An Ohio judge has issued a temporary restraining order against a security researcher who provided evidence that large amounts of sensitive personal information were stolen in a recent ransomware attack on the city of Columbus, contradicting claims made by city officials.
The order, issued by a judge in Franklin County, Ohio, came after the city of Columbus was hit by a ransomware attack on July 18 that siphoned off 6.5 terabytes of city data. A ransomware group known as Rhysida claimed responsibility for the attack and offered to auction off the data with a starting bid of about $1.7 million in bitcoin. On Aug. 8, after the auction failed to attract a bidder, Rhysida said it posted about 45 percent of the stolen data to the group’s dark web site, which is accessible to anyone with a TOR browser.
Isn't the dark web just open to the public?
Columbus Mayor Andrew Ginther said on August 13 that a “breakthrough” in the city's forensic investigation into the breach showed that the sensitive files Rhysida obtained were encrypted or corrupted, making them “unusable” to the thieves. Ginther went on to say that the lack of data integrity was likely the reason the ransomware group was unable to auction the data.
Shortly after Ginther made his comments, security researcher David Leroy Ross contacted local news organizations and presented evidence showing that the data Rhysida had posted was fully intact and contained highly sensitive information about city employees and residents. Ross, who goes by the alias Connor Goodwolf, presented screenshots and other data showing that the files Rhysida had posted contained names of domestic violence cases and Social Security numbers of police officers and crime victims. Some of the data spanned years.
On Thursday, the city of Columbus sued Ross, alleging damages for criminal misconduct, invasion of privacy, negligence and civil conversion. The lawsuit alleged that downloading documents from a dark web site run by ransomware attackers amounted to “interaction” with them and required special expertise and tools. The lawsuit went on to challenge Ross to alert reporters to the information, which ii claimed would not be easily obtainable by others.
“Only individuals willing to navigate and interact with the criminal elements on the dark web, and who also have the computer skills and tools necessary to download data from the dark web, would be able to do so,” city attorneys wrote. “Data placed on the dark web is not readily available for public use. Defendant makes it so.”
That same day, a Franklin County judge granted the city’s request for a temporary restraining order against Ross. It prohibits the researcher from “accessing, and/or downloading and/or distributing” city files posted on the dark web. The request was filed and granted “ex parte,” meaning in secret before Ross knew about it or had a chance to present his case.
During a press conference Thursday, Columbus District Attorney Zach Klein defended his decision to charge Ross and obtain a restraining order.
“This is not about freedom of speech or whistleblowing,” he said. “This is about downloading and disclosing stolen criminal investigation data. This effect is to [Ross] to stop the downloading and disclosure of stolen criminal record data to protect public safety.”
The Columbus city attorney's office did not respond to emailed questions. It did provide the following statement:
The lawsuit filed by the City of Columbus relates to stolen data that Mr. Ross downloaded from the dark web to his own local device and distributed to the media. In fact, multiple media outlets used the stolen data Ross provided to go door to door, contacting individuals using names and addresses contained in the stolen data. As has now been widely reported, Mr. Ross has also stolen confidential city data from multiple news outlets, showing them evidence of ongoing criminal investigations and revealing the identities of undercover officers and crime victims. Sharing this stolen data threatens public safety and the integrity of investigations. The temporary restraining order granted by the court prohibits Mr. Ross from distributing any of the city’s stolen data. Mr. Ross is still allowed to speak freely about the cyber incident and even describe what kind of data is on the dark web – he is just not allowed to distribute it.
Attempts to reach Ross for comment were unsuccessful. Emails sent to the Columbus mayor's office went unanswered.
As seen above in the screenshot of the Rhysida dark web site on Friday morning, the sensitive data remains available to anyone who searches for it. Friday’s order may prohibit Ross from accessing the data or distributing it to reporters, but it has no effect on those who intend to use the data for malicious purposes.
