    Ransomware group claims Columbus attack, selling 6 terabytes of passwords and more

By Daniel Griffin and Mark Feuerborn

    4 days ago


COLUMBUS, Ohio (WCMH) — As a dozen Columbus police officers said Thursday that their bank accounts were hacked, a group claiming responsibility for a city ransomware attack is holding an auction for a massive amount of data it reportedly stole.

    The hacking gang known as Rhysida has advertised making off with 6.5 terabytes — or 6,500 gigabytes — worth of sensitive data from City of Columbus servers. Multiple cybersecurity watchdogs including Dark Web Intelligence and Ransom Look reported Rhysida’s offering on an onion site, commonly used on the dark web and only accessible with the specialized internet browser Tor.

    Details on the treasure trove of compromised data come after Columbus Mayor Andrew Ginther confirmed the shutdown of multiple online city services was due to a July 18 ransomware attack. While he credited the city’s IT department with cutting off access before the hackers encrypted any of the city’s data, the mayor said they were investigating just how much of it was accessed. He did not name Rhysida or any suspected hacking group on Monday, but said the attack was from “an established and sophisticated threat actor operating overseas.”

    “For non-IT people, folks at home, the best way to describe this would be robbers were in our house,” Ginther said. “They tried to lock us out from our own house, but we stopped them. They took some valuables, data, and we’re in the process of determining the extent, and their value, data, before we notify their owners.”


    A screenshot of the onion site posted Wednesday by Dark Web Intelligence and multiple other sources showed Rhysida was holding an auction for the data, which would run for six more days. Rhysida claimed the buyer would get:

    • Internal logins and passwords for city employees
    • City databases
    • A full dump of servers with emergency services applications for the city
    • Access to city video cameras
    • Full instructions and support, as well as certificates for the databases

    “We sell only to one hand, no reselling,” Rhysida reportedly wrote on the listing. “You will be the only owner!”

    Rhysida was seeking 30 bitcoin as the base price for Columbus’ data, which translated to $1.9 million as of Thursday. In past hacks when Rhysida did not receive a bidder, they instead released the data publicly. Polygon reported on a previous example in December, where the hackers leaked 1.67 terabytes of Insomniac Games’ employee and project data.

    Even before the auction, some city employees were already falling victim to compromised data. Brian Steel, president for the local branch of the Fraternal Order of Police, confirmed to NBC4 that at least 12 Columbus police officers had their bank accounts hacked. However, there’s no evidence to connect this as a direct symptom of Rhysida’s attack.

    Still, officers have seen real damage, including someone opening lines of credit in their names or money being taken out of their accounts, according to Steel.

“The city set up basically a hotline and email,” Steel said. “They’re asking us to tell our members to go ahead and email any of these issues to them.”


When asked about Rhysida’s involvement in the ransomware attack, the stolen 6.5 terabytes of data and the auction, Ginther’s spokeswoman said his office was “not at liberty to discuss the ongoing situation or investigation.” However, they went a step further Thursday evening by announcing that the city would provide Experian credit monitoring for all city, Franklin County Municipal Court clerk, and judge employees out of precaution. The mayor previously said it was clear the perpetrators wanted to make “as much money as possible,” and the city was hardening its cybersecurity to avoid falling victim to another attack.

    Daniel Maldet, the owner of Northwest Columbus tech firm CMIT Solutions, told NBC4 that there could be some truth to Rhysida’s claim of hostage data even if the city stopped the attempted encryption. He said they were using a common tactic among ransomware groups called “double extortion.”

    “They would have exfiltrated sensitive data before initiating the encryption process,” Maldet said. “Although Mayor Ginther has stated that they were able to halt the encryption, Rhysida may have already exfiltrated a significant amount of data by that time … Rhysida is known to exaggerate the volume of data they claim to have stolen, so their claim of 6.5 terabytes might be inflated or include data from other sources or systems.”

    Another cybersecurity expert, Denise Bergstrom, told NBC4 that Columbus should have intrusion detection software that would keep a log of data that moved. But going through all of that would still be a “laborious process.”
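Bergstrom’s point about logs of data movement can be illustrated with a small added example (not from the article, the city, or any named vendor): given constructed NetFlow-style egress records, it totals bytes each internal host sent to addresses outside the assumed RFC 1918 internal ranges and flags hosts whose outbound volume is far above an assumed daily baseline, which is how an investigator would begin scoping what was exfiltrated.

```python
import ipaddress
from collections import defaultdict

# Constructed, NetFlow-style egress records for illustration only:
# timestamp, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
2024-07-18T02:11:05Z 10.20.4.15 203.0.113.44 443 734003200
2024-07-18T02:14:51Z 10.20.4.15 203.0.113.44 443 912261120
2024-07-18T02:20:09Z 10.20.4.15 198.51.100.7 22 655360000
2024-07-18T02:30:00Z 10.20.4.15 10.20.1.5 445 5000000000
2024-07-18T09:00:12Z 10.20.7.30 203.0.113.9 443 1048576
2024-07-18T09:05:40Z 10.20.7.30 203.0.113.9 443 2097152
"""

# Assumed internal address space (RFC 1918); anything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed per-host normal daily outbound volume in bytes (from history).
BASELINE = {"10.20.4.15": 50_000_000, "10.20.7.30": 5_000_000}

def parse_flows(text):
    """Yield (timestamp, src, dst, port, nbytes) tuples from the sample format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            yield ts, src, dst, int(port), int(nbytes)

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def outbound_bytes(flows):
    """Total bytes per source host sent to non-internal destinations."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_internal(dst):
            continue  # lateral traffic, not egress
        totals[src] += nbytes
    return dict(totals)

def flag_exfil(totals, baseline, factor=10):
    """Hosts whose egress exceeds factor x baseline, mapped to the ratio."""
    flagged = {}
    for host, sent in totals.items():
        base = baseline.get(host, 0)
        if base and sent > factor * base:
            flagged[host] = round(sent / base, 1)
    return flagged

if __name__ == "__main__":
    totals = outbound_bytes(parse_flows(SAMPLE_FLOWS))
    for host, ratio in flag_exfil(totals, BASELINE).items():
        print(f"{host}: {totals[host] / 1e9:.2f} GB sent, {ratio}x baseline")
```

The 5 GB transfer to the internal file server is deliberately excluded so that staging data on a neighbouring host does not masquerade as egress; only the 2.3 GB sent outside the network is counted against the baseline.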

In this file photo, a laptop displays a message after being infected by ransomware as part of a worldwide cyberattack on June 27, 2017 in Geldrop. (Photo by Rob Engelaar / ANP / AFP via Getty Images)

A ransomware attack typically encrypts a computer’s hard drive, or vital servers in a business environment, and the infection can spread to other computers from the original host. The data on the infected drives becomes locked and inaccessible to the user. Unless they pay a ransom to the hacker, they can either lose their data permanently, or have it leaked publicly. In a successful attack, hackers restore a victim’s data in exchange for large payments in cryptocurrencies like Bitcoin. Ransomware has made for a profitable business venture for hackers, sometimes even earning the sponsorship of governments like North Korea.

    Rhysida first emerged in May 2023, according to cybersecurity company SentinelOne. On its onion site, the group created a victim support chat portal where it negotiates with victims trying to retrieve encrypted data. SentinelOne noted the hackers typically deploy their ransomware through phishing campaigns, which is consistent with the “internet website download” of a .zip file that Ginther described as how the city initially fell victim. He didn’t specify whether a city employee initiated the download and subsequent breach, or which department it originated in.

    In its statement on Thursday, the city said the incident is being investigated by cybersecurity experts, the FBI, and Homeland Security, and the investigation is still in the early stages.

    Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
