The director of a Russian ransomware group named in a federal indictment this week is likely responsible for a cybersecurity attack on the city of Wichita.
The U.S. Department of Justice charged Dimitry Khoroshev and his company, LockBit, in a 26-count indictment on Tuesday. The counts include numerous charges of extortion and fraud.
The U.S. Department of the Treasury, along with officials in Australia and the United Kingdom, also announced financial sanctions against Khoroshev, 31.
And the State Department is offering up to $10 million for information that leads to his arrest.
Justice officials say LockBit has targeted more than 2,000 victims globally and stolen more than $100 million in ransomware payments.
Kaustubh Medhe is the vice president for Research & Threat Intelligence with Cyble, a cyber threat intelligence company based in Atlanta. He said LockBit took credit on its website for hacking Wichita.
Medhe said LockBit likely has targeted more than 100 government and public agencies in the U.S. He said city and county governments often don’t have sophisticated security systems, which makes them targets for groups like LockBit.
“Most of these threat actors are actually looking for low-hanging fruit,” Medhe said. “Because obviously, at the end of the day, they run as a business. They don't want to spend too much time ... identifying the victim and stuff like that.
“They look for quick and easy things that they can break into, and then quickly deploy the ransomware and get out as soon as the entity is willing to pay.”
Wichita announced the cyberattack over the weekend. Many city services and operations remain hampered by the incident.
Online bill payments are suspended. And all payment for city services, ranging from the bus to museums to golf courses, must be by cash or check.
The city says it’s unknown when its computer systems will be fully restored.
Postings by LockBit on social media show the city has until May 15 to pay a ransom or personal information will be leaked to the web.
Medhe said it’s possible the information already is out there. He said people should be aware of any suspicious activity on their credit or debit card, and be alert to phony emails from government agencies.
“Even if they (the city) recover from the attack, there is a high chance or probability that the data is already out there,” he said. “And the threat actors may start monetizing the data in terms of going on the dark web, trying to put it up for sale.”
As the city deals with its attack, clinical operations at Ascension Via Christi hospitals and clinics in Wichita are being disrupted by a multi-state cyberattack on the health nonprofit Ascension.
A spokesperson says the organization detected unusual activity on its network Wednesday and is investigating.
Ascension operates hospitals, clinics and nursing homes in 19 states.