Update 6.04.2023: BlackByte attacks City of Augusta, GA and demands a ransom of $2 million

Marco A. De Felice aka amvinfe, 06/01/2023. Tags: BlackByte, City of Augusta, Garnett L. Johnson, Georgia, Mayor, Ransomware
Update 6.04.2023
On June 2 the Mayor of the City released a new statement listing the city services that are once again available to the citizens of Augusta:

Public Safety – all essential functions are operational (911, fire, Animal Services)
Augusta 311 – a non-emergency service that the City Council makes available to residents, businesses and visitors with complaints and problems concerning any department in Augusta-Richmond County
Augusta Transit – offers transportation access to all regions of Augusta-Richmond County
Augusta Utilities – provides water and wastewater service for the citizens of Augusta
Environmental Services
Finance Department – provides information to the Board of Commissioners and the Administrator to improve decision-making and promote the long-term financial well-being of the County
Planning & Development
Tax Commissioner’s Office “[…] For now, the office only handles motor vehicle transactions, such as time card renewal payments […]”
Mayor Garnett L. Johnson’s statement goes on to confirm that Augusta is not in talks with the BlackByte ransomware group, and reiterates that the city is committed to taking all appropriate steps to notify any individuals identified as affected.

SuspectFile.com has already been able to establish, as we report in the article, that the 10 GB of data put online by BlackByte contain dozens of people whose identities have been disclosed. In some cases the published documents describe situations of hardship or danger of some citizens of Augusta; in others, their health conditions are visible.

So it is a good thing that Augusta’s institutions are identifying and notifying the people concerned, but we repeat once again that some of these documents are already visible in the more than 10 GB of data still online (10,797 files and 3,093 folders).

Finally, we wonder what the Mayor means when he declares:

[…] Our Information Technology Department has executed a path forward to restoration, which has allowed Augusta to continue to serve our residents and visitors, despite our technology challenges.

Precisely what “restoration” is Mayor Garnett L. Johnson referring to?

We will continue to follow the story and will keep you informed of any news.



In this article we will address not only the attack carried out by BlackByte on the IT systems of the City of Augusta, the theft of tens of GB of data and the real amount of the ransom demanded by the ransomware group. Above all, we will describe the negligence and errors of a senior employee of the IT department: his poor management and protection of the data of the city’s employees and citizens, and his lack of supervision.
What happened in the management of the IT department, a strategic department of fundamental importance for any public institution, is shocking, especially because the person in charge of managing and monitoring the security of the computer systems disregarded the simplest and most important rules that a Network Administrator could, indeed should, have been the first to respect.
The BlackByte ransomware group had been inside the computer systems of the City of Augusta since at least May 21; the confirmation comes from the modification dates of the exfiltrated documents, although we believe that access to the servers may have occurred several days earlier.

File modified date
Mayor Garnett L. Johnson said in a May 24 statement posted on Augusta’s official website that the city’s computer systems were experiencing technical difficulties and that an internal investigation had revealed unauthorized access to network servers.

In the May 24 statement, the Mayor also said that the IT department was investigating the incident and had no confirmation at the time that sensitive data had been compromised by the ransomware group.

The City of Augusta, GA began experiencing technical difficulties this past Sunday, May 21, 2023, unrelated to last week’s outage, resulting in a disruption to certain computer systems. We began an investigation and determined that we were the victim of unauthorized access to our system […]

[…] We are also actively investigating to determine whether any sensitive data may have been impacted. At this time, we have not confirmed that any sensitive data was compromised […]

In a new statement on May 25, the Mayor of Augusta let his citizens know that the $50 million ransom reported by some media in the days following the cyber attack was not the real amount demanded by the BlackByte group.

Recent media reports regarding Augusta, Georgia being held hostage for $50 million in a ransomware attack are incorrect.

Augusta’s Information Technology Department continues to work diligently to investigate the incident, to confirm its impact on our systems, and to restore full functionality to our systems as soon as possible. We continue to investigate what, if any, sensitive data may have been impacted or accessed […]

On May 26, in a new statement, the Mayor confirmed that a cybercriminal group is claiming responsibility for the event and is in possession of Augusta’s data. The statement on the institutional website specifies that Augusta is not in contact with the ransomware group. Further on, the Mayor claims he has no knowledge of the ransom amount, but this is not what SuspectFile.com knows.

Mayor Garnett L. Johnson declares that at the moment he does not know the real impact in terms of possible loss of sensitive data. Here too we do not agree with the Mayor’s statement, because in the 10 GB of proof data published by BlackByte we were able to inspect hundreds of files containing sensitive data.

Regarding the ransom amount, we asked BlackByte directly to verify whether what the Mayor declared was true. Here is what the ransomware group replied:

Hello Marco.

We would not ask that amount, 50M, from Augusta; the reason is, they don’t really have that kind of numbers. And even if they had those numbers, I don’t believe they’re going to pay.

In other words, we are not asking for an amount that we know a Company could not pay.

Well, I don’t know who brings those numbers to the media. No one from Augusta contacts us so they can figure out our terms.

The price we set up in our chat platform was $2,000,000.

So the initial ransom demand was $2 million and not $50 million, as erroneously reported by some media.

We also asked BlackByte whether Augusta’s IT systems had been accessed through social engineering, for example an email with an infected attachment. Here is what they replied:

We use our own technique and we do not share that.

The ransomware group also let us know that there were no negotiations: in the chat opened by BlackByte to negotiate the ransom, there are no messages from the victim.

This sarcastic message addressed to the administrators and the Mayor of the city has been visible for two days on the BlackByte blog:

BlackByte message
It is from this point that we want to continue this article. We will try to better understand what the real problem of the City of Augusta is at the moment, beyond the 10 GB of proof data put online by BlackByte. Indeed, the ransomware group declares that the published data are not the only data in their hands.

We were able to examine the huge amount of data published by the ransomware group. Almost all of it consists of IT department documents: server recovery procedures, server lists for the Windows, Linux and VMware platforms, Cisco switch management addresses with their location, IP addresses and device names, and much other information on the network infrastructure of the City of Augusta, including system access credentials stored in documents not protected by any password, and therefore usable by anyone who obtains the files.

In the following images, with sensitive data removed, we show only a few examples of the poor protection of data relating to the IT infrastructure; perhaps the worst case we will describe later.

VMware ESX Hosts
Wireless Access
Augusta Regional Airport
Voice Install
Comcast Account No. (three screenshots)
But there is a document we consider even more worrying among those stolen and published by BlackByte on its blog: this file is also unprotected, so the URLs, usernames and passwords of the Network Administrator’s accounts are visible.

Many of these credentials do not even meet basic standards: the passwords are simple and repeated across different accounts. Some of them probably refer to private accounts, which should not have been listed in this file at all.

Password and User Account
During our searches among the files published in the proof data we found an unprotected document with 2,502 records relating to the employees of Augusta:

Full names
Windows Login Account
Department
Email Address
Users Email Address
Another file present in the proof data published by the ransomware group relates to 132 homeless people of the City of Augusta: a document with personal data such as photo, full name, date of birth and many other sensitive data.

HOMELESS CONTACTS
We introduced the article by pointing out the lack of professionalism in the management of the sensitive data of employees and citizens of the Georgia city by the Network Administrator, the very person who should have supervised it.

We found dozens of his personal files residing on the servers of the city’s IT infrastructure:

Medical reports
Health Coverage
Form W-2
Retiree Account Statement (RAS)
and several folders with documents which, in our opinion, should not have resided on the servers of the City of Augusta administration precisely because they are strictly private files. We list some of them:

My Toyota
Military Info
tax2020
tax2021
tax2022
Personal folders
Within some of these documents, not only the personal data of the Network Administrator are visible, but also those of his family members, with name, surname, date of birth and SSN. A document relating to a purchase made on a South Carolina-based e-commerce platform contains his credit card number and security code (the card expired in August 2019), together with his wife’s phone number and email.

order-form
We have written that among the 10 GB of data there are many files attributable to medical services, such as visits and diagnostic tests of the Network Administrator. We have decided to publish only a few examples of file names, without publishing the documents.

Medical documentation
However, there is one medical document whose presence we could not explain, since it was within the proof data of the City of Augusta put online by BlackByte. The health document would appear to belong to a citizen residing in, or in any case born in, Ghana, who holds the important position of MD/CEO of one of the most accredited Ghanaian banks and who in the past held senior management positions at other banks, with additional responsibilities for other West African countries.

Health document
Perhaps there is one last consideration to make on this case. Was the Network Administrator, the person who had to ensure the protection of the data and IT infrastructure of the City of Augusta, satisfied with his job? From what we discovered reading some documents, probably not, but this is only our guess.

In September 2018, the Network Administrator applied for the role of Information Technology Specialist (Infosec/Network Services) at the U.S. Army Cyber Command. Another job he was interested in, in March 2022, was Senior Systems Administrator at Medac Inc. (now a partner of Coronis Health) in North Augusta, South Carolina. In April of the same year he appears to have been interested in the position of Systems Engineer (Network Operations Center) at Savannah River Nuclear Solutions, LLC in Aiken, South Carolina.

On September 7th he wrote an e-mail to the Information Technology Department manager setting the date of his resignation for the 23rd of the same month.

We report some passages of the e-mail that we believe are important precisely for what happened to the City of Augusta:

[…] Thank you very much for the opportunity you’ve given me to learn all about network infrastructure and proper customer service […] I believe the experience has taught me much about network and system administration and how to effectively provide excellent customer service to the employees […]

On September 13, the Information Technology Department sent an e-mail to the Human Resources Department asking them to consider the employee’s letter of resignation:

Per our discussion, Mr. [redacted] (Employee #0[redacted]), [redacted], has tendered his resignation effective September 23rd.

Unfortunately this will be a major loss to the City of Augusta because Mr. [redacted] has been with our department for over [redacted] years and has been an asset. He is leaving for a significant increase in pay.

Mr. [redacted], Deputy [redacted], has spoken with Mr. [redacted] to see if there is anything we can do to counter offer to get him to stay. He is willing to stay for $[redacted]. Therefore, I am asking for your assistance in seeking approval for Mr. [redacted]’s salary to be adjusted from $[redacted] to $[redacted]. I understand he will be ineligible for any of the respective 3% increases scheduled for October and January.

Thank you for your assistance.

[redacted]

This is the answer given by the HR office:

Please send me an RPA with his resignation letter, email it so that I can share it with Administration.
I can get you to $[redacted] without going to Commission.

Let me know if that works for you?

[redacted]

We wonder whether the Mayor and the citizens are aware of all these facts, whether the Mayor of Augusta will issue a statement on the case, and whether he intends to take corrective measures given the mismanagement of such a strategic department for any community.

Even if Augusta has not made direct contact with the ransomware group, it should have already downloaded the 10 GB of data released by BlackByte, checked it for the presence of sensitive data, and figured out whom, if anyone, it needs to notify.
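A defender who receives such a leak has to inventory it the way we did: count the files and folders, find the documents that contain plaintext credentials, Social Security numbers or card numbers, and see which passwords are reused across accounts, because those findings drive both credential rotation and the notification decision. The script below is an added example written for this article, not code from SuspectFile.com, BlackByte or the City of Augusta, and it generalizes the checks to any extracted dump of text files. The sample files it writes to a temporary directory are constructed for the example; the SSNs and card numbers in them are not real identifiers.

```python
"""Triage an extracted leak directory for data that triggers a notification duty.

Added example for this article; not code from SuspectFile.com, BlackByte or the
City of Augusta. The sample files written by build_sample_dump() are constructed
for the example; the numbers in them are not real identifiers.
"""
import os
import re
import shutil
import tempfile
from collections import defaultdict

# SSN layout, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn filters noise.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# "user: jdoe password: Spring2019!" style lines found in admin notes. The lazy
# .*? does not cross newlines, so user and password must be on the same line.
CRED_RE = re.compile(
    r"(?:user(?:name)?|login)\s*[:=]\s*(\S+).*?(?:pass(?:word)?|pwd)\s*[:=]\s*(\S+)",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Return the indicators found in one document's text."""
    ssns = set(SSN_RE.findall(text))
    pans = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.add(digits)
    creds = CRED_RE.findall(text)   # list of (user, password) tuples
    return {"ssn": ssns, "pan": pans, "creds": creds}


def triage_dump(root: str) -> dict:
    """Walk a leak directory and summarize what a notification review needs."""
    files = folders = 0
    hits = {}
    password_owners = defaultdict(set)   # password -> accounts that use it
    for dirpath, dirnames, filenames in os.walk(root):
        folders += len(dirnames)
        for name in filenames:
            files += 1
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue   # unreadable file: skip it rather than abort the scan
            found = scan_text(text)
            for user, pwd in found["creds"]:
                password_owners[pwd].add(user)
            if found["ssn"] or found["pan"] or found["creds"]:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    reused = {p: sorted(u) for p, u in password_owners.items() if len(u) > 1}
    return {"files": files, "folders": folders, "hits": hits, "reused_passwords": reused}


def build_sample_dump() -> str:
    """Write a small constructed dump to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="leak_triage_")
    os.makedirs(os.path.join(root, "IT", "Passwords"))
    os.makedirs(os.path.join(root, "HR"))
    samples = {   # constructed content; not taken from any real leak
        "IT/Passwords/admin-accounts.txt": (
            "Firewall console\nuser: netadmin password: Summer2019!\n"
            "ESX hosts\nlogin=esxadmin pwd=Summer2019!\n"
            "Backup portal\nusername: backup_svc password: B4ckup#22\n"
        ),
        "HR/benefits-form.txt": "Employee SSN: 123-45-6789\nDependent SSN: 234-56-7890\n",
        "IT/order-form.txt": "Card: 4111 1111 1111 1111 exp 08/19\nRef: 4111 1111 1111 1112\n",
        "IT/server-list.txt": "esx01 10.0.0.5\nesx02 10.0.0.6\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    sample = build_sample_dump()
    try:
        report = triage_dump(sample)
        print(f"{report['files']} files, {report['folders']} folders")
        for path, found in sorted(report["hits"].items()):
            print(path, {k: len(v) for k, v in found.items()})
        for pwd, users in report["reused_passwords"].items():
            print("password reused by", users)
    finally:
        shutil.rmtree(sample)
```

Run it as a script to see the summary for the constructed dump. For a real leak the loop would also need text extraction for PDF and Office files, which the example does not do, and the hit list should be treated as a triage queue for human review rather than a verdict: a Luhn-valid 16-digit number can still be an account or contract number, and the credential pattern only catches a user and password written on the same line.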

Cyberattacks are not something born a few years or months ago, and ransomware attacks are the ones that more than any other can bring a public or private entity to its knees.

Since the beginning of 2023 alone, that is in just 5 months, there have been at least 1,700 attacks carried out by ransomware groups such as the one that hit the city of Augusta; in the month of May alone there were over 430. These are only the attacks we know of: to these figures we must add all those where the victims decided to pay the ransom and whose data were therefore never leaked by the ransomware groups.