Rhysida Threat Group Auctions Data Stolen in City of Columbus Ransomware Attack
The City of Columbus in Franklin County, Ohio, recently fell victim to a ransomware attack that involved the theft of information stored on its network. The attack was detected on July 18, 2024, and the foreign threat actor attempted to deploy ransomware to encrypt files and solicit a ransom payment. The fast action of the Department of Technology limited exposure, which included severing the internet connection to prevent further unauthorized access, and the actions of the Department of Technology were successful in disrupting the threat actor’s activity.
The threat actor was identified and information about the attack was shared with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security. The city is working with those agencies and cybersecurity experts and is implementing additional safeguards to harden security to prevent similar attacks in the future. The investigation into the incident is ongoing, the city is in the process of issuing notifications to the affected individuals. Initially, it was thought that access was gained after an employee clicked a link in an email; however, it has now been confirmed that access was gained as a result of an internet website download.
“The City of Columbus was the victim of a crime committed by an established, sophisticated threat actor operating overseas. I’m grateful for the swift and bold action of our Department of Technology, the FBI and Homeland Security to protect our IT systems, our residents and our employees,” said Mayor Andrew J. Ginther. “We continue to focus on restoring city services. We appreciate the grace our residents have offered us and the dedication of our employees working to keep our city running. We will support a thorough investigation and help to educate other cities on how they can avoid falling victim to similar attacks.”
The Rhysida ransomware group claimed responsibility for the attack and claimed to have stolen 6.5 GB of data. While many ransomware groups leak stolen data on their data leak sites when ransoms are not paid, Rhysida is known to auction off the stolen data. Rhysida was behind the ransomware attack on Lurie Children’s Hospital in Chicago in January 2024 and claimed to have sold the stolen data for $3.4 million.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Rhysida added a listing to its data leak site stating that the stolen City of Columbus data includes databases, employees’ usernames and passwords, and data from all servers associated with emergency service applications. Rhysida said it is holding a 7-day auction and expects to sell the City of Columbus data for at least 30 Bitcoin ($1.9 million). However, when the group failed to sell the data, around 45% of the stolen data was added to its data leak site. Following on from that data leak, a cybersecurity researcher, David Leroy Ross (aka Connor Goodwolf), downloaded the data. The city has accused the researcher of disseminating the data and has asked for a temporary restraining order to prevent the researcher from sharing the data he downloaded.
Correction: This article mistakenly referenced a ransomware attack on Franklin County, Kansas. Franklin County in Kansas also suffered a recent ransomware attack, however, the two incidents are unrelated. Franklin County in Kansas is monitoring the dark web for data leaks and has not identified any public release of data stolen in its attack.
