This article retraces and documents the steps that led to our exchange of numerous emails with the BlackByte ransomware group. Through a series of data points, we describe the damage that the cyber attack of last May 21st and the resulting theft of documents caused to the City of Augusta. Above all, we list which types of documents, many of them PHI and PII of citizens and employees of the city, are still available on BlackByte's blog.
We recall that a total of 34,004 documents were stolen from the city's servers, in addition to several hundred e-mails held in the e-mail accounts of 12 employees of the Municipality and those contained in the 6 Outlook backups.
On the evening of May 29 we wrote our first email to BlackByte asking for information on its recent cyber attack against the city's IT systems. In the email we highlighted the presence of sensitive PII data and asked whether PHI data was also involved. We also asked about the May 25 statement in which the Mayor of Augusta said that the $50M ransom reported by some media was not true.
Here is what they told us a few hours later:
So the report that appeared on the website of a local Augusta TV station, which spoke of a $50M ransom, was denied not only by the Mayor but also by the perpetrators of the cyber attack.
We also tried to ask BlackByte whether the attack had been carried out using social engineering techniques, but they replied that they used their own techniques and would not share them with us.
In the following days we came into possession of the documents exfiltrated from the City of Augusta. Once extracted from the zipped archives, the data amounts to 83GB of .pdf, Excel, Word, text and .pst files: a total of 34,004 files and 7,420 folders.
Part of these documents, 3,093 folders and 10,796 files, were already contained in the 10GB of compressed data that BlackByte had published on its blog in the days following the cyber attack.
In those 10GB we had found several sensitive documents containing PHI and PII, as we had already documented in our first article, as well as several Excel files containing the passwords and user accounts (some, we think, private accounts) of an employee of the Municipality, and another Excel file with city employee data:
- Full names
- Windows Login Accounts
- Email Address
A list of 132 homeless people in Augusta with photo, full name and surname, and date of birth. We also found sensitive data on an employee, including a variety of PHI and PII documents:
- Medical reports
- Health Coverage
- Form W-2
- Retiree Account Statement (RAS)
- Military information
We had also found a medical record of a citizen born in Ghana.
The health document appears to belong to a person residing in Ghana, or in any case born there, who currently appears to hold the position of CEO of one of the most accredited Ghanaian banks. We could not understand why this document was stored on one of the City of Augusta's servers.
We found additional sensitive PHI and PII documents; our searches led us to speculate that they may belong to a now possibly retired City employee and his wife.
We found dozens of employee payslips from 2011 to 2020.
As for the emails in the 83GB of data, we found a total of 10.6GB of emails in 21 .pst archives, 5 of which are backup files. These emails are dated from 2004 to 2023 and are mainly exchanges of work information between the various employees of the City of Augusta, although the content of some of them should not, in our opinion, have been on a public institution's server because they deal with private matters.
In the “Exchange.pst” folder we found emails dated May 2023, some of which contain Word or Excel files of work reports from the “Fire Department/Emergency Management Agency” of the City of Augusta.
In other emails we found health documents as attachments; two of these emails had two PHI documents attached belonging to the same person, who was a minor at the time.
Mayor Garnett L. Johnson released a new statement updating the status of the services that had been interrupted after the cyber attack.
The Mayor declares that the Augusta IT department and external specialists are collaborating to restore the services interrupted by the cyber attack of last May 21st. He reaffirms that neither Augusta nor its associates have ever been in contact with the criminal group that claimed responsibility for the attack on the IT systems.
The statement posted on the institutional website goes on to report that many services have been restored, with the exception of three major systems that are still being restored:
- Geographic Information Systems (GIS)
- the enterprise asset management system that depends upon GIS
- the solid waste operations system
services which, the Mayor continues, should be restored within the next two weeks.
It is precisely the GIS that was most affected by the BlackByte ransomware group: a large part of the exfiltrated documents belong to this department, a total of almost 30GB, almost half of all the exfiltrated data. Among these are land maps, building plans, building permits, analyses and conditions of Richmond County's territorial waters, 2018 aerial maps of Augusta Regional Airport, a 2010 homicide map and much more, as can be seen from the screenshots we publish below.
On Thursday 8 June we wrote an e-mail to BlackByte asking whether the backup files had been deleted during the cyber attack and whether they still had access to the city's IT systems. This is their reply:
On Thursday 8 and Friday 9 June we wrote to the Mayor of the city asking for a statement on the case and on the exfiltrated data published on news websites. We had not received any response prior to the publication of this article.
This article will be updated if new details emerge.