COLUMBUS, Ohio (WCMH) -- If there's one thing the city needs to do as it navigates the aftermath of a data leak, cybersecurity experts are telling NBC4 Investigates it's finding "patient zero."
NBC4 Investigates is digging into what the City of Columbus ransomware attack means for people across Central Ohio and beyond.
As the days go by since the July 18 attack, more and more people fall into the victim category as their information turns up on the dark web. That data has included names, driver's license numbers and addresses, all stemming from a leak by the Rhysida ransomware group. The photos themselves -- pictures of the IDs -- are also stored in the stolen system.
Cybersecurity expert Connor Goodwolf has been poring through the data from the dark web, and told NBC4 he's found driver’s licenses, concealed carry licenses, passport cards and city and state work badges. While Goodwolf has zeroed in on the effects, SecureCyber CEO Shawn Waldman wants to know more about the cause. He told NBC4 in the City of Columbus' case, as soon as ransomware is downloaded it can quickly corrupt any system on the network.
"Think of it like a wildfire. As soon as the wind blows and blows oxygen into that fire, it will spread so fast," Waldman said. "The majority of networks that we encounter are not properly prepared to stop the wildfire from spreading. So before you know it, somebody opens an attachment, they get ransomware, and then all of their devices are encrypted over a short period of time."
While Columbus Mayor Andrew Ginther has told reporters that the city's IT staff were able to stop Rhysida from encrypting any systems with ransomware, NBC4 Investigates asked him a different question at a Saturday news conference: "Have you found patient zero?"
Waldman told NBC4 that’s the one device inside the city that was originally attacked by Rhysida. It’s a yes or no question, but the answer can have big implications on the status of the investigation, and if the city has the tools in place to uncover everything that was taken. Patient zero is the device where this all started: the computer, phone or any electronic device connected to the internet where a city employee interacted with the ransomware. Ginther has previously said Rhysida's attack started when someone downloaded a .zip file.
"You need to find the originating device. If you don't, then you risk potentially whatever happened, the ransomware or whatever the event was, you risk it happening again," Waldman said.
The SecureCyber CEO has investigated more than a dozen breaches, and said finding patient zero comes standard as a necessity.
"One of the first conversations that we're having with an organization, when we respond to an incident like this, is 'What logs do you have?' The only way for me to find patient zero is to have proper logging," Waldman said.
Logs are a record of how devices communicate with one another on the network, as well as what data is accessed. Waldman says in some cases, he’s seen attacks where the victim does not have the right logs in place, which means patient zero may not be found.
In the aftermath of the attack, NBC4 has asked Ginther multiple times if the city has found patient zero. On Aug. 13, the mayor said: "No. I think that all comes about throughout the investigation."
On Aug. 17, NBC4 asked again.
"I don't know if we have yet," Ginther replied. "As part of the ongoing investigation, and probably not know that for some time."
On Monday, the mayor's office said: “The patient zero question is still under investigation.”
Waldman told NBC4 it concerns him that the mayor won’t or can’t say if the city has found patient zero.
"If you don't have the right logs and you don't have the right things in the right place, it is possible that you would never know who patient zero is," Waldman said. "And in that case, really the only option that you really have to protect yourself is to almost reimage or reload every device because you don't know which one started it."
If an organization can't find patient zero, it may mean that the group will never know the extent of data that was accessed or stolen.
NBC4 asked Wednesday for an interview with the mayor and director of the Columbus Department of Technology. Neither had time.
