
Yes, cybercriminals stole Hernando County's data for ransom

Officials say it started with a network interruption. Now the county is trying to figure out whose private information was up for auction on the dark web.

As Easter weekend passed in April, Hernando County officials noticed an interruption in their network that caused websites to go down. 

Early reports indicated that operations such as the county’s property appraiser, the clerk of court’s office, and the zoning department were down. 

As the days went on, Hernando County began to see services come back online, but it took weeks before everything was fully restored. 

Because the outage lasted so long and little information was shared about what caused it, concerns mounted about whether it was more than just a network bug. 

Cindy M. from Spring Hill contacted VERIFY about an article she saw online claiming that a “ransomware group [had] posted an auction for Hernando County’s data on the dark web,” and wanted to know if it was true. 

“Everyone up here is going crazy, they don’t know what to believe,” she said. 

THE QUESTION 

Was Hernando County the victim of a ransomware attack, and did the cybercriminals put sensitive information up for auction? 

OUR SOURCES 

THE ANSWER 

This is true.

Yes, Hernando County’s network was hacked by cybercriminals who stole data and later put it up for auction online. 

WHAT WE FOUND 

The claim that the county was the victim of a ransomware attack first appeared in the Hernando Sun weekly newspaper.

On April 12, the publication posted an online article titled “Threat Analyst Shows Evidence of Hernando County Ransomware Attack.”

The article cites a post on the social media platform X by a user named Brett Callow. Callow is a threat analyst at Emsisoft, a company based in New Zealand that produces anti-virus software. Emsisoft also fights ransomware attacks by removing the encryption and restoring the victim’s data. 

Callow’s post includes a screenshot of what he claims to be an auction for Hernando County’s data posted by the Rhysida ransomware group. The auction's starting price is 40 Bitcoins, which is roughly $2,697,240. 

Callow called the scheme “plain ol’ extortion” because “nobody other than the victim would pay anywhere near that amount.” 

That’s the basis of how many ransomware attacks work, and it’s a specialty of the Rhysida group, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

What was the ransomware attack? 

CISA calls Rhysida an “emerging ransomware variant” targeting education, healthcare, manufacturing, information technology and government sectors. Attacks from the group date back to May 2023, CISA said. 

When VERIFY contacted Hernando County to confirm the information in the Hernando Sun article, officials acknowledged that hackers caused the outage. 

“Hernando County became aware of public posts from cyber criminals claiming to have obtained data during the network interruption...recently experienced,” a statement read. “...which confirmed the County was a victim of a ransomware attack.” 

Officials said they could not provide any more details on the incident due to the ongoing investigation. 

A ransomware attack occurs when hackers encrypt a victim’s data to block access and demand a ransom for a decryption code. 

“Then they pinky swear that they’re not going to put it out on the internet – that they’re going to delete it," said Erich Kron, a security awareness advocate with KnowBe4. "[But] let’s face it; these are the same criminals that just broke into your stuff and crushed it."

Brett Callow agreed, telling 10 Tampa Bay it'd be a mistake to believe cybercriminals delete the files.

"In fact, there is ample evidence that ransomware groups don't delete the files after they paid," he said. "Law enforcement recently hacked into the infrastructure of one of the most prolific gangs and found data going back quite some time from companies that had paid to have it supposedly deleted."

Victims sometimes pay the ransom and are never given the code to get their data back.


Florida law makes it illegal for a government entity to comply with or pay a ransom demand. 

In May, the auction was taken down and the county’s data was posted on the dark web, where it is freely available for download, according to the Hernando Sun. As of May 21, the information was still up and available for download.

A screenshot shows Hernando County data available for download on the dark web. 10 Tampa Bay blurred out the attached screenshots indicating stolen data.

Another article from the Hernando Sun said the publication had verified the auction listing after Callow provided it with a link that allows safe, anonymous access to the dark web. The article named types of information in the auction, including “budgeting documents, resolutions, W-9 forms, screenshots of email inboxes, inmate lists” and more. 

VERIFY has not independently viewed the auction listing on the dark web. 

Do I need to be worried? 

Cindy M. expressed concerns over the county's ability to accept secured payments from residents amid the ransomware attack.

"I have to be careful with my money," she said. "I paid my bill last month despite this problem, [and] I'm hoping my money went where it was supposed to, and hopefully my information wasn't stolen..."

