An Ohio judge has issued a temporary restraining order against a security researcher who presented evidence that a recent ransomware attack on the city of Columbus resulted in vast amounts of sensitive personal data being stolen, contradicting claims made by city officials.
The order was issued by a judge in Franklin County, Ohio, after the city of Columbus fell victim to a ransomware attack on July 18 that siphoned 6.5 terabytes of the city's data. A ransomware group called Rhysida claimed responsibility for the attack and offered to auction the data with a starting bid of about $1.7 million in bitcoin. On August 8, after the auction failed to attract a bidder, Rhysida said it released about 45 percent of the stolen data on the group's dark web site, which is accessible to anyone with a TOR browser.
The dark web is not easily accessible to the public – really?
Columbus Mayor Andrew Ginther said on August 13 that a “breakthrough” in the city's forensic investigation into the data theft revealed that the sensitive files Rhysida obtained were either encrypted or corrupted, making them “unusable” to the thieves. Ginther further said that the lack of integrity of the data was likely the reason the ransomware group was unable to auction the data.
Shortly after Ginther made his remarks, security researcher David Leroy Ross contacted local news outlets and presented evidence showing that the data released by Rhysida was fully intact and contained highly sensitive information about city employees and residents. Ross, who uses the pseudonym Connor Goodwolf, presented screenshots and other data showing that the files released by Rhysida contained names from domestic violence cases as well as social security numbers of police officers and crime victims. Some of the data spanned several years.
On Thursday, the city of Columbus sued Ross for damages for criminal conduct, invasion of privacy, negligence and civil conversion. The suit claimed that downloading documents from a dark web site run by ransomware attackers was equivalent to “interacting” with them and required special expertise and tools. The suit also denounced Ross for alerting reporters to the information, which it said was not easily accessible to others.
“Only individuals who are willing to navigate the dark web and interact with the criminal elements, and who also have the computer skills and tools necessary to download data from the dark web, can do so,” prosecutors wrote. “The data posted on the dark web is not readily available to the public. The defendant ensures that this is so.”
That same day, a Franklin County judge granted the city's request for a temporary restraining order against Ross, prohibiting the researcher from “accessing, downloading, and/or distributing city files posted on the dark web.” The request was filed and granted “ex parte,” meaning in secret, before Ross learned of it or had a chance to present his case.
In a press conference on Thursday, Columbus City Attorney Zach Klein defended his decision to sue Ross and seek the injunction.
“This is not about freedom of speech or whistleblowing,” he said. “This is about downloading and disclosing stolen criminal investigation documents. This effect is intended [Ross] to stop the downloading and publication of stolen criminal records in order to protect public safety.”
The Columbus District Attorney's Office did not respond to emailed questions. However, it issued the following statement:
The lawsuit filed by the City of Columbus relates to stolen data that Mr. Ross downloaded from the dark web onto his own, local device and shared with the media. In fact, several media outlets used the stolen data provided by Ross to go door-to-door and contact people using the names and addresses contained in the stolen data. As has since been widely reported, Mr. Ross also showed several news outlets stolen, confidential city data that he says reveals the identities of undercover investigators and crime victims, as well as evidence from ongoing criminal investigations. Sharing this stolen data puts public safety and the integrity of the investigation at risk. The injunction issued by the court prohibits Mr. Ross from distributing the city's stolen data. Mr. Ross can still speak freely about the cyber incident and even describe what kind of data is on the dark web – he just cannot disseminate that data.
Attempts to reach Ross for comment were unsuccessful. Emails to the Columbus mayor's office went unanswered.
As seen above in the screenshot from the dark web site Rhysida from Friday morning, the sensitive data remains available to anyone who looks for it. While Friday's order may prohibit Ross from accessing the data or sharing it with reporters, it will have no impact on those who would want to use the data for malicious purposes.