Date: 2021-07-13
Twenty-seven Social Security numbers were released onto the dark web by the hackers behind the ransomware attack on the city of Tulsa, officials announced Tuesday.
The Social Security numbers were included in the nearly 19,000 files — most of them online police reports completed by residents — that hackers made public in June, nearly two months after the April 21 attack on the city’s computer systems.
Michael Dellinger, the city’s chief information officer, said the city is sending letters to each person whose Social Security number was released. The city has also established an online search tool residents can use to determine whether their personal information has been made public.
The lookup tool is available at cityoftulsa.org/cyber.
“Basically, citizens can go online, and they can enter two identifying pieces of information, like their name, their date of birth, into a search, and it will tell them what was released, like their name, their address, their ZIP code, things like that,” Dellinger said.
The online police reports that were made public date from Jan. 1, 2015, through May 6, 2021 — the day the city became aware of the attack and shut down its systems.
Dellinger encouraged those using the lookup tool to do multiple searches using different personal identifiers to ensure that the search is as thorough as possible.
Other personal information from the online police reports made public by the hackers includes names, addresses, dates of birth and driver’s license numbers.
“I would like to stress that if your information was released on the dark web, you should take precautions,” Dellinger said. “You should contact all three credit bureaus and issue a credit freeze or a fraud alert. You should monitor your financial accounts and credit reports.
“And you should get with your credit and debit card companies and consider issuing fraud alerts.”
Dellinger said the city should have its computer systems fully restored by Sept. 15, about six weeks earlier than expected. Nearly all of the city’s out-facing services are back online, as are all public safety systems.
The hackers breached the city’s computer system through what appeared to be an innocuous email with a PDF attached, Dellinger said.
“Then they actually have codes behind that document that in essence embeds itself into your organization and beacons,” he said. “Basically, it will beacon out for somebody to connect, and that is actually how they gained entry.”
City officials declined to name the hackers Tuesday, saying they did not want to give the organization any publicity or help to perpetuate its work.
Cybersecurity experts who reviewed data provided by the Tulsa World earlier this month said it is likely the attack was executed by Conti, a network of hackers with roots in Eastern Europe and Russia.
Approximately 40% of the city’s 471 servers were damaged — or encrypted — in the attack and, as of early July, the city had spent $315,000 restoring the system and installing additional security.
“This was a well-crafted attack. Organizations like this tend to customize the attack to your defenses, and that is what happened in this particular case,” Dellinger said. “So what we have done is we have added additional layers onto our actual security protocols as well as added additional monitoring to hopefully catch someone doing this in the future.”
Q&A: How ransomware works
What is ransomware and how does it work?
Ransomware scrambles the target organization's data with encryption. The criminals leave instructions on infected computers for negotiating ransom payments. Once paid, they provide decryption keys for unlocking those files.
Ransomware crooks have also expanded into data-theft blackmail. Before triggering encryption, they sometimes quietly copy sensitive files and threaten to post them publicly unless they get their ransom payments.
What's a supply-chain attack and how does it affect so many of us?
The latest attacks combine a ransomware operation with what's known as a supply-chain attack, which typically involves sneaking malicious code into a software update automatically pushed out to thousands of organizations.
Kaseya says the ransomware affected its product for remotely monitoring networks, but because many of its clients are providers of broader IT management services, a large number of organizations are likely to be affected.
"What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business," said John Hammond of the security firm Huntress Labs. "Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business."
Until now, the best-known recent supply-chain attack was attributed to elite Russian hackers and targeted software provider SolarWinds. But the motive was different; it was a massive intelligence operation targeting government agencies and others, not an attempt to extort money.
How do ransomware gangs operate?
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia and allied countries. Though barely a blip three years ago, the syndicates have grown in sophistication and skill. They leverage dark web forums to organize and recruit while hiding their identities and movements with sophisticated tools and cryptocurrencies like Bitcoin that make payments — and their laundering — harder to track.
Most experts have tied the Kaseya attack to a group known as REvil, the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor, amid the Memorial Day holiday weekend.
Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.
Who is most often targeted?
The scale of the attack affecting Kaseya is not yet clear, but it's already been blamed for closing stores across a grocery chain in Sweden because their cash registers weren't working.
Last year alone in the U.S., ransomware gangs hit more than 100 federal, state and municipal agencies, upwards of 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to the cybersecurity firm Emsisoft. Dollar losses are in the tens of billions.
Accurate numbers are elusive. Many victims shun reporting, fearing the reputational blight.