Local governments hold a lot of data across all of their different agencies. Everything from voting records and social services data to the financial information of contracted businesses and more is held on the government's network, according to GovPilot, a company offering data storage services to local governments.

The Hernando County Government data auction included screenshots of just some files taken from the county, including documents already publicly accessible through Florida’s Sunshine laws. Sunshine laws are meant to promote transparency within the state’s governmental agencies. They ensure open meetings and the right to request certain records, such as budgeting documents, resolutions, and property appraiser information.

Of the other information that was part of the auction, the W-9 forms could put businesses that do contract work for the county at risk, especially if the business owner submitted their Social Security number on the form instead of their Employer Identification Number.

In its totality, the data posted in screenshots by the hackers in the auction doesn't seem to include things like residents' personal information.

However, that doesn't mean that's all the hackers took during the network interruption. The Hernando Sun reported that when the auction ended and the information became available for anyone to download, the cybercriminals claimed the data comprised 6,190,346 files totaling 3.2 terabytes.

"In past cases involving local governments, we have seen things like payroll records made public, disciplinary records of employees, and really, really sensitive things like the records from social service departments," Callow said.

Even if your information wasn't taken in the ransomware attack, Erich Kron said you're still not in the clear. Scammers could use the county's data to create a scheme that targets residents.

“By referencing information from the breach, such as past transactions with the county or tax records, they can make communications, including phone calls or text messages, sound legitimate and may try to convince victims that money or past due tax statements are due,” he said. 

Whether using real county employees’ names or impersonating email signatures, that information can make a scam seem more real.

“If residents are contacted by someone claiming to be from the county and asking for money or additional information, they should end the call and contact the county directly through a published phone number or email address,” Kron said.

Brett Callow said he was on the advisory board for a project called "Ransomware Harms and the Victim Experience" at the Royal United Services Institute in the United Kingdom. As part of that project, he said researchers conducted a study on the implications of ransomware attacks for both individuals and organizations.

"The good news is that there is really very little evidence that ransomware operators or anybody else systemically misuses the data that's stolen in these attacks," he said. "So there's a good chance that absolutely nothing will happen to the individuals who are impacted. But it may be low risk, but it isn't no risk.”

He said a big reason for that is that cybercriminals who carry out ransomware attacks are motivated by getting a ransom paid.

“The ransomware gang wants to collect tens, hundreds of thousands, a million plus bucks from the organization. They're not interested in committing much smaller identity fraud,” Callow said.

Cybersecurity advocates like Emsisoft have called for a federal ban on ransom payments to eliminate cybercriminals' ability to profit from these attacks.

"If nobody paid ransom demands, there would be no more ransomware," he said.

The Office of the Attorney General of Florida confirmed an active investigation is looking into the incident.

As the county works with state and federal law enforcement agencies to investigate the ransomware attack and what information was stolen, there are steps you can take to protect yourself. 

Hernando County has a property fraud alert service that notifies you if a deed or mortgage is granted in your name. You can sign up for that here.

For other tips on how to keep your identity protected, you can find VERIFY’s guide in an article linked here.


When you go to the Hernando County website, an orange banner at the top of the page directs visitors to a status update on county operations after "an interruption of the county-wide IT network," but doesn't mention a ransomware attack.

The page states that most services are fully operational. However, some services have been limited at the Property Appraiser's office and the Supervisor of Elections' main office. You can find a complete list of Hernando County agencies and their operations here.

Here is the full statement from Hernando County to 10 Tampa Bay on the incident: 

“Hernando County became aware of public posts from cyber criminals claiming to have obtained data during the network interruption we recently experienced, which confirmed the County was a victim of a ransomware attack. The County is cooperating with state and federal law enforcement and a team of cybersecurity experts to investigate the claims and the full nature and scope of the incident. At this time, we are unable to provide further information regarding the actions of the cyber criminals but are working diligently to investigate their claims. Should we confirm that sensitive information was impacted due to this attack, we will be notifying those impacted, pursuant to state notification guidelines. 

Thanks to the hard work of our information technology team, the majority of our internal and external systems are back online and are fully operational. We are committed to continuing to work tirelessly until 100% of the County’s systems are fully restored and will continue to keep the Hernando County website updated with the status of these systems. 

The safety and wellbeing of our residents is our highest priority, and we sincerely regret the disruption and concern this has caused. We greatly appreciate the patience of Hernando County residents and businesses as we have worked to thoroughly investigate and remediate the situation.” 
