Columbus ransomware attack: Rhysida announces public leak before changing course


COLUMBUS, Ohio (WCMH) - Hackers announced Wednesday morning they would publicly leak over six terabytes of compromised Columbus data, claiming to have passwords and other private information from city servers. But hours later, they changed course and set a new deadline.

Two cybersecurity experts -- Ohio State assistant professor Carter Yagemann and CMIT Solutions owner Daniel Maldet -- both accessed the Rhysida ransomware group's site on the dark web and independently confirmed to NBC4 that an auction of stolen City of Columbus data ended at 5:35 a.m. The two sources both said Rhysida did not have an apparent buyer, and a screenshot of the site indicated the group was going to publicly leak all 6.5 terabytes of data they had taken from the city.

On a phone call after the leak announcement, a spokesperson for Mayor Andrew Ginther's office said the city was trying to "wrap their arms around" the situation. Without confirming Rhysida's involvement in the hack, the city said it was aware a link was posted to download leaked data, but claimed the link was broken when accessed. The city has repeatedly told NBC4 it is limited in what it can share, citing an active investigation involving the FBI and the U.S. Department of Homeland Security.

Yagemann shared more details on the city's claim, confirming the download link was broken around 10:30 a.m. Checking Rhysida's website, Yagemann and Maldet said the hacking group had restarted their auction, setting it to end around 3:30 a.m. Thursday. For this second sell-off, Rhysida had an identical requested starting bid of 30 bitcoin, which translated to around $1.7 million as of Wednesday.

The change of course is abnormal for Rhysida, which has historically leaked data whenever it did not secure a bidder. Polygon reported on a previous example in December, where the hackers publicly dumped 1.67 terabytes of Insomniac Games employees' personal information and projects.

Even before the auction, some city employees were already falling victim to compromised data. Brian Steel, president of the local branch of the Fraternal Order of Police, confirmed to NBC4 that at least 12 Columbus police officers had their bank accounts hacked. While the city did not confirm these were directly connected to Rhysida's attack, it announced Thursday it would provide free credit monitoring services to employees with the City of Columbus and Franklin County Municipal Court.

Ginther has never named Rhysida or any other hacking group as the suspect in the ransomware attack, referring to the perpetrator only as "an established and sophisticated threat actor operating overseas." The mayor previously told NBC4 that the city's IT staff first detected a hack on July 18, explaining it was the reason for a shutdown of multiple online city services. While they were able to prevent Rhysida from encrypting infected systems, he admitted there was still a possibility data was stolen.

"For non-IT people, folks at home, the best way to describe this would be robbers were in our house," Ginther said. "They tried to lock us out from our own house, but we stopped them. They took some valuables, data, and we're in the process of determining the extent, and their value, data, before we notify their owners."

Yagemann suggested next steps that city employees, or potentially residents with city utility accounts, should take.

"If the leak turns out to be legitimate, it is likely to contain sensitive information that includes passwords and banking information," Yagemann said. "Impacted residents should be on the lookout for unusual activity with their bank accounts and should change their passwords on any accounts that may share the same password."

Cybersecurity watchdogs including Dark Web Intelligence and Ransom Look previously reported Rhysida’s offering on an onion site, commonly used on the dark web and only accessible with the specialized internet browser Tor. A screenshot from when Rhysida first launched the auction showed they claimed a potential buyer would get:

  • Internal logins and passwords for city employees
  • City databases
  • A full dump of servers with emergency services applications for the city
  • Access to city video cameras
  • Full instructions and support, as well as certificates for the databases

Maldet told NBC4 that there could be some truth to Rhysida's claim of hostage data even if the city stopped the attempted encryption. He said they were using a common tactic among ransomware groups called "double extortion."

"They would have exfiltrated sensitive data before initiating the encryption process," Maldet said. "Although Mayor Ginther has stated that they were able to halt the encryption, Rhysida may have already exfiltrated a significant amount of data by that time ... Rhysida is known to exaggerate the volume of data they claim to have stolen, so their claim of 6.5 terabytes might be inflated or include data from other sources or systems."


A ransomware attack typically encrypts a computer's hard drive, or vital servers in a business environment, and the infection can spread to other computers from the original host. The data on the infected drives becomes locked and inaccessible to the user. Unless they pay a ransom to the hacker, they can either lose their data permanently, or have it leaked publicly. In a successful attack, hackers restore a victim's data in exchange for large payments in cryptocurrencies like Bitcoin. Ransomware has made for a profitable business venture for hackers, sometimes even earning the sponsorship of governments like North Korea.

Rhysida first emerged in May 2023, according to cybersecurity company SentinelOne. On its onion site, the group created a victim support chat portal where it negotiates with victims trying to retrieve encrypted data. SentinelOne noted the hackers typically deploy their ransomware through phishing campaigns, which is consistent with the "internet website download" of a .zip file that Ginther described as how the city initially fell victim. He didn’t specify whether a city employee initiated the download and subsequent breach, or which department it originated in.
