The Rhysida ransomware group has posted an auction for Hernando County’s data on the dark web. The auction ends early Thursday, April 18, 2024. They are asking for 40 bitcoins, or $2.8 million, and state that low offers will be ignored.
The site also claims that they will only sell the data once, so whoever buys it will have exclusivity. If they sold the data many times, their victims would be less likely to pay the ransom. The ransomware groups want to pressure their victims into paying and often release parts of the data to hurt the victim and serve as a warning to others.
Getting access to the dark web is similar to gaining access to a speakeasy. You go to a place that someone tells you and knock on the door and they let you in. You have to know the right places to go. The dark web is the same idea for the Internet.
Brett Callow, a threat analyst for Emsisoft, saw the Hernando Sun’s reporting that Hernando County’s IT outage was potentially a ransomware attack and provided evidence that it was, in fact, a ransomware attack. He tweeted a screenshot of the county’s data auction. He also provided us with a link to a location that had the Tor onion address of the auction, which allowed us to verify the information provided. Tor is a network that creates anonymity for its users.
The Rhysida ransomware group provides screenshots of some of the data they have taken. There were several screenshots of email inboxes (including emails, inmate listings, background checks, and accounting). In addition, there were images of a tax bill, budgeting documents, resolutions, and W-9 forms. Some of the other screenshots were illegible.
It seems that the ransomware group had difficulty figuring out which documents were sensitive. They showed multiple financial records, but those are public records under the Sunshine Laws. This is also true for the budgeting documents and the resolutions, which, prior to the ransomware attack, were publicly available to download. They also had property appraiser and tax bill information, but much of that is public as well. For many private companies, financial information like this is a closely guarded secret, but because of the level of transparency required of Florida county governments, this information is already available to the public.
The W-9 forms are more problematic, as they can contain Social Security information. Vendors for the county that used their Social Security number rather than an Employer Identification Number (EIN) probably should monitor their credit closely.
The emails could contain sensitive data, for example, emails regarding background checks. There was some banking information, including routing and account numbers for vendors.
The good news is that many of the screenshots that were shown were of financial information that is publicly available. They did not show screenshots of credit card information, although that does not mean that they do not have it.
The Hernando County Clerk’s Office has a program called Property Fraud Alert. According to the Clerk’s website, “Property Fraud Alert is a free service that alerts subscribers when a mortgage, deed or other land document is recorded in their name in Hernando County’s official records. Notifications are emailed within 24 hours of the document being recorded.” This is a good idea since it prevents someone from easily being able to fraudulently apply for a loan on your property or transfer the deed. To find out more, visit https://hernandoclerk.com/additional-services/search-official-records/.
Everyone in the county needs to monitor their credit and credit cards for fraudulent activity. We do not know how many individuals and organizations have had sensitive information compromised from this ransomware attack, but there could be attempts to steal money or identities with whatever information has been taken.
It is important to note that getting ransomware is similar to a bank getting robbed. It can happen even though you are doing everything you can to prevent it. Your security is only as good as all your people on their worst day. Someone can click on the wrong email and download a dangerous file, because they were rushing and not paying attention. You cannot prevent every possible attack, but you can manage the risk and make attacks more difficult.
Correction: The name of the program that the Clerk provides was updated from Title Lock to Property Fraud Alert. The official name of the program was not available at the time of writing this article as the Clerk’s site was still down.