A judge in Ohio has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus scooped up reams of sensitive personal information, contradicting claims made by city officials.
The order, issued by a judge in Ohio’s Franklin County, came after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city’s data. A ransomware group known as Rhysida took credit for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to find a bidder, Rhysida released what it said was about 45 percent of the stolen data on the group’s dark web site, which is accessible to anyone with a TOR browser.
Columbus Mayor Andrew Ginther said on August 13 that a “breakthrough” in the city’s forensic investigation of the breach found that the sensitive files Rhysida obtained were either encrypted or corrupted, making them “unusable” to the thieves. Ginther went on to say the data’s lack of integrity was likely the reason the ransomware group had been unable to auction off the data.
Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence that showed the data Rhysida published was fully intact and contained highly sensitive information regarding city employees and residents. Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims. Some of the data spanned years.
On Thursday, the city of Columbus sued Ross for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him “interacting” with them and required special expertise and tools.
Why isn’t this a criminal investigation? I see fraud, lyin to the victims, a coverup, harassing a whistleblower, and abusing government resources for personal reasons. Do they not have anti-SLAPP laws?
Honestly, I don’t think they have anti-SLAPP, but I could be wrong. Only did about five minutes of research, and couldn’t find anything on that
Komissars doing lords work, for your own good, boy
Lol this guy is going to get an apology and the city is going to be wearing the egg on their face.
Horrible optics. What in the world are they even thinking?
Authoritative knee jerk with a bit of ignorance thrown in.
As an elder Millennial, this type of response is all I’ve ever known from Baby Boomers.
As an Xer you aren’t alone. They have ALWAYS acted this way the moment they are questioned. Cunts the lot.
I’m from there so I can say this, Columbus is a shit-hole.
I like the board game community there. Plus that fried chicken place by the convention center. That’s about it.
These are people writing laws about technology. They are absolute idiots.
They also write our drug laws.
How did we all learn about drugs? D.A.R.E.
He deserves way more than an apology. The mayor lied about the impact and then got a restraining order granted without David knowing about it or having legal representation. People really think the “dark web” is some secret magical interspace and not just one tor-browser download away.
Wouldn’t it be unenforcable if someone didn’t know about it?
Not even that complex anymore, just download brave and “open private window with tor”. Then go to the website and download the data.
Downloading a “tor browser” always sound more “hacker” than it is these days.
Does that work with mobile app?
I think it’s desktop only, but I rarely use the mobile brave app.
This is what you get for doing good. Next time, don’t try to help them. Just let them get fucked.
The problem is, they aren’t the ones that’d get fucked. It’s the people they’re responsible for that’d end up getting screwed over.
If nothing else they should have tried to report it anonymously
From what little we know, the guy had every right to do things the way he did, and posting an immediate reply to the Mayors lie was my re than valid
The ransomware group has a stupid business plan there. A city govt isn’t gonna pay for the data. There’s no guarantee all copies would be deleted if they pay, and the govt suffers no real consequences if they just do nothing. If they paid, it would just make them an attractive target for further attacks; you know they aren’t going to fix all their security vulnerabilities. And then they tried to auction the data… But they have to actually release it eventually otherwise the ransom is toothless, so potential buyers just have to wait for it to get released for free, which is what happened.
The Mayor should just go ahead and resign. Take the city attorney with him while he’s at it.
What a bunch of asshats.
On Thursday, the city of Columbus sued Ross for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him “interacting” with them and required special expertise and tools.
Maybe Ohio should find a better place to store their braindead citizens outside of a court bench rather than inside.
Missouri, maybe? The governor there did the same thing to a newspaper reporter in St. Louis a couple years back.
