A dark web researcher cautioned Columbus, Ohio, residents that the ransomware attack was more significant than the mayor had stated. As a result, the city is filing a lawsuit against him.

  • Over the summer, Columbus, Ohio, was hit by a cyberattack that is part of a new wave of ransomware launched by the Rhysida group, which some security experts believe is linked to Russia or neighboring states.
  • A city-based IT researcher who monitors the dark web and cybercrime obtained three terabytes of stolen data in 8 hours, which they warned the media was far more extensive than the city had previously disclosed to its residents.
  • The city sued him, claiming the suit was necessary to safeguard confidential data, a move experts say could negatively impact hacking revelations and public transparency.

Ransomware has been a persistent problem for American municipalities. The recent attack on Columbus, Ohio, in July, was typical, but the city's response has raised questions among cybersecurity and legal experts about its motives.

David Leroy Ross, also known as Connor Goodwolf, is an IT consultant who specializes in exploring the dark web as part of his job. "My work involves tracking criminal activities, organizations, and cases like the one involving the Telegram CEO's arrest," Goodwolf stated.

After he learned that his hometown, Columbus, had been breached, it didn't take Goodwolf long to discover what the hackers had in their possession.

Goodwolf stated that while it may not have been the largest breach, it was one of the most significant.

The hackers breached multiple databases from the city, police, and prosecutor's office, exposing personally identifiable information, protected health information, Social Security numbers, and driver's license photos. According to Goodwolf, the breach was more comprehensive than other attacks, as it included arrest records and sensitive information about minors and domestic violence victims. Some of the breached databases went back to 1999.

Over 8 hours, Goodwolf downloaded more than three terabytes of data.

"As soon as I look at the prosecutor's database, I'm stunned to see domestic violence victims. We must prioritize protecting these victims, who have already been harmed once, and now face further harm by having their information exposed," he stated.

Goodwolf's first action was to contact the city to inform them of the seriousness of the breach. What he saw contradicted the official statements made by Columbus Mayor Andrew Ginther at a press conference on August 13, where the mayor stated that the personal data published by the threat actor to the dark web was either encrypted or corrupted, making the majority of the data unusable.

Despite his efforts to contact the city through various departments, Goodwolf was unable to get a response.

The Columbus hack, orchestrated by the Rhysida Group, has been tracked by Google-owned Mandiant and other top cybersecurity firms, who have observed a rise in ransomware attacks in terms of both frequency and intensity.

The Rhysida Group admitted to being responsible for the hack. Although not much is known about the cyber gang, Goodwolf and other security experts believe they are state-sponsored and based in Eastern Europe, possibly linked to Russia. Goodwolf states that these ransomware gangs are "professional operations" with a staff, paid vacation, and PR people.

The attacks and targets have intensified since last autumn, he stated.

In November, the Cybersecurity and Infrastructure Security Agency of the U.S. government released a bulletin regarding Rhysida.

Goodwolf, after not receiving a response from the city, went to the local media and shared data with journalists to raise awareness about the breach. However, he soon received a lawsuit and a temporary restraining order from the city of Columbus, preventing him from sharing any further information.

The city defended its response in a statement to CNBC:

"The City sought the order from the Court to prevent the release of sensitive information that could endanger public safety and criminal investigations."

Goodwolf is no longer under a temporary restraining order from the city, but is subject to a preliminary injunction and has agreed not to release additional data.

"The city's statement clarified that the Court order does not prevent the defendant from discussing or describing the data breach. However, it prohibits the individual from sharing the stolen data posted on the dark web. The City is collaborating with federal authorities and cyber security experts to address the cyber intrusion."

At the time, we believed the information we had was accurate, but we later discovered it was incorrect. As a result, I must take responsibility for my initial statements.

The city of Columbus is offering two years of free credit monitoring from Experian to residents who have had contact with the city via an arrest or other business. Additionally, Columbus is collaborating with Legal Aid to determine what additional safeguards are necessary for domestic violence victims who may have been exposed or require assistance with civil protection orders.

The city has not yet paid the hackers, who were seeking $2 million in ransom.

'He's Not Edward Snowden'

Those who study cybersecurity law were surprised when Columbus filed a civil lawsuit against the researcher.

Lawsuits against data security researchers are rare, according to Raymond Ku, professor of law at Case Western Reserve University. When such lawsuits do occur, it is typically due to allegations that the researcher has disclosed how a flaw can be exploited, allowing others to do the same.

Kyle Hanslovan, CEO of cybersecurity company Huntress, stated that he was troubled by the city of Columbus's response to the breached data and its potential implications for future breaches. Unlike Edward Snowden, who was a government contract employee who leaked classified information and faced criminal charges but considered himself a whistleblower, Goodwolf is a Good Samaritan who independently found the breached data.

It seems that we have silenced a security researcher who only did the minimum to confirm that the official statements were false. This cannot be an appropriate use of the courts, according to Hanslovan, who predicts that the case will be overturned quickly.

During a September press conference, Columbus City Attorney Zach Klein stated that the case was not related to freedom of speech or whistleblowing, but rather concerned the illegal downloading and disclosure of confidential criminal investigation records.

Hanslovan expressed concern about the ripple effect where cybersecurity consultants and researchers are hesitant to do their jobs due to the fear of being sued. He believes that this could be a new playbook for hacking response, where individuals are silenced, which should not be welcomed. Hanslovan stated that silencing any opinion, even for 14 days, could prevent something credible from coming to light, which terrifies him. He believes that the voice needs to be heard, and as bigger cybersecurity incidents arise, he is worried that people will be more focused on bringing them to light rather than addressing the root cause of the problem.

NexaTech Ventures founder Scott Dylan believes that the actions of the city of Columbus could have a chilling effect on the field of cybersecurity.

In the future, this case will likely be cited in discussions about the role of researchers following data breaches, according to Dylan.

He argues that legal frameworks need to adapt to the complexity of cyberattacks and the ethical quandaries they present, and Columbus's approach is incorrect.

Although Goodwolf and Columbus reached an agreement last week regarding the distribution of information, the city is still pursuing a civil lawsuit against him for damages, which could potentially result in a payout of $25,000 or more. Goodwolf is currently representing himself in negotiations with the city, but has a lawyer on standby if necessary.

A class-action lawsuit has been filed by some residents against the city. Goodwolf reports that 55% of the breached information has been sold on the dark web, while 45% is accessible to anyone with the necessary skills.

Dylan believes that the city's actions, while legally defensible, may harm public trust and increase the likelihood of future litigation by creating the perception of an attempt to stifle discourse rather than promote transparency.

Goodwolf stated that he hopes the city recognizes the error of filing a civil suit and the potential consequences for security. He pointed out that Intel is constructing a $1 billion facility in a Columbus suburb, and the city's recent actions of attacking white hats and cybersecurity researchers could harm its reputation as a tech hub in the Midwest.

by Kevin Williams
