[German]An unpleasant development in the USA, where the city of Columbus in Ohio was the victim of a ransomware attack. The mayor tried to play down the case, claiming that the data was useless to criminals. A security researcher looked at the data leaked by the ransomware gang and proved that the data was sensitive. The city sued the security researcher and he was granted a temporary injunction prohibiting him from reporting.
Ransomware attack on the city of Columbus
The city of Columbus, located in the US state of Columbus, was the victim of a ransomware attack on July 18, 2024. In the process, 6.5 terabytes of city data were accessed. The Rhysida ransomware group claimed responsibility for the attack and offered the data in an auction with a starting bid of around 1.7 million dollars in Bitcoin. However, there were no bidders at the auction, so Rhysida published around 45 percent of the stolen data on its dark web page on August 8, 2024. This is freely accessible via a TOR browser.
Andrew Ginther, the mayor of the city of Columbus, spoke of a "breakthrough" in the forensic investigation of the ransomware incident on August 13, 2024. The investigation revealed that the sensitive files obtained by Rhysida were either encrypted or corrupted. The data was therefore "unusable" for the ransomware group, and the lack of integrity of the data was probably the reason for the ransomware group's failed auction.
Security researcher David Leroy Ross went to the Rhysida group's leak page via TOR browser and looked at the data posted there. He found that the data was intact and contained highly sensitive information about city employees and residents. Ross, who uses the pseudonym Connor Goodwolf, provided local news outlets with screenshots and other evidence showing that the files posted by Rhysida were sensitive material. There were names from domestic violence cases and social security numbers of police officers and crime victims in the records. Some of the records spanned years.
City sues the security researcher
On August 29, 2024, the city of Columbus sued the security researcher for his reporting. The lawsuit seeks damages for criminal acts, invasion of privacy, negligence and "theft" (referred to as civil conversion). The lawsuit alleged that downloading the documents from the Rhysida Dark website amounted to a hack because it required specialized knowledge and tools.
The lawsuit also addresses the fact that security researcher Ross provided information about the details that is not readily available to others. In a press conference (available on YouTube), the city's attorney, Zach Klein, announced the motion for a temporary restraining order against the security researcher regarding the public disclosure of the information.
"This is not about free speech or whistleblowing," the attorney said. "This is about downloading and sharing stolen criminal records. This is about getting [Ross] to stop downloading and sharing stolen criminal records to protect public safety."
A judge in Franklin County, Ohio, has issued a temporary injunction against the security researcher. This means that he is no longer allowed to publicly report on the data. ArsTechnica, which took up the case here, tried to obtain statements from the city and the lawyer for the plaintiff. The Columbus City Attorney's office did not respond to emailed questions, but released the following statement:
The lawsuit filed by the City of Columbus pertains to stolen data that Mr. Ross downloaded from the dark web to his own, local device and disseminated to the media. In fact, several outlets used the stolen data provided by Ross to go door-to-door and contact individuals using names and addresses contained within the stolen data. As has now been extensively reported, Mr. Ross also showed multiple news outlets stolen, confidential data belonging to the City which he claims reveal the identities of undercover police officers and crime victims as well as evidence from active criminal investigations. Sharing this stolen data threatens public safety and the integrity of the investigations. The temporary restraining order granted by the Court prohibits Mr. Ross from disseminating any of the City's stolen data. Mr. Ross is still free to speak about the cyber incident and even describe what kind of data is on the dark web—he just cannot disseminate that data.
The security researcher in question did not comment to ArsTechnica. The sticking point in the current case was probably the direct dissemination of the material downloaded from the darknet website.
