🎙️ Voice is AI-generated. Inconsistencies may occur.
The personal data of approximately 500,000 residents of Columbus, Ohio, was exposed following a ransomware attack on the city's network systems by Rhysida, a relatively new but increasingly notorious cybercriminal organization.
Personal information including bank account details and Social Security numbers were taken by the cybercriminal group, who have previously targeted the Department of Health and the Chilean Army.
The full extent of the incident was revealed when a data breach notification was filed by the City on October 7 with the Office of the Attorney General for the state of Maine, indicating it had affected 500,000 individuals, including 24 Maine residents.
A letter, sent to half a million affected individuals, stated that "the information involved in the Incident may have included your personal information, such as your first and last name, date of birth, address, bank account information, driver's license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City."
Columbus Mayor Andrew Ginther confirmed the data breach in August but stated that most of the data was corrupted or encrypted, according to the Associated Press.
Previously, security researcher David Leroy Ross, also known as Connor Goodwolf, disputed Ginther's claims that the data was corrupted or encrypted.
Ross said he accessed the data leaked by Rhysida on the dark web and shared samples with media outlets, alleging that the stolen information was unencrypted and included personal details of city employees, residents, and even vulnerable individuals like domestic violence victims.
The City of Columbus, in turn, filed a lawsuit against Ross, alleging that he threatened to share the city's stolen data with unauthorized third parties. Newsweek reached out to Mayor Andrew Ginther via email for comment.
Based on the claim that downloading this information from the dark web constituted interfering with an ongoing investigation, a Franklin County judge issued a temporary restraining order preventing Ross from disseminating the information.
This filing, however, revealed that among the potential information posted to the dark web by Rhysida were "backup prosecutor and crime databases" including information on misdemeanor crimes, crime victims of all ages, including minors, dating back to at least 2015 as well as information on victims of domestic violence.
How the Cyber Attack Was Discovered
On July 18, 2024, the City of Columbus discovered a cybersecurity incident involving a foreign threat actor attempting to disrupt its IT infrastructure, possibly to deploy ransomware and solicit a ransom payment.
"Once the threat actor activity was identified, the city immediately engaged the FBI and Homeland Security to further protect its systems and data," the City of Columbus said in a statement on July 29.
The city administration said it was in the process of identifying individuals whose personal information was potentially exposed and would "provide notice and additional guidance to all who are impacted in the coming weeks."
Clients of the City of Columbus received a letter on September 12 telling them that the threat actor's activity was disrupted but that "the incident allowed the threat actor to view and access certain sensitive personal information" including City employee account number and position, City employment and payroll records, and social security numbers.
What Is Rhysida?
The Rhysida ransomware group, responsible for the Columbus attack, is a relatively new player in the cybercriminal landscape but has rapidly gained notoriety for its aggressive tactics and high-profile targets.
First observed in May 2023, Rhysida operates as a ransomware-as-a-service (RaaS), employing double extortion techniques to pressure victims into paying ransoms, typically demanded in bitcoin. The group not only encrypts victims' data but also threatens to publish it on the dark web if their demands are not met.
Rhysida is known to use various methods to infiltrate systems, including spear-phishing emails with malicious attachments, exploiting unpatched vulnerabilities, and attacking remote desktop protocols (RDP) and virtual private networks (VPNs).
Beyond the City of Columbus, Rhysida has targeted multiple sectors, including healthcare, education, and government agencies. In May 2024, they breached the Chilean Army's systems, leaking sensitive military documents. In August 2023, the Department of Health and Human Services issued an alert after Rhysida attacked several healthcare providers and hospitals.
The group's activities have drawn comparisons to the Vice Society ransomware group, with some security experts suggesting that Rhysida may be a rebrand or offshoot. Both groups share similar tactics and have been known to target educational and healthcare institutions.
"The timelines of Vice Society and Rhysida overlap, just like their tactics. There hasn't been much news about Vice Society since August 2023, when researchers realized the connection between the groups," said cybersecurity firm Barracuda in a blog post on the ransomware group.
"The problem with names like Vice Society and Rhysida is that they're just temporary brands for clusters of individual threat actors who can easily move from one to another. The threat clusters behind the brands are always active, even when the brand shuts down or simply fades out," it added.
About the writer
Marie Boran is a Newsweek reporter based in Carlow, Ireland. Her focus is reporting on technology. She has covered the ... Read more