Tulsa’s Police-Citation Data Leaked by Conti Gang

A May 6 ransomware attack caused disruption across several of the municipality’s online services and websites.

The city of Tulsa, OK is asking some of its residents to keep a close eye on their personal and financial accounts after the Conti ransomware group leaked some 18,000 city files, mostly police citations, on the dark web.

The leak stemmed from a May 6 ransomware attack that caused the city to shut down its network, disrupting its online bill payment systems, utility billing and email. The websites for the city, the Tulsa City Council, the city’s police force and Tulsa 311 also were affected in the attack.

BleepingComputer published a report Wednesday that includes what is purported to be a screenshot of the list of 18,938 files from the city of Tulsa leaked by Conti, which, in addition to police citations, also include internal Word documents.

Police citations contain some personal identifiable information (PII) – such as name, date of birth, address and driver’s license number – but do not include Social Security numbers, according to a statement by the city advising people of the leak.

“Out of an abundance of caution, anyone who has filed a police report, received a police citation, made a payment with the City, or interacted with the City in any way where PII was shared, whether online, in-person or on paper, prior to May 2021, is being asked to take monitoring precautions,” according to the statement.

Some of the ways those potentially affected by the leak can mitigate any potential fallout include monitoring financial accounts and credit reports, asking credit/debit card companies to issue a fraud alert, changing passwords to personal accounts, and adding a second level of authentication to personal accounts and apps, the City advised.

Criminalizing the Data

Indeed, while the information leaked “may not seem immediately useful to cybercriminals,” it can be used to craft attacks that leverage social engineering to lure victims, such as phishing emails or other scams, said one security expert.

“In this instance, the disclosure of police records can be used to construct convincing stories to trick unsuspecting victims or their families into paying fake fees or fines by claiming to be lawyers or court representatives,” Chris Clements, vice president of solutions architecture for Cerberus Sentinel, said in an email to Threatpost. “Even normally scam-savvy people may be fooled if a fraudster has enough detailed information.”

The leak also shows the Conti Gang once again flexing its muscles. “One of the most prolific ransomware gangs in operation,” the group of late has been “ruthless in its attacks on the public sector and healthcare networks,” even as authorities are aggressively cracking down on and in some cases shutting down other ransomware perpetrators, another security expert observed.

“The Conti group is showing a blatant disregard for the authority of law enforcement as they continue their attacks on these vital services,” Erich Kron, security awareness advocate for KnowBe4, said in an email to Threatpost.Even after the shutdown of the DarkSide gang, the arrests in the takedown of the Clop group, and even in light of the Ziggy ransomware gang providing all of their encryption keys for victims due to the fear of law enforcement actions, Conti continues their attacks without skipping a beat.”

Indeed, the DarkSide gang, infamous for the massively disruptive attack on the Colonial Pipeline Co, in May suffered a loss in access to the public part of its infrastructure – including the servers for its blog, payment processing and denial-of-service (DoS) operations – due to its seizure by law enforcement.

On the heels of that cybercriminal setback, authorities in the Ukraine also took down the Clop ransomware gang in a raid in Kiev that included the arrests of six people, as well as the seizure of $185,000 in cash, a Tesla, a Mercedes and their computer equipment.

Meanwhile, the Conti Gang, which has been known to demand outrageous extortion fees from its victims for releasing files from encryption, remains unscathed and operational – for now.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.

Suggested articles