The Rhysida ransomware gang has claimed responsibility for an attack last month against the City of Columbus, Ohio, and is attempting to auction off 6.5 TB of data it says it stole from the city government.
Columbus authorities said the city’s data was rescued from encryption due to swift action by its Department of Technology, which quickly disconnected all systems upon discovering the attack on July 18.
“The City of Columbus was the victim of a crime committed by an established, sophisticated threat actor operating overseas. I’m grateful for the swift and bold action of our Department of Technology, the FBI and Homeland Security to protect our IT systems, our residents and employees,” Columbus Mayor Andrew J. Ginther said in a statement Monday.
The city has not named the threat actor responsible, but Rhysida updated its dark web site on Wednesday, attempting to auction off the 6.5 TB, which it said includes “databases, internal logins and passwords of employees, a full dump of servers with emergency services applications of the city” and “access from city video cameras,” according to The Columbus Dispatch.
The gang is asking for at least 30 Bitcoin (about $1.9 million) for the data and said the auction will run for seven days. Rhysida previously claimed to have sold the data of the Chicago-based Lurie Children’s Hospital for more than $3.4 million in March, after attempting to extort the hospital.
City of Columbus breached through website download, employees offered credit monitoring
Columbus authorities said in a statement Thursday that it is still working to identify all the individuals whose personal data may have been compromised in the cyberattack. However, it is already offering free credit monitoring services to all city of Columbus employees, Franklin County Municipal Court judges and Frankling County Municipal Court Clerk employees, through Experian.
The city said the ongoing forensic investigation revealed that a download from a website, not from an email, led to the breach. Authorities urged city employees to use different passwords for different accounts and report suspicious IT activity to [email protected].
“We continue to focus on restoring city services. We appreciate the grace our residents have offered us and the dedication of our employees working to keep our city running. We will support a thorough investigation and help to educate other cities on how they can avoid falling victim to similar attacks,” said Ginther.
City authorities also said the city Department of Technology was working with cybersecurity experts and federal authorities to methodically strengthen the city’s IT systems against future cyberattacks.
Are ransomware attacks against local governments increasing?
The attack on Columbus is the latest in a spate of ransomware attacks against state and local governments, including attacks on City of Forest Park in Georgia by the Monti ransomware group, the City of Newcastle in Washington by RansomHub and Los Angeles County by an attacker not yet publicly identified, which led to the closure of 36 local superior court offices.
A report from the Center for Internet Security published in January found that malware attacks on state and local governments in the United States increased 148% and ransomware attacks against governments rose 51% between 2022 and 2023.
However, it’s uncertain whether this trend will continue throughout 2024, as data reported by The Record shows a dip in ransomware attacks against state and local governments in January and April, although February and March had a higher number of attacks year-over-year.
Additionally, Sophos’ State of Ransomware 2024 report, based on a survey of 5,000 IT and cybersecurity leaders across 14 countries, saw a dramatic decrease in the proportion of local government leaders reporting a ransomware attack within the last year, from 69% surveyed in 2023 to just 34% surveyed in early 2024.
Local governments are seeing an increase in phishing attempts in 2024, as reported by Abnormal Security, which detected a 360% spike in attempts against government offices between May 2023 and 2024.
And even if ransomware attacks against local governments are becoming frequent, ransomware demands are growing higher, with the average demand for local governments being more than $4.6 million as of early 2024, according to Sophos. Local governments also faced the highest rate of data encryption compared with other industries, at 98%.