{"id":272,"date":"2024-09-17T10:00:00","date_gmt":"2024-09-17T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=272"},"modified":"2024-09-17T10:00:00","modified_gmt":"2024-09-17T10:00:00","slug":"ransomware-whistleblower-columbus-could-have-avoided-its-mistakes","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=272","title":{"rendered":"Ransomware whistleblower: Columbus could have avoided its mistakes"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A ransomware attack on Columbus, Ohio, has drawn international attention and condemnation for how city leaders mismanaged their response to the incident.<\/p>\n<p>First, the mayor\u2019s office erroneously downplayed the nature and impact of what it initially called a system \u201cabnormality.\u201d Then, the city obtained a gag order on a local cybersecurity expert who proved the attackers were ransomware threat actors who stole vast amounts of sensitive personal data on city employees and vulnerable residents.<\/p>\n<p>The episode has left the 34th largest city in the US with a black eye and facing class-action lawsuits. Columbus has also earned the scorn of First Amendment experts who claim the city\u2019s efforts to suppress the whistleblower\u2019s information violate the US Constitution\u2019s right to free speech.<\/p>\n<p>Moreover, cybersecurity experts have decried the city\u2019s efforts to muzzle one of their own. Scores of infosec professionals have staunchly defended the <a href=\"https:\/\/www.csoonline.com\/article\/646644\/why-whistleblowers-in-cybersecurity-are-important-and-need-support.html\">whistleblower<\/a>, without whom, they say, misled citizens might still believe their personal information is safe. 
Nonetheless, the whistleblower still faces a civil lawsuit that could cost him at least $25,000, an outcome he believes would benefit no one.<\/p>\n<h2 class=\"wp-block-heading\">Timeline of events around the Columbus ransomware attack<\/h2>\n<p>The following timeline of events surrounding the attack clarifies how quickly the city\u2019s response to the incident devolved into a series of errors that left leaders with few face-saving options.<\/p>\n<p><strong>July 18<\/strong>: Cybercriminal gang Rhysida <a href=\"https:\/\/www.10tv.com\/article\/news\/local\/columbus-cyberattack-full-timeline\/530-9f4b9757-b243-4384-871c-52968355a7aa\">attacked<\/a> the City of Columbus with ransomware. Four days later, Columbus Mayor Andrew Ginther\u2019s office released a statement saying the city\u2019s technology department \u201cfound evidence of an abnormality in its system on July 18,\u201d prompting the city to take its systems offline.<\/p>\n<p><strong>July 31<\/strong>: Two officers with the Columbus Division of Police came forward saying their bank accounts had been hacked, and the city began offering free credit monitoring to its employees the next day. (The police officers <a href=\"https:\/\/www.cwcolumbus.com\/news\/local\/fop-and-firefighters-union-to-file-suit-againt-city-of-columbus-following-data-breach-press-conference-cybersecurity-data-breach-legal-action\">subsequently filed<\/a> a class-action lawsuit against the city.)<\/p>\n<p><strong>Aug. 1<\/strong>: Rhysida <a href=\"https:\/\/www.10tv.com\/article\/news\/local\/hacker-group-claims-responsibility-for-cyber-attack-on-city-of-columbus-asks-for-nearly-2-million-in-ransom\/530-25c3d123-6a2c-45c4-8ca2-3b9ba7e380cf\">demanded<\/a> a ransom of nearly $2 million in Bitcoin for the 6.5 terabytes of data it claimed to have stolen from the city of Columbus, posting sample data on its leak site to back up its claim.<\/p>\n<p><strong>Aug. 
7<\/strong>: Rhysida announced it had published about 45% of the data and threatened to release more if the city didn\u2019t pay the ransom by the following morning. Meanwhile, the mayor\u2019s office said there was no evidence that data had been published and claimed the city had never received a ransom demand.<\/p>\n<p><strong>Aug. 13<\/strong>: In a fact sheet shared with the press and during a press conference, Mayor Ginther <a href=\"https:\/\/statescoop.com\/columbus-ohio-ransomware-data-unusable\/\">claimed<\/a> the stolen data backups published by Rhysida were encrypted or corrupted and thus not readable.<\/p>\n<p>At that point, a local cybersecurity expert who goes by the name Connor Goodwolf, but whose legal name is David Leroy Ross Jr., contradicted the mayor, saying that Rhysida\u2019s dump contained easily readable information on a significant portion of Columbus residents. Those exposed included anyone who had swiped their driver\u2019s license at city hall in the past ten years, he said, as well as anyone who had dealt with the Columbus City Attorney\u2019s Prosecuting Office in any way, including victims, suspects, or those subpoenaed by the court or law enforcement.<\/p>\n<p><strong>Aug. 16<\/strong>: The city expanded free credit monitoring to all residents impacted by the cyberattack.<\/p>\n<p><strong>Aug. 17<\/strong>: Ginther confirmed that \u201cpersonally identifiable information\u201d was leaked on the dark web, including information on criminals, victims of crime, and witnesses from the city prosecutor\u2019s office. Ginther said more <a href=\"https:\/\/www.csoonline.com\/article\/571817\/what-is-pii-examples-laws-and-standards.html\">PII<\/a> may have been accessed and could be published on the dark web.<\/p>\n<p><strong>Aug. 
