Cyber Incident Victim: City of Mount Vernon
Date:
Dec 2022
Location:
United States of America
Summary
The City of Mount Vernon experienced a ransomware attack by the LockBit group, which infiltrated systems through a remote access tool used by its IT provider, also affecting other clients. The breach disrupted operations across municipal court, police, auditor’s office, and public works departments, forcing police to temporarily relocate services. City officials and their provider restored systems using backups and removed vulnerable software. While the city asserted no personal identifiable information was accessed or stolen, it engaged an independent evaluator to verify this claim. The incident reflects broader trends of ransomware groups targeting under-resourced local governments. LockBit, noted for its prolific global attacks, demanded a ransom but the city’s payment status remains unspecified.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On December 19, 2022, at approximately 3 a.m., the City of Mount Vernon, Ohio, experienced a ransomware attack that disrupted municipal operations. The breach originated through a remote access tool used by the city’s IT provider, Dynamic Networks, which also impacted other clients of the provider. Attackers deployed LockBit ransomware, encrypting files and demanding payment for access. Affected departments included the Mount Vernon Municipal Court, Police Department, Auditor’s office, and Public Works. City officials and Dynamic Networks immediately initiated recovery efforts, utilizing backup data to restore systems over the following week. Vulnerable software linked to the breach was removed from all city systems. While the city stated no documents containing personally identifiable information (PII) were "removed or accessed," they did not clarify how this determination was made given the ransomware’s access to sensitive court and police systems. The city engaged its insurance provider to commission an independent evaluation to verify whether PII was compromised. Municipal operations faced significant disruptions, with police personnel temporarily relocating to the Knox County Sheriff’s Office to maintain critical functions. Local news reported additional impacts on cemetery management and public works services. The city committed to public updates and regulatory notifications if evidence of PII exposure emerged.
The incident reflected broader trends in 2022, where ransomware groups increasingly targeted under-resourced local governments. LockBit, identified by the U.S. Justice Department as one of the world’s "most active and destructive" ransomware variants, accounted for 175 publicly reported government attacks in 2022 according to Recorded Future. The group’s operations accelerated after launching LockBit 3.0 in June 2022, which introduced technical upgrades and a bug bounty program. By August 2022, LockBit had been linked to 1,111 global attacks, including 82 that month alone. The group’s ransomware-as-a-service model and a leaked toolkit in September 2022 enabled wider distribution of its malware. Mount Vernon’s attack underscored LockBit’s focus on exploiting third-party vulnerabilities, as seen in the compromise of Dynamic Networks’ remote access tool. Federal authorities noted LockBit actors had extorted tens of millions in ransom payments from over 1,000 victims since 2020. Despite restoration efforts, Mount Vernon’s reliance on backups and lack of confirmed data exfiltration aligned with LockBit’s typical encryption-based tactics rather than pure data theft. The city’s 17,000 residents awaited final confirmation regarding PII safety through the ongoing independent assessment.