Ransomware group Conti likely responsible for city's cyber attack, experts say

The hackers behind the ransomware attack on the city of Tulsa in late April likely are associated with a group known as Conti, according to cybersecurity experts.

The Tulsa World asked multiple cybersecurity firms to review information it has gathered regarding the source of the attack to verify its authenticity.

The records include data from the “dark web” site on which hackers made public in June more than 18,000 city files. City officials have said previously that the attack occurred April 21 and was detected May 6.

The cybersecurity experts said that although online information can always be manipulated, the records provided by the Tulsa World strongly suggest that Conti was behind the attack.

“This is Conti’s,” Brett Callow, a threat analyst with Emsisoft, said of the data provided by the Tulsa World.

Chester Wisniewski, principal research scientist for Sophos, a cybersecurity firm based in Great Britain, also said the evidence he reviewed indicates that Tulsa was victimized by Conti.

“It sounds like it was incredibly likely that it was Conti, and the fact that some of the files are posted on the site means that the city did not make a payment,” Wisniewski said.

“It’s unknown how many different groups are out there doing this, but Conti is sort of one of the more famous ones for doing high-profile hacks like this.”

Mayor G.T. Bynum has said previously that the city did not pay a ransom to the attackers and that law enforcement officials have identified them.

City spokeswoman Michelle Brooks said this week that she could neither deny nor confirm Conti’s involvement in the attack because it is still under investigation.

Wisniewski described Conti as part of a sort of pyramid sales scheme in which less sophisticated hackers send out mass malware attacks hoping to find weak links in computer systems and then sell the weak links to more sophisticated operations such as Conti.

“Conti is sort of a brand name for the people who wrote the computer malware that locks up the computers and collects the ransom,” Wisniewski said. “And then they have affiliates that actually break into the victims and then they split the proceeds if they pay the ransom.”

Most of Conti’s operations appear to originate in Eastern Europe and Russia, Wisniewski said, but by no means is its network of hackers limited to that part of the world.

“We know that groups like Conti look to be Russian or certainly Russian speaking, but their affiliates could be anywhere in the world, and we have seen people arrested in Czechoslovakia, in Canada, in the United States, in Australia, in other places that have been part of that criminal network, even if they weren’t the masterminds,” Wisniewski said. “So clearly these are global criminal organizations.”

City officials recently said it would be another two months before all of the city’s core computer systems are up and running, with complete restoration of the systems expected in October.

Michael Dellinger, the city’s chief information officer, said approximately 40% of the city’s 471 servers were damaged — or encrypted — in the attack and that about 20% of the city’s more than 5,000 desktop and laptop computers were damaged.

The FBI’s Cyber Division issued an advisory in May warning of Conti’s reach in the United States.

The FBI has identified at least 16 Conti ransomware attacks targeting health care and first-responder networks within the last year, including law enforcement and municipalities, according to the advisory.

Conti’s playbook, as described by the FBI, is in keeping with what city officials have described Tulsa as having experienced.

“Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victims,” the FBI advisory states. “The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors.”

Callow said there are upward of 30 groups that routinely steal data and use the threat of making it public to extort payment from their victims.

In the United States this year, at least 38 local governments have been affected by ransomware so far, Callow said, and data have been stolen and released online in 22 of those cases.

In 2020, 113 local governments were hit with ransomware attacks, and data from those attacks were released online 24 times, Callow said.

Tulsa officials announced June 22 that more than 18,000 files had been made public by the hackers. Nearly all of those files were online police reports that are already public record and do not contain residents’ Social Security numbers or financial information.

Callow said there is no way to know whether more stolen files would be made public.

“They have released 18,000 files. Whether that is 1% or 100% of what they stole, I have no idea,” Callow said.

Related video: The city's chief information officer gives a recent update on the ransomware attack

The attack is still affecting city operations, said Michael Dellinger, the city’s chief information officer, in a Wednesday news conference. But core systems should be up and running within two months.