KNOXVILLE, Tenn. — Cyber-attackers posted some city of Knoxville data to the dark web, possibly exposing personal information, after a June ransomware attack that still impacts city computers, a spokesperson said.
Attackers shut down the city's computer system in the early hours of June 11 and demanded approximately $393,137 in the cyber-currency bitcoin, city director of communications Kristin Farley said in an email to 10News Tuesday.
Initially, the city's chief operating officer said it appeared no financial or personal information had been compromised. In July the city said the attackers had begun posting personal files to the dark web.
"The threat actor did post some data taken from our file servers to the dark web," Farley wrote Tuesday. "We are working at this time with a technical contractor to determine what personally identifiable information may have been posted."
Farley said the city would send a notification letter to people impacted within a few weeks.
Ransomware is software that hackers use to take control of a computer system. Such attacks are often carried out by outside operators trying to extort money from the system operator. Data is held for "ransom" until money is paid.
The city did not pay the ransom, but instead hired two cyber-security firms to help trace the attack and regain control of the computer system. As of early August, the firms had billed the city $105,479.01.
Farley said 95% of the city's 1,500 computers, laptops and tablets impacted were back online Tuesday.
Brett Callow, a threat analyst for the online security firm Emsisoft, told 10News the attacker appears to be from a group using what's been dubbed DoppelPaymer.
Callow forwarded one file as an example that shows information such as address, phone and pay for a man hired by the city in 2019. Some of that information already is public under Tennessee law.
According to Callow, Knoxville is at least the fourth U.S. city to have its data stolen via DoppelPaymer. Others are Pensacola, Fla., Torrance, Calif., and Florence, Ala.
"There may be others that we do not know about," Callow said in an email.
Florence, hit this summer, is electing to pay the ransom, according to press reports.
The dark web, where some city information may be posted, is a shadowy section of the internet not accessible by traditional search engines. Frequently the site of illegal activity, it allows users to remain anonymous or untraceable.