    Columbus likely in for a long, hard, expensive road in recovering from ransomware attack

    By Bill Bush, Columbus Dispatch,

    21 hours ago

    The City of Columbus might be in for a long, expensive recovery from a recent ransomware attack, according to a cybersecurity expert.

    While Mayor Andrew J. Ginther's administration has been under a near news blackout concerning the attack, the expert says what has been revealed suggests a recovery period measured in months and in which paying any demanded ransom might be the least of the city's expenses.

    "Unfortunately, once the attack has taken place, once the ransomware has been installed, there's really nothing you can do," said Tom Holt, a professor in the school of criminal justice at Michigan State University specializing in cybercrime and cybersecurity. "You're left to negotiate with the group itself. Or you can try to go to backup, but if you're talking a city the size of Columbus, it's hard to know when every system was last backed up, how much data could be lost, things like that."

    The fact that the city has notified the public that electronic payment systems such as those for getting cars out of impound or paying traffic tickets are compromised suggests the attack was pervasive, and "sounds pretty severe."

    "So yeah, I would guess that there's going to be a complete overhaul" of computer systems, which can cost millions of dollars, based on previous attacks that have hit other organizations, Holt said, probably a scenario measured in months, "if I had to guess."

    Protect yourself: In wake of Columbus ransomware attack, cyber expert offers tips

    Ginther declines interview, questions speculation

    Ginther declined to be interviewed Friday for this story, but released a written statement trying to tamp down assessments and reports about the ransomware group Rhysida's demands being posted on the dark web, accessible only with special software making users anonymous and untraceable.


    "With much respect, I share with you that speculation by individuals external to the investigation may not benefit the objective of educating the public on this incident," Ginther wrote. "Claims being made by sources external to the investigation about the actions of the threat actor do not match the assessments of cybersecurity experts and law enforcement actively working on the case.

    "We appreciate your understanding that what we can say remains limited and this situation continues to evolve. Thank you for continuing to use your discretion at this time. As soon as the city is able to provide further information or interviews, we will."

    The city also has not responded to a public records request by The Dispatch.

    The Dispatch reported Thursday that personal data apparently stolen from city servers was made public on the dark web after no ransom was paid, in what is called a "double ransom" technique designed to put pressure on the city to pay.

    "I can confirm that some of it has" been made public, said Daniel Maldet, with the Columbus office of CMIT Solutions, an IT consultant not directly working on the case. "They are showing that 3.1 TB (terabytes) of data is released – 258,270 files, which is 45% of the stolen data. They show, 'not sold data was uploaded, data hunter, enjoy'. This might suggest that 55% of the data was sold — that's just a guess."

    City could be negotiating

    The fact that some data was not made public suggests that "perhaps they're still negotiating," Holt said. "...The fact that they didn't release all the data tells us that they're not releasing everything yet, so I wouldn't say it's over. It may be reaching an end game."

    He said there is likely a negotiation going on behind the scenes in which the city asks for assurance that, if it does pay a ransom, it will receive its data back in working order.

    "In other words, how do we know that if we pay you our files will be decrypted and the data that you have will not be posted?" he said.

    Rather than pay to unlock systems, many organizations purchase brand-new systems in an expensive process of starting over, Holt said. And they attempt to reimburse themselves by filing a claim against their cyberattack insurance policy - if the city has one, which no one has yet said.

    It's "a huge cost to repair the systems," Holt said. "...It's a very messy space, because there's a lot of potential points of problem."

    In January 2023, the Columbus City Council approved a $2.5 million contract for "Cybersecurity Products and Services" with RSM, after five firms responded to requests for proposals.

    RSM was to provide "cybersecurity capabilities necessary to identify, prioritize and mitigate a wide range of risks related to the city's use of IT. The contract will be used to assess current practices against best practice, to identify and prioritize gaps that introduce cyber-risks, and to develop and execute strategies, road maps and corrective action plans for managing risks," as well as to capture project data and manage ongoing activities necessary to reduce risk and comply with current mandates, including those from the IRS.

    City Auditor Megan Kilgore did not answer questions Friday concerning whether any city income taxpayer data was compromised, instead directing all questions to Ginther despite Kilgore being a separately elected official. Other city officials also did not respond to requests about how the hack was affecting operations weeks after it was revealed.

    Last November, the U.S. Cybersecurity and Infrastructure Security Agency, the nation's coordinator for critical infrastructure defense, issued a cybersecurity advisory warning about the emerging threat from Rhysida, and giving "actions to take today" to mitigate the risk.

    What is Rhysida?

    "Rhysida — an emerging ransomware variant—has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023," the advisory said. "...Open source reporting has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Any ransoms paid are then split between the group and the affiliates."

    In other words, Rhysida acts like any other computer software firm, marketing its products to global criminal enterprises, and offering patches to get around IT defenses. Then, after an attack, they reach out to help you recover your systems and data - for a fee.

    "They bill themselves as being a service provider, when in reality all they've done is attack you and now they want money," Holt said. "It's a very common thing. We've seen it in the past."

    Ginther said previously that the "incident" occurred on July 18, but didn't clarify if that's when the attack took place, or if that's when city IT officials first noticed it.

    Under Ohio law, members of the public must be notified of any security breach of stored personal information that may reasonably cause a material risk of identity theft or other fraud. That information is defined as an individual's name connected to a Social Security number, driver's license number or state identification card number, or an account number, credit or debit card number linked to a security code or password.

    "Consumers must be notified in the quickest way possible, but not later than 45 days after the breach is discovered," Ohio Secretary of State Dave Yost said on his website.

    That deadline, if applicable, appears to be no later than Sept. 1.

    wbush@gannett.com

    @ReporterBush

    This article originally appeared on The Columbus Dispatch: Columbus likely in for a long, hard, expensive road in recovering from ransomware attack
