The City of Tulsa has notified residents that some of their personal information may be on the dark web thanks to a ransomware attack last month by prolific cybercriminal group Conti.
In a statement posted to the city’s website this week, the city said more than 18,000 city files — mostly police citations and internal department files — were shared on the dark web. Names, dates of birth, addresses and license numbers are on all police citations.
“No other files are known to have been shared as of today, but out of an abundance of caution, anyone who has filed a police report, received a police citation, made a payment with the City, or interacted with the City in any way where PII was shared, whether online, in-person or on paper, prior to May 2021, is being asked to take monitoring precautions,” the city said in a statement to its 500,000 residents.
Tulsa’s Incident Response Team is working with federal law enforcement on the breach but is still struggling to restore services and resources that were heavily damaged by the attack. The ransomware attack brought down the city’s public-facing systems, internal communications and network access functions. The city admitted that it prioritized restoring systems over everything else.
The city notified residents that on May 6, multiple servers “were actively communicating with a known threat site and a ransomware attack was initiated on several City systems.” Tulsa Mayor G.T. Bynum said the city would refuse to pay a ransom and instead shut down all of the city’s systems.
The city’s online bill payment systems were shut down along with utility billing and any services through email. All of the websites for the Tulsa City Council, Tulsa Police, the Tulsa 311 and the City of Tulsa were shut down as part of the effort to contain the attack.
Tulsa was forced to resort to phone services as a way to make up for the lack of online services. Residents were told to prepare for weeks, if not months, of city websites being down.
Tulsa suggested concerned residents visit the Oklahoma Department of Consumer Credit website. The city also said residents need to monitor all financial accounts and credit reports, change passwords to personal accounts and contact credit or debit card companies about fraudulent charges.
Cybersecurity experts said the leakage of police citations and reports could provide any malicious actor with enough information to do serious damage.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said that while the reports did not contain Social Security numbers, there was still enough information that could be leveraged to create incredibly powerful social engineering lures to fool victims into sending money.
“The disclosure of police records can be used to construct convincing stories to trick unsuspecting victims or their families into paying fake fees or fines by claiming to be lawyers or court representatives,” Clements said. “Even normally scam savvy people may be fooled if a fraudster has enough detailed information.”
Conti has made a name for itself after attacking hundreds of healthcare institutions, most notably bringing down significant parts of Ireland’s healthcare system earlier this year.
The FBI said last month that Conti has also gone after first responder networks, law enforcement agencies, emergency medical services, 911 dispatch centers, and multiple municipalities within the last year.
“These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the US,” the FBI said.
Erich Kron, security awareness advocate at KnowBe4, said Conti has repeatedly shown “a blatant disregard for the authority of law enforcement as they continue their attacks on these vital services.”
“Even after the shutdown of the Darkside gang, the arrests in the takedown of the Clop group, and even in light of the Ziggy ransomware gang providing all of their encryption keys for victims due to the fear of law enforcement actions, Conti continues their attacks without skipping a beat,” Kron said.
“Because Conti’s typical attacks begin with email phishing or stolen Remote Desktop Protocol credentials, organizations looking to defend themselves against the threat should concentrate on these attack vectors.”
He added that organizations need to review the security related to any RDP instances they have deployed, paying special attention to securing against brute force attacks, spotting unusual login times or attempts from unusual locations and ensuring that unusual behavior through these portals is quickly reported to security.
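The three RDP checks Kron describes (brute-force attempts, logins at unusual times, logins from unusual locations) can be expressed as simple detection logic over Windows Security logon events. The example below is added here for illustration and is not code from the article, KnowBe4, or the City of Tulsa. It uses the real Windows event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP), but the event records, usernames, hostnames, IP addresses, business-hours window and "known" corporate ranges are all constructed assumptions; in practice the records would come from a SIEM or from `Get-WinEvent` on the RDP hosts.

```python
"""Flag suspicious RDP logon activity in Windows Security logon events.

Added example (not from the original article). Event IDs and logon type are
real Windows values; all sample data, hosts, users and networks are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

EVENT_LOGON_OK = 4624      # An account was successfully logged on
EVENT_LOGON_FAIL = 4625    # An account failed to log on
RDP_LOGON_TYPE = 10        # RemoteInteractive (RDP / Terminal Services)

BUSINESS_HOURS = range(7, 19)                 # assumption: 07:00-18:59 local
KNOWN_SOURCE_NETS = [                          # assumption: corporate LAN + VPN pool
    ip_network("10.0.0.0/8"),
    ip_network("198.51.100.0/24"),
]

# Constructed sample events (fields mirror the 4624/4625 XML data).
SAMPLE_EVENTS = [
    {"time": "2021-05-05T02:14:01", "event_id": 4625, "logon_type": 10, "user": "jdoe",   "src_ip": "203.0.113.45", "host": "RDP-GW01"},
    {"time": "2021-05-05T02:14:09", "event_id": 4625, "logon_type": 10, "user": "jdoe",   "src_ip": "203.0.113.45", "host": "RDP-GW01"},
    {"time": "2021-05-05T02:14:20", "event_id": 4625, "logon_type": 10, "user": "jdoe",   "src_ip": "203.0.113.45", "host": "RDP-GW01"},
    {"time": "2021-05-05T02:14:33", "event_id": 4625, "logon_type": 10, "user": "jdoe",   "src_ip": "203.0.113.45", "host": "RDP-GW01"},
    {"time": "2021-05-05T02:14:47", "event_id": 4625, "logon_type": 10, "user": "jdoe",   "src_ip": "203.0.113.45", "host": "RDP-GW01"},
    {"time": "2021-05-05T02:14:50", "event_id": 4625, "logon_type": 3,  "user": "jdoe",   "src_ip": "203.0.113.45", "host": "FILE01"},   # SMB, not RDP: ignored
    {"time": "2021-05-05T02:15:02", "event_id": 4624, "logon_type": 10, "user": "jdoe",   "src_ip": "203.0.113.45", "host": "RDP-GW01"},
    {"time": "2021-05-05T03:00:00", "event_id": 4625, "logon_type": 10, "user": "admin",  "src_ip": "192.0.2.9",    "host": "RDP-GW01"},
    {"time": "2021-05-05T03:00:30", "event_id": 4625, "logon_type": 10, "user": "admin",  "src_ip": "192.0.2.9",    "host": "RDP-GW01"},
    {"time": "2021-05-05T09:03:12", "event_id": 4624, "logon_type": 10, "user": "asmith", "src_ip": "10.20.30.40",  "host": "RDP-GW01"},
    {"time": "2021-05-05T13:45:10", "event_id": 4625, "logon_type": 10, "user": "bjones", "src_ip": "10.20.30.41",  "host": "RDP-GW01"},
    {"time": "2021-05-05T13:45:30", "event_id": 4624, "logon_type": 10, "user": "bjones", "src_ip": "10.20.30.41",  "host": "RDP-GW01"},
    {"time": "2021-05-05T22:10:00", "event_id": 4624, "logon_type": 10, "user": "asmith", "src_ip": "198.51.100.7", "host": "RDP-GW01"},
]


def _parse(events):
    """Keep only RDP logon events, convert types, and sort chronologically."""
    out = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE or e["event_id"] not in (EVENT_LOGON_OK, EVENT_LOGON_FAIL):
            continue
        out.append({**e, "time": datetime.fromisoformat(e["time"]), "src_ip": ip_address(e["src_ip"])})
    return sorted(out, key=lambda e: e["time"])


def _summary(e):
    return {"time": e["time"].isoformat(), "user": e["user"], "src_ip": str(e["src_ip"]), "host": e["host"]}


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with >= threshold failed RDP logons inside a sliding window.

    Also records whether a successful logon from the same IP followed within
    the window, which is the case that most needs immediate triage.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in _parse(events):
        bucket = failures if e["event_id"] == EVENT_LOGON_FAIL else successes
        bucket[e["src_ip"]].append(e["time"])

    alerts = []
    for ip, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:       # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                first, last = times[start], t
                followed = any(first <= s <= last + window for s in successes.get(ip, []))
                alerts.append({"src_ip": str(ip), "failures": end - start + 1,
                               "first": first.isoformat(), "last": last.isoformat(),
                               "success_followed": followed})
                break                              # one alert per source IP
    return alerts


def detect_off_hours(events, business_hours=BUSINESS_HOURS):
    """Successful RDP logons outside the assumed business-hours window."""
    return [_summary(e) for e in _parse(events)
            if e["event_id"] == EVENT_LOGON_OK and e["time"].hour not in business_hours]


def detect_unknown_source(events, known_nets=KNOWN_SOURCE_NETS):
    """Successful RDP logons from addresses outside the known corporate/VPN ranges."""
    return [_summary(e) for e in _parse(events)
            if e["event_id"] == EVENT_LOGON_OK and not any(e["src_ip"] in n for n in known_nets)]


def run_all(events=SAMPLE_EVENTS):
    return {
        "brute_force": detect_brute_force(events),
        "off_hours": detect_off_hours(events),
        "unknown_source": detect_unknown_source(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {len(hits)} alert(s)")
        for h in hits:
            print("  ", h)
```

On the sample data this raises one brute-force alert for `203.0.113.45` (five failures in under a minute, followed by a success), two off-hours alerts (the 02:15 logon from that same address and a 22:10 logon over the assumed VPN range), and one unknown-source alert; the two failures from `192.0.2.9` stay below the threshold and the SMB failure is excluded by the logon-type filter. Thresholds, the business-hours window and the known ranges are exactly the parameters a team should tune per environment before wiring the output to whatever channel gets it to security quickly.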