Attackers Post Knoxville City Employee Files On Dark Web, City Reviewing Extent Of Release

“The City of Knoxville is aware that the threat actor is publishing city data acquired in the attack,” the city says. The group that hijacked the city of Knoxville’s computer network last month has begun posting personal data files of employees on the dark web.

According to a city statement Friday, “The City of Knoxville is aware that the threat actor recently began publishing certain data acquired from the City’s computer systems as a result of the recent malware attack. The data is being published on a site created by the threat actor to shame victims who choose not to pay the ransom and as additional leverage to seek payment of the ransom.”

City officials said soon after the June 11 attack that it appeared no city employee data had been compromised. The dark web is a part of the internet that is not indexed by search engines and can only be reached with specialized browser software.

City officials have confirmed the attackers are demanding an undisclosed ransom in exchange for restoring access to the city’s systems. The city, however, said it does not intend to pay. It shut down the network, forcing employees off their work computers, and has been restoring from backup files.

Knoxville Police Department officers stopped generating some reports including non-injury accident reports, but the police department said Tuesday it had gone back to “normal protocol” in responding to non-injury crashes. KPD spokesman Scott Erland on Thursday referred any questions about the issue to city communications director Kristin Farley.

Brett Callow, a threat analyst for the security firm Emsisoft, told 10News the attacker appears to be the group behind the ransomware strain dubbed DoppelPaymer. The group has posted city employees’ files on the dark web. Callow forwarded one file as an example; it shows information such as the address, phone number and pay of a man hired by the city in 2019. Some of that information is already public under Tennessee law.

According to Callow, Knoxville is at least the fourth U.S. city to have its data stolen via DoppelPaymer. Others are Pensacola, Fla., Torrance, Calif., and Florence, Ala. “There may be others that we do not know about,” Callow said in an email.

Florence, hit this summer, is electing to pay the ransom, according to press reports. Such an attack, by design, can cost victims thousands if not millions of dollars. The city of Knoxville has hired the cybersecurity firm CrowdStrike and the law firm Mullen Coughlin to help it respond to the attack.

“We are working diligently, with the assistance of our third-party computer forensic specialists, to review the data published by the threat actor and confirm the full extent of data that is impacted. We appreciate your continued patience and understanding as we continue our investigation,” the city’s statement Thursday reads.

Callow said DoppelPaymer almost certainly has many files it’s holding back as it pressures Knoxville.

“The actor will only have published part of the data that was stolen. It’s the equivalent of a kidnapper sending a pinky finger. Should the city not pay, the remaining data will be published, probably in installments. In other words, the impact could be more significant than the initial data dump indicates. Whether the city’s forensic investigation has established what data was taken, I obviously can’t say. They may or may not know.”