No Ransom Demand by Rhysida Before Columbus Data Leak: City IT Chief
2024-9-10 21:26:40 Author: securityboulevard.com

It may have been a ransomware gang that attacked the city of Columbus, Ohio, in mid-July, but there was never a ransom demand and the threat group never responded to attempts by city officials to negotiate.

That was the message Sam Orth, director of the city’s IT department, reportedly gave the Columbus City Council on September 9, adding another twist in a story that started to play out with an attack on the city July 18 and has since included the failed attempt by the Rhysida ransomware-as-a-service (RaaS) group to sell what it said was 6.5TB of data from the attack, the leak of 3.1TB of data, and questions about how truthful Columbus officials have been about the severity of the attack.

Most recently, the city on August 29 filed a lawsuit against an Ohio-based cybersecurity researcher who contradicted comments by Mayor Andrew Ginther that Columbus’ IT staff had successfully detected and shut down the attack and that any information stolen by the hackers was either encrypted or corrupted, making it unusable to the bad actors.

Now Orth is saying that no ransom demand was ever sent to the city and no one from the Rhysida group responded when city officials tried to reach out to them, according to a report by a local NBC affiliate. He didn’t address the other issues surrounding the incident, including the legal action against the researcher, Leroy Ross Jr., though he did give an assessment of the attack, according to the report.

“What we learn changes by the hour,” Orth reportedly told the council. “There is no such thing as a perfect defense in cybersecurity.”

Investigation, Repairs Continue

The Rhysida attack disrupted city services and its ripple effects continue to be felt. According to a July 29 statement, the city’s IT department detected the intrusion and “identified the threat and took action to significantly limit potential exposure, which included severing internet connectivity.” Columbus officials also contacted the U.S. Department of Homeland Security and the FBI.

Orth said that despite the amount of work the city’s Department of Technology has done to repair the damage, it still was working to bring 23 percent of Columbus’ 441 city applications back online. It also is resetting the passwords for all employees and systems, according to the WCMH NBC4 report.

He also said that the data leak by the RaaS group showed that the city held data of employees and citizens for at least 20 years and that the IT department will review how long it should keep such information.

“What we collected 10 years ago might not be what we need to collect today,” Orth told the City Council. “To the extent that we have data that we don’t need anymore, if that indeed is the case, then we need to look at our retention policies and how we might change those policies going forward.”

Data for Sale

In late July, Rhysida reportedly put the 6.5TB of data up for sale, asking for 30 Bitcoin, or about $1.7 million. Failing that, the threat group leaked the 3.1TB of data. The attackers said that the stolen data included internal logins and passwords, emergency services applications for the city, and city camera video feeds.

However, Ginther called much of the data unusable, which Ross, the cyber researcher who goes by the professional name “Connor Goodwolf,” claimed was untrue. Ross pored through the leaked data, saying it included personal information of both city employees and residents, including driver’s license and Social Security numbers and data about Columbus police officers as well as victims and witnesses of crimes. At least two lawsuits have been filed against the city, which is the capital of Ohio and has about 913,000 residents.

Ross spoke with local media about what he found in the leaked data, which angered city officials and led to City Attorney Zach Klein filing the eight-page complaint against him, accusing him of invasion of privacy, negligence, and civil conversion. With the last charge, Klein claims that Ross took information belonging to the city and used it to benefit himself.

The Controversy Grows

The complaint stirred up its own controversy, both locally and nationally, with groups like the Electronic Frontier Foundation (EFF) saying it violated Ross’ First Amendment rights. In addition, Amelia Robinson, The Columbus Dispatch’s opinion and community engagement editor, wrote in a column for the city’s largest newspaper that she’d been notified by a credit card monitoring company that her information was on the dark web.

Robinson wrote that she likely would have put off taking any action on the situation “if not for a whistleblower who calls himself Connor Goodwolf professionally and in the ‘furry’ world. It is alarming that this cybersecurity expert is now in the city’s crosshairs.”

In addition, Jeff Nathan, director of detection engineering and threat research at cybersecurity firm Netography, wrote an online letter to Klein calling the lawsuit “misguided and counterproductive. It aims to suppress critical information that citizens need to protect themselves from ongoing risks resulting from the ransomware attack on the City of Columbus.”

More than 100 cybersecurity and IT professionals have signed onto the letter.

Source: https://securityboulevard.com/2024/09/no-ransom-demand-by-rhysida-before-columbus-data-leak-city-it-chief/