Dive Brief:
- Hackers behind the June ransomware attack on the City of Knoxville, TN, have started publishing stolen data online in a bid to extract a ransom payment, a city spokesperson confirmed to Smart Cities Dive on Monday.
- A screenshot provided to Smart Cities Dive by Brett Callow, a threat analyst at internet security firm Emsisoft, indicates the city's data was hit by DoppelPaymer, which steals data and threatens to publish it online if no payment is made. Callow said Knoxville is at least the fourth U.S. city to have its data stolen by a ransomware group this year, following the cities of Torrance, CA; Pensacola, FL; and Florence, AL, which paid almost $300,000 to prevent its data from being published.
- "The City of Knoxville is aware that the threat actor recently began publishing certain data acquired from the City’s computer systems as a result of the recent malware attack," city spokeswoman Kristin Farley told Smart Cities Dive in an email. "The data is being published on a site created by the threat actor to shame victims who choose not to pay the ransom and as additional leverage to seek payment of the ransom. We are working diligently, with the assistance of our third-party computer forensic specialists, to review the data published by the threat actor and confirm the full extent of data that is impacted."
Dive Insight:
The City of Knoxville had been relatively tight-lipped on the extent of the damage caused by the June 11 ransomware attack, repeatedly declining to comment on how it would address the undisclosed ransom demand. In a June 26 statement, the city said it "does not anticipate it will pay the ransom, requested in Bitcoin, to the threat actor," due to a number of factors "including the team-focused technical approach, redundant and diversified IT systems, and quality data backups."
The city said it sought the help of cybersecurity law firm Mullen Coughlin, cybersecurity mitigation company CrowdStrike and others to investigate.
In the screenshot provided to Smart Cities Dive, the hackers said to "Watch for updates," and challenged public assertions from city officials that "no financial or personal information had been accessed or compromised" by publishing files and a list of compromised city computers.
While city officials emphasized in their June 26 statement that the city continued to be "open for business," it took time for some operations to resume. The ransomware attack led to "technical issues" at the Knoxville Police Department that prevented officers from responding to most traffic crashes; those issues were not resolved until June 30.
UPDATE: Knoxville Police Department officers have resumed normal protocol for responding to traffic crashes. https://t.co/XkfegdHTbU
— Knoxville Police TN (@Knoxville_PD) June 30, 2020
The data dump shows the importance of cities protecting their cyber assets, something that has become increasingly difficult amid distributed, remote workforces — and often inconsistent security protocols for devices — during the coronavirus pandemic. The economic consequences can also be enormous: a report from Emsisoft found ransomware attacks impacted at least 966 government agencies, educational establishments and healthcare providers in 2019, costing them more than $7.5 billion in recovery and mitigation.
"Studies and audits have repeatedly shown that US local governments practice security poorly," Callow told Smart Cities Dive in an email. "That needs to change. If it does not, municipalities will continue to have their data — and their residents’ data — stolen and published by ransomware groups."