Cyber Incident Victim: City of Waynesboro
Date: Jan 2023
Location: United States of America
Summary
The City of Waynesboro experienced a ransomware attack by the BianLian group, resulting in the theft and online publication of approximately 350 GB of sensitive data, including internal police files containing criminal investigations, staff personal information, and operational manuals, alongside government documents and public relations materials. Attackers infiltrated the municipal IT infrastructure, prompting immediate containment measures and forensic investigations involving law enforcement. While the ransomware operators claimed to have encrypted systems and threatened data leaks, the city confirmed unauthorized data exfiltration but did not disclose whether a ransom was demanded or paid. Officials emphasized ongoing efforts to assess the breach's scope and provide support to affected individuals.
Description
In January 2023, the City of Waynesboro, Virginia, was notified of a potential cyberattack by external actors on its information technology infrastructure. The incident involved the BianLian ransomware group, which claimed responsibility for infiltrating the city’s digital systems and stealing approximately 350 gigabytes of data. According to social media posts and threat analyst reports from late February to early March 2023, the stolen data included fileserver contents from the city government and internal police department systems. Specific compromised police records encompassed criminal investigations, staff personal data, internal reports, operational manuals, and public relations materials. The attackers explicitly named Mayor Lana Williams, Vice Mayor Jim Wood, and Council member Kenny Lee in their disclosures. BianLian’s operational method involved exfiltrating data prior to encrypting victim systems, threatening to publish stolen information on dark web platforms unless a ransom was paid within 10 days. While the city confirmed data theft and online posting by late February, no explicit ransom demand or encryption impact on city operations was disclosed in available reports. Security firm Emsisoft noted BianLian’s emergence as a ransomware operation targeting both public and private sector entities, with 2023 seeing at least 15 U.S. local governments affected by ransomware, 11 of which experienced data theft.

The City of Waynesboro initiated immediate containment measures upon discovering the breach, including removing the malicious activity from its infrastructure and implementing enhanced security protocols to reduce vulnerability. City Manager Mike Hamp publicly confirmed the data theft on March 1, 2023, and stated the city was collaborating with law enforcement and cybersecurity experts to investigate the attack’s scope and mitigate its effects. The police department joined these efforts to assess potential compromises to criminal investigations and personnel records. Concerns arose regarding the exposure of sensitive law enforcement data, with Emsisoft highlighting historical cases where ransomware attacks led to dropped prosecutions due to evidence loss or threats to expose informants. The city committed to notifying affected individuals and providing resources to address risks of identity theft or scams stemming from the breach. Concurrently, cybersecurity researchers observed BianLian’s increased activity since mid-2022, though the group’s origins and base of operations remained unidentified. The incident reflected broader trends of ransomware disproportionately impacting smaller municipalities, as noted in Emsisoft’s analysis of 106 attacks on U.S. state or local governments in 2022, with data stolen in 27 cases. Waynesboro’s response remained ongoing as of early March 2023, with no further public updates on data recovery or operational disruptions.
