The personal data of approximately 500,000 residents of Columbus, Ohio, was exposed following a ransomware attack on the city’s network systems by Rhysida, a relatively new but increasingly notorious cybercriminal organization. Personal information, including bank account details and Social Security numbers, was taken by the cybercriminal group, which has previously targeted the Department of Health and the Chilean Army. The full extent of the incident was revealed when the City filed a data breach notification on October 7 with the Office of the Attorney General for the state of Maine, indicating that it had affected 500,000 individuals, including 24 Maine residents.
A letter sent to those affected stated that the data involved could include personal information, such as first and last names, dates of birth, addresses, bank account information, driver’s license numbers, and Social Security numbers. Columbus Mayor Andrew Ginther confirmed the data breach in August but stated that most of the data was corrupted or encrypted. However, security researcher David Leroy Ross disputed these claims.
Ross said he accessed the data leaked by Rhysida on the dark web and shared samples with media outlets, alleging that the stolen information was unencrypted and included the personal details of city employees, residents, and vulnerable individuals like domestic violence victims. The City of Columbus filed a lawsuit against Ross, alleging that he threatened to share the city’s stolen data with unauthorized third parties. A Franklin County judge issued a temporary restraining order preventing Ross from disseminating the information.
The city administration said it was in the process of identifying individuals whose personal information was potentially exposed and would provide notice and additional guidance to all who are impacted in the coming weeks. On July 18, 2024, the City of Columbus discovered an attempt to disrupt its IT infrastructure, possibly to deploy ransomware and solicit a ransom payment. “Once the threat actor activity was identified, the city immediately engaged the Department of Homeland Security to further protect its systems and data,” the City of Columbus said in a statement on July 29.
Clients of the City of Columbus received a notice on September 12 informing them that the threat actor’s activity had been disrupted but that “the incident allowed the threat actor to view and access certain sensitive personal information,” including City employee account numbers and positions, City employment and payroll records, and Social Security numbers.
Columbus ransomware attack exposes personal data
The Rhysida ransomware group, responsible for the Columbus attack, is a relatively new player in the cybercriminal landscape but has rapidly gained notoriety for its aggressive tactics and high-profile targets.
First observed in May 2023, Rhysida operates as a ransomware-as-a-service (RaaS), employing double extortion techniques to pressure victims into paying ransoms. The group not only encrypts victims’ data but also threatens to publish it on the dark web if their demands are not met. Rhysida is known to use various methods to infiltrate systems, including spear-phishing emails with malicious attachments, exploiting unpatched vulnerabilities, and attacking remote desktop protocols (RDP) and virtual private networks (VPNs).
Beyond the City of Columbus, Rhysida has also targeted educational and government agencies. In May 2024, they breached the Chilean Army’s systems, leaking sensitive military documents. In August 2023, the Department of Health and Human Services issued an alert after Rhysida attacked several healthcare providers and hospitals.
The group’s activities have drawn comparisons to the Vice Society ransomware group, with some security experts suggesting that Rhysida may be a rebrand or offshoot. Both groups share similar tactics and have been known to target educational and healthcare institutions. “The timelines of Vice Society and Rhysida overlap, just like their tactics. There hasn’t been much news about Vice Society since August 2023, when researchers realized the connection between the groups,” said cybersecurity firm Barracuda in a blog post about the ransomware group. “The problem with names like Vice Society and Rhysida is that they’re just temporary brands for clusters of individual threat actors who can easily move from one to another. The threat clusters behind the brands are always active, even when the brand shuts down or simply fades out,” it added.