Cyber Incident Victim: Dynamic Networks
Date:
Dec 2022
Location:
United States of America
Summary
The city of Mount Vernon experienced a ransomware attack via its IT provider's remote access tool, deploying LockBit ransomware which disrupted municipal court, police, auditor, and public works operations. The attackers demanded ransom, but the city restored systems using backups and removed vulnerable software, claiming no personal data was accessed despite the breach of sensitive departments. An insurance evaluation is assessing potential data theft. LockBit, a highly active group, has targeted numerous entities globally, with increased incidents linked to a leaked toolkit enabling DIY variants, exacerbating threats to under-resourced governments.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 19, 2022, at approximately 3 a.m., the city of Mount Vernon, Ohio, experienced a ransomware attack that disrupted municipal operations. The intrusion originated through a remote access tool used by the city’s IT provider, Dynamic Networks, and also impacted other clients of the provider. Attackers deployed LockBit ransomware, encrypting files and demanding payment for access. Affected departments included the Mount Vernon Municipal Court, Police Department, Auditor’s office, and Public Works. City officials and Dynamic Networks immediately initiated recovery efforts, leveraging backups to restore systems over the following week. Vulnerable software was removed from all systems as part of the remediation. While the city stated no personal identifiable information was "removed, or accessed" from its systems, it did not clarify how this conclusion was reached given the ransomware gang’s access to sensitive court and police networks. The city engaged its insurance provider to commission an independent evaluator to assess potential data theft. Due to system outages, police operations were temporarily relocated to the Knox County Sheriff’s Office to maintain continuity. Local news reported additional disruptions to cemetery management and public works services.
The incident reflected broader trends in ransomware targeting local governments. LockBit, identified as the ransomware variant used, had become the most prolific ransomware operation globally in 2022, with over 1,000 victims since its emergence in 2020. The U.S. Justice Department noted LockBit actors had extorted tens of millions in ransom payments. Mount Vernon’s attack occurred amid a surge in LockBit 3.0 activity following its June 2022 release, which introduced technical upgrades and a bug bounty program. Recorded Future documented 175 government-sector ransomware attacks in 2022, slightly below 2021’s total but still significant. The city, with approximately 17,000 residents, did not request state assistance from Ohio’s Department of Public Safety or the governor’s office. Recovery efforts focused on backup restoration and vulnerability removal, with no public disclosure of ransom payment or negotiation. The attack underscored the operational risks to municipalities with limited cybersecurity resources, mirroring incidents in New Jersey, Colorado, Oregon, and New York that year. LockBit’s prominence was further amplified by the September 2022 leak of its ransomware builder toolkit, enabling unauthorized actors to create customized variants.