A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials.
The order, issued by a judge in Ohio’s Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city’s data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group’s dark web site, which is accessible to anyone with a TOR browser.
Columbus Mayor Andrew Ginther said on August 13 that a “breakthrough” in the city’s forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them “unusable” to the thieves. Ginther went on to say the data’s lack of integrity was likely the reason the ransomware group had been unable to auction off the data.
Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.
On Thursday, the city of Columbus sued Ross for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him “interacting” with them and required special expertise and tools.
Countless similiar situations like this is the reason why I find it difficult to help people/groups that display zero-sum behaviour because even if you help them there’s no telling if they’ll attack you in return
I’d rather spend my time helping people/organizations that are already trustworthy or have proven to be reciprocal towards others regardless of status or wealth
He wasn’t helping them. He was calling out their bullshit. Which is the way it works with people more interested in creating an illusion of competence than pursuing actual competence. They are more interested in hiding issues than fixing them, so someone calling out issues is more of a problem to them than the issues themselves.
I’m pretty wary of helping even those organizations. It starts to become apparent when the people in charge are only really in it for their own clout, or they’re afraid of losing power over the organization, or even worse they are just using the organization for perks and socializing.
I find it’s about size. A small organization can be good or bad, depending on the members. At some point, you reach a size where the orgs focus shifts to perpetuating itself
Is the name of this group, Rhysida, a play on the name Jack Rhysider? The host of the Darknet Diaries podcast?
Why isn’t this a criminal investigation? I see fraud, lyin to the victims, a coverup, harassing a whistleblower, and abusing government resources for personal reasons. Do they not have anti-SLAPP laws?
Honestly, I don’t think they have anti-SLAPP, but I could be wrong. Only did about five minutes of research, and couldn’t find anything on that
On Thursday, the city of Columbus sued Ross for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him “interacting” with them and required special expertise and tools.
Maybe Ohio should find a better place to store their braindead citizens outside of a court bench rather than inside.
Missouri, maybe? The governor there did the same thing to a newspaper reporter in St. Louis a couple years back.
Meanwhile Columbus had 82 murders in 2009 and 206 in 2021. 599 rapes in 2009 and 1005 rapes in 2022. 4192 car thefts in 2009, 7293 in 2022.
What are the per Capita numbers because it’s a pretty useless comparison otherwise.
In any case, I doubt the population doubled the capita count.
Streisand strikes again.
Komissars doing lords work, for your own good, boy
The Mayor should just go ahead and resign. Take the city attorney with him while he’s at it.
What a bunch of asshats.
Lol this guy is going to get an apology and the city is going to be wearing the egg on their face.
Horrible optics. What in the world are they even thinking?
I’m from there so I can say this, Columbus is a shit-hole.
I like the board game community there. Plus that fried chicken place by the convention center. That’s about it.
Authoritative knee jerk with a bit of ignorance thrown in.
As an elder Millennial, this type of response is all I’ve ever known from Baby Boomers.
deleted by creator
These are people writing laws about technology. They are absolute idiots.
They also write our drug laws.
How did we all learn about drugs? D.A.R.E.
This is what you get for doing good. Next time, don’t try to help them. Just let them get fucked.
The problem is, they aren’t the ones that’d get fucked. It’s the people they’re responsible for that’d end up getting screwed over.
If nothing else they should have tried to report it anonymously
From what little we know, the guy had every right to do things the way he did, and posting an immediate reply to the Mayors lie was my re than valid
He deserves way more than an apology. The mayor lied about the impact and then got a restraining order granted without David knowing about it or having legal representation. People really think the “dark web” is some secret magical interspace and not just one tor-browser download away.
Wouldn’t it be unenforcable if someone didn’t know about it?
They delivered the order after the decision was made. He didn’t know about the proceedings that led to the order.
Oh that’s completely fine.
Not even that complex anymore, just download brave and “open private window with tor”. Then go to the website and download the data.
Downloading a “tor browser” always sound more “hacker” than it is these days.
Does that work with mobile app?
I think it’s desktop only, but I rarely use the mobile brave app.
The ransomware group has a stupid business plan there. A city govt isn’t gonna pay for the data. There’s no guarantee all copies would be deleted if they pay, and the govt suffers no real consequences if they just do nothing. If they paid, it would just make them an attractive target for further attacks; you know they aren’t going to fix all their security vulnerabilities. And then they tried to auction the data… But they have to actually release it eventually otherwise the ransom is toothless, so potential buyers just have to wait for it to get released for free, which is what happened.