Ransomware Attack on Columbus: Rhysida Group Targets City Systems

Incident Date: Jul 31, 2024

Attack Overview
VICTIM: City of Columbus, Ohio
INDUSTRY: Government
LOCATION: USA
ATTACKER: Rhysida
FIRST REPORTED: July 31, 2024

Ransomware Attack on City of Columbus, Ohio

The City of Columbus, Ohio, recently confirmed it was targeted in a ransomware attack by the Rhysida group on July 18. The city managed to halt the attack before significant damage occurred, but an ongoing investigation aims to determine the extent of data accessed. The incident was publicly acknowledged on July 19, with city officials announcing that certain systems were taken offline as a precaution, causing disruptions in multiple city services. Essential services like 911 and 311 remained operational.

Overview of the City of Columbus

The City of Columbus operates as a municipal government designed to serve its residents through various departments and initiatives. The city is structured into nine districts, each represented by a council member, and employs a hybrid at-large system. This governance structure facilitates local representation and decision-making, ensuring that the needs of diverse communities within the city are addressed effectively. Columbus is the capital city of Ohio and operates under the leadership of Mayor Andrew J. Ginther. It provides a variety of services to its residents, including business resources, zoning, and tax services.

Details of the Attack

On July 29, the city clarified that the attackers aimed to disrupt IT infrastructure and possibly deploy ransomware to demand payment. Although the city interrupted the attack before full deployment, authorities are still assessing potential data compromise. Mayor Andrew J. Ginther described the attackers as a sophisticated overseas group. Since the breach, the city has worked to restore its systems, with email services already back online. The breach reportedly occurred when an employee downloaded a file from a website, inadvertently allowing attackers access to the city’s systems.

About the Rhysida Ransomware Group

The Rhysida Ransomware Group is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets the education, healthcare, manufacturing, information technology, and government sectors. Rhysida ransomware is written in C++ and specifically targets the Windows operating system. It is deployed through diverse methods, most commonly via phishing campaigns. Once executed, the ransomware encrypts files using the ChaCha20 encryption algorithm and generates ransom notes as PDF documents.

Penetration and Impact

Rhysida employs a double extortion technique, stealing data from victim networks before encrypting it and threatening to publish it on the dark web unless a ransom is paid. The group has claimed responsibility for the attack on Columbus, listing the city on its dark web site and alleging it has stolen over 6.5 terabytes of data, including sensitive information like employee credentials and server logs. The city continues to collaborate with cybersecurity experts, the FBI, and Homeland Security to fully assess and address the situation.
