The dark web is a part of the Internet that isn't indexed by mainstream search engines and requires special browsers like Tor, permissions, software and system configurations to access. It is used to keep Internet activity anonymous and is fertile ground for illegal or criminal enterprises like Play.
The cyber criminal group, which has been active since last year, posted a link to the data, which Brett Callow, a threat analyst with cybersecurity provider Emsisoft, said is available for viewing and download by any user on that system.
"The info is out there, and while at the moment it's on the dark web, there is no way of knowing where else it may appear, or when it may appear," Callow said. "There's no way of knowing how many people have now accessed that data or where and when it may subsequently be reshared."
Play's news feed, which lists six pages of cyber attacks including Lowell, says the data is "Private and personal confidential data, finance, taxes, clients and employee information. For now partially published compressed 5gb. If there is no reaction full dump will be uploaded."
The "reaction" is presumed to be payment of Play's ransomware demand. Callow said demands can range from tens of thousands of dollars to multimillion-dollar payments.
"Ransomware attacks have two parts to them," Callow said. "The first part is that the hackers steal a copy of the data. Then they encrypt and lock the system from those that they've stolen. Then they ask for a ransom that covers two things: Firstly, unlocking the locked systems, and secondly, destroying that stolen data. Or supposedly destroying it."
The city of Lowell, which has not updated its website with the status of the hack since May 5, has also not disclosed the ransomware amount that Play has allegedly demanded.
City Manager Tom Golden said by text Thursday that, "At this time, Lowell continues to work with our partners in the Federal and State law enforcement."
Paying the ransomware demand is no guarantee of a successful outcome, said Callow, but the longer the city holds out, potentially more data could be released.
"The city will be deciding whether it needs to pay," he said. "And then, it's really quite simple. If it does decide that it needs to pay, it will get a decryption key and recover [the data] that way. If they refuse to pay, then Play will probably release the remaining data."
Some hacking cases have resulted in taxpayer or employee financial information ending up online. But the release of sensitive personnel information is more problematic and harder to manage, according to Callow.
"If things like disciplinary records end up online or allegations of sexual assault, for example, that's not fixable," he said. "Once that stuff is out there, it's out there forever."
An internal document sent to city employees by Chief Information Officer Mirán Fernandez, whose Management Information Systems falls under the Finance Department led by Chief Financial Officer Conor Baldwin, said that going forward the rebuilt network will only be accessed via multifactor authentication, a verification system in which users receive a code sent to an external device to gain access to the system.
"The use of [multifactor authentication] on your accounts makes you 99% less likely to be hacked," noted Callow. "It is the single biggest thing that any organization can do to reduce its risk profile. Every organization should be doing it."
As the city works with its cybersecurity partners to address the crisis, Callow said residents can take steps now to protect their data.
"If I was a taxpayer in Lowell, I would be working on the assumption that whatever information the city held about me was now in the hands of cyber criminals," he said. "It is better to be safe than sorry," and he recommended monitoring financial accounts for irregular or suspicious transactions.
Paying to stop the release of more data does not ensure that the data that has been stolen will be destroyed.
"These people are criminals and there's absolutely no reason to believe that they will do what they say they will do," Callow cautioned. "This is an attack that they want to be able to monetize. It's as simple as that."
©2023 The Sun, Distributed by Tribune Content Agency, LLC.