Ransomware attacks have long been a scourge for American municipalities. This appears to be a resurgence of the ransomware attacks that hit Columbus, Ohio, in July. But the city’s response to the attacks was anything but, leading cybersecurity and law enforcement experts across the country to question the motives behind the attacks.
Connor Goodwolf (legal name David Leroy Ross) is an IT consultant who explores the dark web as part of his job. “I track dark web-type crimes and criminal organizations and things like what the CEO of Telegram got arrested for,” Goodwolf said.
When news broke that his hometown of Columbus had been hacked, Goodwolf did what he always does: He searched the Internet. It didn’t take long for him to discover what the hackers had.
“This wasn’t the biggest hack, but it was one of the most impactful I’ve seen,” Goodwolf said.
In some ways, he described it as a routine breach, with potentially identifiable personal information, protected health information, Social Security numbers and driver’s license photos exposed. However, because multiple databases were compromised, it was more extensive than other attacks. According to Goodwolf, the hackers breached multiple databases from the city, police and district attorney’s office. There were arrest records and sensitive information about minors and domestic violence victims. He says some of the compromised databases date back to 1999.
Goodwolf found over three terabytes of data that took over 8 hours to download.
“The first thing I see is the prosecutor’s database, and I’m amazed, these are victims of domestic violence. When it comes to victims of domestic violence, we need to protect them more than anything else because they’ve already been abused once, and now they’ve been abused again by having their information exposed,” he said.
Goodwolf’s first action was to contact the city to report the seriousness of the breach, since what he saw contradicted official statements. “The personal data that the threat actor posted on the dark web is either encrypted or corrupted, so the majority of the data that the threat actor obtained is unusable,” Columbus Mayor Andrew Ginther said at a press conference on August 13.
But what Goodwolf found did not support that view. “I tried to reach out to the city several times with multiple departments, but my attempts were rebuffed,” he said.
Google-owned Mandiant, along with several other cybersecurity firms, has been tracking the continued rise in ransomware attacks, both in prevalence and severity, and the rise of the Rhysida group behind the Columbus hack, which came to prominence over the past year.
The Rhysida group has claimed responsibility for the hack. While little is known about the cyber gang, Goodwolf and other security experts say they appear to be state-sponsored, based in Eastern Europe, and possibly linked to Russia. These ransomware gangs are “professional operations,” with employees, paid vacations, and public relations staff, Goodwolf says.
“They have intensified their attacks and targets since last fall,” he said.
The US government's Cybersecurity and Infrastructure Security Agency issued a bulletin about Rhysida last November.
Goodwolf said that since no one from the city responded to him, he went to local media and shared the data with reporters to spread the word about the seriousness of the breach. At that point, he heard from the city of Columbus, in the form of a lawsuit and a temporary restraining order preventing him from releasing additional information.
The city defended its response in a statement to CNBC:
“The city initially moved for this order, which the court granted, to prevent the release of sensitive and confidential information, including the identities of undercover police officers, which would threaten public safety and criminal investigations.”
The city's 14-day temporary restraining order against Goodwolf has expired, and now it has a preliminary injunction and an agreement with Goodwolf not to release any more data.
“It should be noted that the court order does not prohibit the defendant from discussing the data breach or even describing what type of data was exposed. It simply prohibits the individual from posting stolen data posted on the dark web. The city remains engaged with federal authorities and cybersecurity experts to respond to this cyber breach,” the city statement added.
Meanwhile, the mayor was forced to admit the error at a later press conference, saying his initial statements were based on the information he had at the time. “That was the best information we had at the time,” he said. “Obviously, we found that information to be inaccurate, and I have to take responsibility for that.”
After realizing that the exposure to residents was greater than initially anticipated, the city offered two years of free credit monitoring from Experian. This includes anyone who had contact with the city of Columbus through arrest or other employment. Columbus is also working with Legal Aid to see what additional protections are needed for domestic violence victims who may have been at risk or need assistance with civil protection orders.
The city has yet to pay the hackers, who were demanding a $2 million ransom.
“It's not Edward Snowden.”
Those who study and work in cybersecurity law expressed surprise that Columbus would file a civil lawsuit against the researcher.
“Lawsuits against data security researchers are rare,” said Raymond Kuo, a law professor at Case Western Reserve University. On the rare occasions when such lawsuits do occur, he said, it’s usually when the researcher allegedly disclosed how to exploit a bug or the possibility of exploiting it, allowing others to exploit the bug as well.
“It wasn’t Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity firm Huntress, who described himself as disturbed by the city of Columbus’s response and what it could mean for future breaches. Snowden was a government contractor who leaked classified information and faced criminal charges, but considered himself a whistleblower. Hanslovan says Goodwolf is a good Samaritan who independently found the breached data.
“In this case, we appear to have silenced someone who, as far as I know, appears to be a security researcher who did the bare minimum of work and confirmed that the official statements he made were incorrect. This cannot be an appropriate use of the courts,” Hanslovan said, predicting the case will be quickly dismissed.
“This is not about free speech or whistleblowing,” Columbus City Attorney Zach Klein said at a September news conference. “This is about downloading and disclosing stolen criminal investigative records.”
Hanslovan worries about the impact of cybersecurity consultants and researchers being afraid to do their jobs for fear of being sued. “The bigger story here is that we’re seeing a new playbook emerge” for responding to hacking that silences people, and that shouldn’t be welcomed, he said. “Silencing any opinion, even for 14 days, can be enough to prevent something credible from coming out, and that terrifies me,” Hanslovan said. “That voice needs to be heard. As larger cybersecurity incidents come to light, I worry that people will be more interested in highlighting them.”
Scott Dylan, founder of NexaTech Ventures, a UK-based venture capital firm, believes Columbus' actions could have a chilling effect on cybersecurity.
“As the field of cyber law continues to mature, this issue will likely be referred to in future discussions about the role of researchers in the wake of data breaches,” Dylan said.
He says legal frameworks must evolve to keep pace with the complexity of cyberattacks and the ethical dilemmas they generate, and that the approach taken by Columbus is a mistake.
Meanwhile, the legal process for Goodwolf will continue. Although Columbus and Goodwolf reached an agreement last week to release the information, the city is still suing him for damages in a civil suit that could be worth $25,000 or more. Goodwolf is representing himself in his talks with the city, though he says he has an attorney on hand, if needed.
Some residents have filed a class-action lawsuit against the city. Goodwolf says 55 percent of the information that was hacked has been sold on the dark web, while 45 percent is available to anyone with the skills to access it.
Dylan believes the city is taking a huge risk, even if its actions are legally justified, by creating the appearance of trying to silence dialogue rather than encourage transparency. “It’s a strategy that could backfire, both in terms of public trust and future litigation,” he said.
“I hope the city realizes the mistake of filing a civil lawsuit and the consequences that could have, not just on security,” Goodwolf said, noting that Intel is spending billions of dollars, largely backed by the federal government, to build chip manufacturing facilities in a Columbus suburb. In recent years, the city has positioned itself as a new tech hub in the “Silicon Heart” of the Midwest, and he said the attacks by white hats and cybersecurity researchers could prompt some in the tech sector to rethink the city as a location.