’s data in exchange for large payments in cryptocurrencies like Bitcoin. Ransomware has made for a profitable business venture for hackers, sometimes even earning the sponsorship of governments like North Korea.


    But in his interview with NBC4, Ginther said investigators only knew so much about the suspects that were involved.

    “This is an established and sophisticated threat actor operating overseas,” Ginther said. “We don’t know precisely where they’re from, but we have every reason to believe based on our engagement thus far with the FBI and Homeland Security that we are not their first victim … Their goal is to make money, and as much money as possible, by committing these crimes.”

    Because many of these hackers are attacking from overseas with their country’s endorsement, an arrest or prosecution is unlikely. But federal agencies sometimes seize the ransoms on their way back to the perpetrator. In 2022, the FBI intercepted payments to the tune of $500,000 from a slew of attacks by one group of North Korean operatives.

    Separate, unrelated ransomware on July 22 shut down the computer system of the Superior Court of Los Angeles County, the largest trial court in the country. And Columbus wasn’t the only high-profile victim from Ohio in 2024, as a similar attack in March shut down insurance claims processing for pharmacies, nursing homes and hospitals affiliated with Change Healthcare.

    Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
