The small suburb initially told residents that their personal information had not been compromised in the March incident, but hackers' decision to publish the city's data online shows otherwise.
The city of Torrance, Calif., which last month saw its website, email and financial system partially disabled by ransomware, has now had some of its data leaked online by the same hackers who conducted the attack, according to public officials and recent reports.
The suburb of Los Angeles County with around 145,000 residents had previously said that the March 1 attack hadn't compromised any public data, but the recent leak seems to indicate otherwise.
In the March incident, hackers hit the city with DoppelPaymer, a strain of ransomware that exfiltrates data rather than merely encrypting it, and made off with some 200 GB of data.
After the initial attack, hackers dumped some of that data on a public website and dark web forums, including names, birthdays and Social Security numbers, as well as a large amount of information on the city's financial transactions, documents show.
Michael Smith, public information officer for Torrance, said that the city "was working with law enforcement" and had hired an outside digital forensics firm to assist with the investigation of the incident.
"On the 20th [of April], we learned of a data breach published on the Internet that may have come from our systems in the course of a ransomware attack we experienced on March 1st," Smith said by phone. "Some of the data may include personal information of employees and others ..."
The hackers are now asking Torrance officials for payment of 100 bitcoin — or roughly $680,000 — in exchange for not releasing any new information and for the decryptor key, according to Bleeping Computer.
Similar tactics have been previously used in cases like that of the city of Pensacola, Fla., where hackers stole data before dumping it online.
Brett Callow, a threat analyst with Emsisoft, said that the Torrance incident was a regrettable example of government not being straightforward and transparent after an attack.
"I don't know why governments make these hasty claims," said Callow. "Ransomware incidents should be treated as data breaches from the get-go."
COVID-19 has shifted the dynamics of these attacks somewhat, said Callow. While the barrage on private companies has held steady over the last few months, successful ransomware attacks on the public sector are down, he said, explaining that governments' response to the novel coronavirus may have actually decreased their attack surface.
"The number of incidents has reduced to a level that we have not seen for several years," said Callow, while cautioning that this respite was temporary, and that the U.S. would likely see an uptick in successful attacks after offices returned to standard practices.