19<\/strong>: Goodwolf informed the press that Rhysida had stolen a second database that included thousands of incident reports from the Columbus Division of Fire and information from people who had visited any of the four city buildings since 2006.<\/p>\n<p><strong>Aug. 20<\/strong>: A second class-action lawsuit <a href=\"https:\/\/www.10tv.com\/article\/news\/local\/second-class-action-lawsuit-is-filed-against-the-city-of-columbus\/530-96de3bf6-ed79-40b2-a324-b96677a015ef\">was filed<\/a> against the city, representing city police and firefighters.<\/p>\n<p><strong>Aug. 28<\/strong>: Goodwolf told the press that information from the Columbus police crime MATRIX database was available on the dark web. This database holds witness, victim, and suspect information from every police report filed in the past ten years, as well as the names and details of undercover officers.<\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/researcher-sued-for-sharing-data-stolen-by-ransomware-with-media\/\">The city filed a civil lawsuit<\/a> against Goodwolf, accusing him of illegally downloading and disseminating data stolen from the city\u2019s IT network and leaked by the Rhysida ransomware gang. What bothered the city most was that Goodwolf shared some of the stolen data he retrieved from Rhysida\u2019s website with the media. According to the complaint, the media \u201cused the stolen data to go door-to-door and otherwise contact individuals whose names were\u201d in the stolen data. 
The city argued that only experts with advanced skills can navigate and interact with cybercriminals on the dark web, a claim Goodwolf and other cybersecurity experts vehemently dispute.<\/p>\n<p>Moreover, in its complaint, the city said Goodwolf is \u201cthreatening publicly to disclose and disseminate the City\u2019s stolen data to the local community in the form of a website he will create.\u201d The city wants Goodwolf to pay damages greater than $25,000, an amount to be determined by jury trial, for what it calls the \u201cirreparable harm\u201d and \u201cwidespread concern throughout the Central Ohio region\u201d caused by Goodwolf\u2019s disclosure of the data to the media.<\/p>\n<p>The city also <a href=\"https:\/\/www.dispatch.com\/story\/news\/local\/2024\/08\/29\/data-hack-columbus-restraining-order-cyber-security-expert-david-ross\/74998593007\/\">successfully requested<\/a> a temporary restraining order (TRO) barring Goodwolf from accessing, downloading, or disseminating the stolen data.<\/p>\n<p><strong>Sept. 9:<\/strong> During the first briefing the Columbus City Council members received on the ransomware incident, the city\u2019s technology officer, Sam Orth, <a href=\"https:\/\/www.dispatch.com\/story\/news\/local\/2024\/09\/10\/columbus-it-chief-tells-council-23-percent-of-city-computer-systems-remain-down-from-cyberattack\/75106743007\/\">said<\/a> that 23% of the city\u2019s computer systems were still down and another 7% had been only partially restored. He acknowledged that the criminals stole PII on hundreds of thousands of people, including city residents and employees, too many, he said, to notify individually. After briefing the Council, Orth fled the room through an emergency-only balcony exit to avoid the media.<\/p>\n<p><strong>Sept. 
11:<\/strong> The city <a href=\"https:\/\/ny1.com\/content\/dam\/News\/static\/pdfs\/oh\/Signed_Agreed_Preliminary_Injunction.pdf\">reached an agreement<\/a> on a preliminary injunction with Goodwolf, replacing the earlier restraining order. Under the injunction, Goodwolf is barred from sharing stolen city data with anyone other than the city itself, including personal information such as Social Security numbers, driver\u2019s license numbers, bank account information, and credit card numbers, and from disseminating any data from the city\u2019s MATRIX prosecutor and MATRIX crime databases until his case is finally resolved.<\/p>\n<h2 class=\"wp-block-heading\">Goodwolf: \u2018All this could have been prevented\u2019<\/h2>\n<p>Goodwolf says he was caught off guard by the city\u2019s lawsuit. \u201cAt no time did they even attempt to reach out before filing a lawsuit in the TRO,\u201d he tells CSO.<\/p>\n<p>\u201cThe tipping point was my going to the news media regarding the contents of the crime database, even though the prosecutor\u2019s database was the first database I shared with the media, which had names of domestic violence victims and crimes involving minors,\u201d he adds. \u201cThe line was crossed with the crime database, which contained names of officers, even though, again, crimes regarding victims were already in the prosecutor\u2019s database. I don\u2019t know where the outrage came from in the city because I had been talking about the breach starting on the 13th through the 29th when the TRO was filed.\u201d<\/p>\n<p>City Attorney Zach Klein confirmed that the crime database files Goodwolf shared with the media triggered the lawsuit. He accused Goodwolf of going \u201cto the next level\u201d by reporting that a Columbus police database was exposed. 
