Ransomware has long been annoying american cities. It may seem like another typical ransomware attack that hit the city of Columbus, Ohio, last July. However, the city’s response to this attack was anything but, and it has Cyber Security and legal experts across the country question the motives behind the incident.
Connor Goodwolf (legal name David Leroy Ross) is an IT consultant specializing in plumbing. dark web as part of his job. “I track dark web-type crimes, criminal organizations and things like that. Telegram CEO was arrested for this crime,” Goodwolf said.
So when word got out that his hometown of Columbus had been breached, Goodwolf did what he always did: he searched online. It didn’t take him long to discover what the hackers had.
“This isn’t the biggest breach, but it’s one of the most impactful breaches I’ve ever seen,” Goodwolf said.
In some ways, he described it as a typical breach, with personally identifiable information, protected health information, Social Security Number and driver’s license photos were exposed. However, because so many databases were compromised, it was more extensive than other attacks. According to Goodwolf, the hackers compromised multiple databases from the city, police, and prosecutor’s offices. They included arrest records and sensitive information about minors and domestic violence victims. He said some of the compromised databases dated back to 1999.
Goodwolf found more than three terabytes of data, and it took more than eight hours to download.
“The first thing I saw was the prosecutor’s database, and I was like ‘oh my gosh’ this is a domestic violence victim. When it comes to domestic violence victims, we need to protect them the most because they’ve been a victim once, and now they’re being exposed again,” he said.
Goodwolf’s first action was to contact the city to let them know how serious the breach was, as what he saw contradicted official statements. At a press conference on August 13, Columbus Mayor Andrew Ginther said, “The personal data the threat actor posted to the dark web was encrypted or corrupted, so much of the data the threat actor obtained is unusable.”
But what Goodwolf found did not support that view. “I tried to contact the city multiple times with multiple departments, but was ignored,” he said.
Mandiant is owned by Google, as are many other top cybersecurity companieshas been continuously monitored the rise of ransomware attacksBoth in popularity and severity, and the rise of the Rhysida Group behind the attack on Columbus, has become well known in the past year.
The Rhysida group has claimed responsibility for the attack. While little is known about the cyber gang, Goodwolf and other security experts say it appears to be state-sponsored and based in Eastern Europe, may be related to RussiaGoodwolf said these ransomware gangs are “professional operations” with employees, paid leave, and public relations teams.
“They have increased their attacks and targets since last fall,” he said.
United States Government Cybersecurity and Infrastructure Security Agency issued a newsletter about Rhysida last November.
Goodwolf said that since no one in the city responded, he went to local media and shared the data with journalists to get the word out about the severity of the breach. And that’s when he heard from the city of Columbus, in the form of a lawsuit and a temporary restraining order preventing him from releasing more information.
The city defended its response in a statement to CNBC:
“The City initially sought this injunction, which was granted by the Court, to prevent the release of sensitive and confidential information, potentially including the identities of undercover police officers, that would jeopardize public safety and criminal investigations.”
The city’s 14-day temporary restraining order against Goodwolf has expired, and the city now has a preliminary injunction and an agreement with Goodwolf not to disclose further data.
“It should be noted that the Court’s order does not prohibit the defendant from discussing the data breach or even describing what type of data was disclosed,” the city’s statement added. “It simply prohibits the individual from distributing the stolen data posted on the dark web. The city continues to work with federal agencies and cybersecurity experts to respond to this cyber intrusion.”
Meanwhile, the mayor had to make a mea culpa at a later press conference, saying his initial statements were based on the information he had at the time. “That was the best information we had at the time. Obviously, we found out that it was incorrect information and I have to take responsibility for that.”
Recognizing that the level of exposure to residents was greater than initially anticipated, the city is offering free credit monitoring for two years from Experian. This includes anyone who has had contact with the city of Columbus through an arrest or other business activity. Columbus is also working with Legal Aid to see what additional protections are needed for victims of domestic violence who may have been violated or need help with a civil protection order.
So far, the city has not paid the hackers, who demanded a $2 million ransom.
‘He is not Edward Snowden’
Those who study cybersecurity law and work in the field expressed surprise when Columbus filed a civil lawsuit against the researcher.
“Lawsuits against data security researchers are rare,” said Raymond Ku, a law professor at Case Western Reserve University. In the rare cases where they do occur, he said, it’s usually when the researcher allegedly reveals how a vulnerability has been or can be exploited, which then allows others to take advantage of it as well.
“He’s not Edward Snowden,” said Kyle Hanslovan, CEO of cybersecurity firm Huntress, who described himself as concerned about the city of Columbus’ response and what it could mean for future breaches. Snowden was a government contractor who leaked classified information and faced criminal charges, but considered himself a whistleblower. Hanslovan said Goodwolf was a good Samaritan who found the breached data on his own.
“In this case, it seems like we just silenced someone who, as far as I know, appears to be a security researcher who did the bare minimum and confirmed that the official statements that were made were not true. This cannot be an appropriate use of the courts,” Hanslovan said, predicting that the case would be quickly overturned.
Columbus City Attorney Zach Klein said at a press conference in September. that the case “is not about free speech or whistleblowing. This is about downloading and disclosing stolen criminal investigative records.”
Hanslovan worries about the ripple effect of cybersecurity consultants and researchers being afraid to do their jobs for fear of being sued. “The bigger story here is that we’re seeing the emergence of a new tactic” to deal with hackers where individuals are being silenced, and that shouldn’t be welcomed, he said. “Silence of any opinion, even for 14 days, can be enough to prevent something credible from coming to light, and that terrifies me,” Hanslovan said. “That voice needs to be heard. As we see larger cybersecurity incidents happen, I worry that people will be more interested in bringing them to light.”
Scott Dylan, founder of UK-based venture capital firm NexaTech Ventures, also said the city of Columbus’s actions could have a negative impact on the cybersecurity industry.
“As the field of cyber law continues to evolve, this case is likely to be mentioned in future discussions about the role of researchers following data breaches,” Dylan said.
The legal framework must change to keep up with the sophistication of both cyberattacks and the ethical issues they raise, and Columbus’ approach is a mistake, he said.
Meanwhile, the legal process continues for Goodwolf. Although Columbus and Goodwolf reached an agreement last week to release information, the city is still suing him for damages in a civil lawsuit that could reach $25,000 or more. Goodwolf is representing himself in negotiations with the city, although he said he has an attorney on hand if needed.
Some residents have filed a class-action lawsuit against the city. Goodwolf said 55% of the compromised information was sold on the dark web, while 45% was available to anyone with the skills to access it.
Dylan argues that the city is taking a huge risk, even if its actions are legally defensible, by making it appear as an attempt to silence discussion rather than encourage transparency. “It’s a strategy that could backfire, both in terms of public trust and future litigation,” he said.
“I hope the city realizes the mistake of filing a civil lawsuit and the implications are not just for safety,” Goodwolf said, noting that Intel is spending billions of dollarswith significant federal government supportto build chip manufacturing facilities in the Columbus suburbs. In recent years, the city has positioned itself as a new tech hub in the Midwest’s “Silicon Heartland” and is attacking white hat and cybersecurity researchers, he said, could cause some in the tech industry to reconsider the position.
