A social media post on X, formerly known as Twitter, shows that ransomware hacker organization BlackSuit claims to have released a 129-GB file of the city's data. City officials said last week they are aware of this alleged release but declined to verify the accuracy of the claim.
"It took a long time to download information from the dark web to determine what personal information, if any, was obtained by the threat actors," City Manager Rick Dzik said Thursday. "That file is currently being reviewed by our forensic investigator."
Dzik said last week that any residents whose personal information is found to have been compromised will be provided credit monitoring services by the city.
General credit monitoring services are available through numerous public vendors. These services keep an eye on your credit report for potentially fraudulent activity, alerting you of any suspicious changes. Some monitoring, like that provided through Experian, can be accessed for free.
Dzik said it is unknown the specific type of data that could have been stolen during the ransomware attack, which was discovered on the morning of Nov. 12, but that it could vary from low- to high-risk material.
"I don't want to speculate on what may have been released before we know for sure," he said. "Generally, any data on city servers/computers is at risk, from innocuous letters, memos, and day-to-day work product, to personal information."
Days after the attack was discovered, Dzik had said the investigation into the incident could take multiple weeks to complete.
Dzik said as of this week, the city is fully operational, though mainly on temporary devices.
"We are working this week to restore all city computers and servers and expect to be back to normal with all city devices operational early next week," he said Thursday.
Reports have shown over 70% of all ransomware attacks are targeted toward cities and local governments, according to Matthew Torres, a senior account executive for Acrisure Cyber Services, a managed security service provider that specializes in cybersecurity.
In the Dayton area, the most significant ransomware incidents involving a local government took place in 2018 when cyber attacks on the city of Riverside's fire and police department servers shut down the police department's records management system used to create and store investigative reports.
Ransomware is a type of malware that encrypts, or locks, digital files and demands a ransom payment — usually by cryptocurrency — to release them, according to the FBI. Ransomware hackers claim they will give you the "key" to recover your data if you pay, but there are no guarantees.
As a result of the two attacks, which took place in April and May 2018, the Ohio Attorney General's Office revoked the city's access to a backup system on the Ohio Law Enforcement Gateway, a statewide computer database operated by the AG's Bureau of Criminal Investigation. This further hindered the department, preventing officers from creating digital reports altogether.
CYBERSECURITY A GROWING RISK
There has been a continuing upward trend in the number of cyber attacks, with some industry experts reporting an estimated 37% spike in ransomware attacks in 2023, as reported by Massachusetts-based cybersecurity company Recorded Future.
As the volume of attacks increase, so too does the amount of money being demanded by hackers from victims, Torres said.
Local governments are in possession of residents' private information and are often not equipped, whether financially or technologically, to adequately protect against these risks, he said.
"In our digital world, this data is gold and can be sold easily on the dark web," Torres said. "Oftentimes, these governments are underfunded and do not have appropriate IT resources to protect themselves from an evolving threat landscape, which makes them the perfect target for hackers."
According to Torres, step one in combatting cybersecurity issues is to educate and train staff members.
"The human element will always be the weakest link in the security chain," he said.
Torres noted other best practices include implementing multi-factor authentication, adhering to strong password requirements, and ensuring all systems, assets and applications are being updated frequently with the newest security patches.
If possible, organizations should implement a "Zero-Trust" security strategy. This model assumes all individuals, devices, and services that are attempting to access company resources, even those inside the network, cannot automatically be trusted, requiring users to be verified each time they request access.
"Cities and organizations also need to approach security from a layered perspective," he said. "Having a variety of tools that are designed to protect specific portions of the network and infrastructure will be crucial."
In the years since the attacks on its systems, Riverside officials say the city has made regular updates and improvements to its cybersecurity in an effort to keep up with the latest hacking strategies.
"We have made investments in trying to modernize our network, utilize cloud-based services, regularly train employees about spam/phishing attempts, and enforce stricter password requirements and access privileges across our IT infrastructure," said current City Manager Joshua Rauch. "This is an ongoing and continual process, and we continue to work with our security specialists to help prevent a future attack and mitigate one should it occur."
VULNERABILITY OF SCHOOL DISTRICTS
Along with cities and local governments, school districts are also growing targets for ransomware attacks.
According to Ohio law firm Bricker and Graydon, this rise may be due in part to things like sparsely available cyber-related resources, shifts to virtual learning as a result of Covid-19, underdeveloped incident response plans, and the accessibility of school calendars that can create a predictable set of pressure points allowing for leverage in a ransomware attack.
According to the White House, in the 2022-2023 academic school year, at least eight K-12 districts throughout the U.S. were impacted by significant cyberattacks, four of which forced schools to cancel classes or close completely.
In these situations, student learning loss can add up.
A 2022 U.S. Government Accountability Office report shows the loss of learning following a cyberattack ranged from three days to three weeks, and recovery time can take anywhere from two to nine months.
Responses to these incidents can also be time-consuming and costly, a further detriment to districts that may be underfunded or under-resourced.
This accountability report also shows recovery time can take anywhere from two to nine months, and cost anywhere from $50,000 to $1 million.
A federal initiative launched by the Biden-Harris administration this year aims to strengthen K-12 schools' cybersecurity by facilitating access to funding, resources, guidance, and training for school districts across the country.
Along with increased federal assistance, several technology providers are offering free and low-cost resources to school districts.
One such provider is Cloudflare. Through its new program called Project Cybersafe Schools, more than 9,000 small public school districts across the United States with up to 2,500 students — that's roughly 70 percent of public districts in the country — are now eligible for free cybersecurity services.
PCS aims to help support small K-12 public school districts by providing cloud email security to protect against threats including malware-less business email compromise, multichannel phishing, credential harvesting, and other targeted attacks, according to Cloudflare.
©2023 the Dayton Daily News, Distributed by Tribune Content Agency, LLC.