Klein <a href=\"https:\/\/www.wosu.org\/politics-government\/2024-08-29\/columbus-seeks-restraining-order-to-block-cybersecurity-expert-from-releasing-data-from-hack\">said<\/a>, \u201cWho else is he disclosing that information to? Friends? Family? This is personal, confidential information. This is investigatory records. And in order to protect victims, in order to protect witnesses, in order to protect our fine men and women of the Division of Police, we filed this TRO.\u201d<\/p>\n<p>Goodwolf says that he shared the stolen files with the media solely so they could conduct due diligence to confirm the validity of the data. He took steps to protect the data by asking reporters to agree not to report any information they received. \u201cAll this could have been prevented because if I had the means to contact someone there who wasn\u2019t just a lower-ranking worker, then I wouldn\u2019t have had to go to the media,\u201d he says.<\/p>\n<p>Goodwolf says he repeatedly tried to tell the city about the breach but was met with silence. \u201cI even sent screenshots of my call logs to all the local reporters,\u201d he says. \u201cI was like, dude, I tried. They [the reporters] even requested <a href=\"https:\/\/www.nbc4i.com\/news\/local-news\/columbus\/city-hack\/listen-when-whistleblower-discovered-data-leaks-danger-he-warned-columbus-first\/\">voicemail<\/a>\u201d as proof of his attempt to inform the city. (Klein said he was never made aware by his office employees that Goodwolf tried to contact him.)<\/p>\n<p>What motivated Goodwolf most to reach out to the media was \u201cthe freaking fact sheet\u201d the mayor issued, which was \u201cjust full of lies,\u201d he says, particularly Ginther\u2019s contention that the stolen data was encrypted or corrupted. 
After Goodwolf disproved this assertion with actual data, representatives from Dinsmore, the law firm the city brought in to help handle the breach fallout, asked him how he achieved what they could not.<\/p>\n<p>Goodwolf says, \u201cSome of [Dinsmore people] said, \u2018I tried downloading the data, and it was corrupted. What am I doing wrong?\u2019 I\u2019m like, oh, shit. Now I understand. When I download files from the dark web, I use the command line. I\u2019m not necessarily using the Tor browser when downloading big payloads. Anything over a hundred to 200 gigs has a risk of stopping and restarting it.\u201d<\/p>\n<p>The Columbus mayor\u2019s office tells CSO that \u201cDinsmore is a nationally renowned firm that has worked on thousands of cybersecurity attacks, including high-profile cases. Since August 13, we have brought on additional resources to support our investigation. The findings of our investigation will be disclosed via an official report in October.\u201d<\/p>\n<p>The mayor\u2019s office also confirmed that the city had no cyber insurance at the time of the Rhysida attack. <a href=\"https:\/\/www.csoonline.com\/article\/571703\/cyber-insurance-explained.html\">Cyber insurance policies<\/a> typically require policyholders to notify the insurer as soon as they learn of an incident, whereupon the insurer brings in its own panel of incident response and legal experts to run the investigation and response.<\/p>\n<h2 class=\"wp-block-heading\">Experts: \u2018The city of Columbus looks really dumb right now\u2019<\/h2>\n<p>Goodwolf has been hailed as a whistleblowing hero by leading practitioners in the infosec community. On Sept. 10, dozens of the world\u2019s top cybersecurity professionals signed a <a href=\"https:\/\/disclose.io\/uploads\/open_letter_columbus_attorney_zach_klein.pdf\">letter<\/a> to City Attorney Klein saying his lawsuit, which \u201cseeks to penalize Mr. 
Goodwolf for allegedly disseminating data stolen by the Rhysida ransomware group, is misguided and counterproductive.\u201d<\/p>\n<p>They further point out that the \u201cactual criminals in this case are a ransomware gang who call themselves Rhysida\u201d and urged the city to \u201crefocus its efforts on mitigating these risks, informing citizens about the true nature of the breach, and taking proactive steps to enhance the city\u2019s information security posture.\u201d<\/p>\n<p>Even some former local police officers appear to be on Goodwolf\u2019s side. \u201cThe community at large has been extremely supportive to the point where I\u2019ve even had former police officers approach and tell me, if I do get fined, they\u2019ll throw $5,000 in the pot and pay the city,\u201d Goodwolf says.<\/p>\n<p>\u201cThe city of Columbus looks really dumb right now,\u201d Michael Hamilton, founder and CISO at Critical Insight and former CISO of Seattle, tells CSO. \u201cIt looks like they were trying to evade any transparency here. And that always makes it worse. I think part of the implication here is that they can treat him as a bad guy, and the perception they create might lessen the pressure on them. But slapping the guy with a restraining order just makes the city look worse.\u201d<\/p>\n<p>\u201cI think this was a very ham-fisted, clumsy approach,\u201d Richard Forno, assistant director of the Cybersecurity Institute at the University of Maryland, Baltimore County, tells CSO. 
\u201cThey just stepped on both feet and tripped over themselves and took an incident that was bad enough and added this level of bad optics to it that got a lot of bad publicity and made the situation even worse.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Attorneys: Gagging Goodwolf violates the First Amendment<\/h2>\n<p>In announcing the city\u2019s lawsuit and gag order against Goodwolf, City Attorney Klein said the legal actions were \u201cnot about free speech, but rather about stopping him from accessing the stolen data.\u201d<\/p>\n<p>However, Aaron Mackey, free speech and transparency litigation director at the Electronic Frontier Foundation, <a href=\"https:\/\/www.nbc4i.com\/news\/investigates\/columbus-whistleblower-lawsuit-violates-first-amendment-digital-rights-group-says\/\">told local press outlets<\/a> that the lawsuit \u201cclearly violates [Goodwolf\u2019s] First Amendment rights to make sure that the public understands and is informed on this very significant privacy breach that is the result of what sounds like the city\u2019s own inaction or inability to properly secure its data. Rather than thank this individual for coming forward and actually explaining to the public that this is a significant problem, the city has resorted to basically violating his First Amendment rights and claiming that what he\u2019s done is some sort of illegal act.\u201d<\/p>\n<p>One of the nation\u2019s leading First Amendment experts, Bob Corn-Revere, now chief counsel for the Foundation for Individual Rights and Expression, agrees with Mackey, calling the initial gag order a classic case of prior restraint, which courts always disfavor. \u201cThis gag order is all-encompassing,\u201d he tells CSO. \u201cIt prohibits accessing, disclosing, and possessing anything involving this data breach. 
And it seems like that\u2019s an awfully broad restriction for someone who\u2019s simply trying to report on a matter that the city appears not to want to publicize.\u201d<\/p>\n<p>The city attorney\u2019s office responded to this criticism by pointing to the second agreement, the preliminary injunction, that Goodwolf signed. \u201cMr. Goodwolf and the City signed an agreement on a preliminary injunction last week that protects sensitive data exposed in the cyber intrusion from being disseminated publicly while also allowing him to maintain a dialogue with the City regarding the breach. Like the temporary restraining order formerly in place, this new agreement has zero impact on Goodwolf\u2019s ability to discuss the extent of the cyber intrusion or even describe what kinds of data were exposed, including to members of the media.\u201d<\/p>\n<p>However, while Corn-Revere thinks the preliminary injunction is better, he believes it still raises serious First Amendment issues. \u201cThis is certainly better than the blanket prior restraint that existed before,\u201d he says. \u201cIt makes an attempt to be more narrowly tailored. But it is still troubling that it gives the city prior review and veto power over anything he wants to report publicly.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What\u2019s next for Goodwolf?<\/h2>\n<p>Despite what he has been through, Goodwolf is optimistic the city will drop its lawsuit. He has an attorney on standby, and EFF is waiting in the wings to help if need be.<\/p>\n<p>\u201cUsually, when it comes to civil cases, they get settled before they go to trial,\u201d he says. \u201cIt\u2019s more than likely, best guess here, that the city will drop the case.\u201d<\/p>\n<p>He intends to move forward with the website that the city objected to, a searchable database akin to Troy Hunt\u2019s <a href=\"https:\/\/haveibeenpwned.com\/\">HaveIBeenPwned<\/a>. 
This database will allow Columbus residents to determine whether their data was implicated in the breach and what information was exposed. However, it would cover only the roughly 45% of the stolen data that Rhysida, unable to sell it, dumped on the web.<\/p>\n<p>\u201cNow, if the city wants to add to that data pile, if they know a certain database was also exfiltrated, that would be even more powerful,\u201d he says. \u201cI\u2019ll add that. I want to get everyone in a room and talk them through everything. They\u2019re not all tech-savvy, so I\u2019ll have to be diplomatic and make sure I walk people through and explain everything.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A ransomware attack on Columbus, Ohio, has drawn international attention and condemnation for how city leaders mismanaged their response to the incident. First, the mayor\u2019s office erroneously downplayed the nature and impact of what it initially called a system \u201cabnormality.\u201d Then, the city obtained a gag order on a local cybersecurity expert who proved the 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":266,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-272","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/272"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=272"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/272\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/266"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}