Someone claiming to be Cleveland court hacker says they're associated with Russian-based ransomware group

Qilin has claimed responsibility for attacks around the globe

CLEVELAND — The person claiming to be the hacker who attacked Cleveland Municipal Court said they are affiliated with a Russian-based ransomware gang in an e-mail with a News 5 Investigative Producer.

The alleged hacker said he's affiliated with Qilin, which has taken credit for cyberattacks around the globe.

Qilin is the name of a mythical Chinese creature, also known as a Chinese unicorn, that is considered pure and benevolent, according to multiple sources.

But Graham Cluley, a U.K.-based cybersecurity expert and keynote speaker, said the ransomware gang is far from good or kind.

"The ransomware gangs are the lowest of the low," he said. "They're absolutely in the gutter."

"They have no qualms at all about who they hit. We have seen hospitals hit in the past. We've seen children's hospitals. Cancer hospitals. We saw during lockdown, we saw organizations who were trying to develop vaccines to save millions of people being attacked by ransomware," Cluley said. "The gangs don't care at all."

How does Qilin work?

"The Qilin ransomware gang is what we call 'ransomware as a service,' which means that anyone can become an affiliate of the Qilin gang," Cluley said. "You could be anywhere in the world. You may not have any computer knowledge, but you will use their infrastructure, their ransomware, their tech support and their leaking website in attacks against companies."

"The Qilin gang will get a percentage of any proceeds which you make but you get to keep the lion's share for yourself, so whoever has attacked the municipal court is doing it under the Qilin umbrella," he said.

The person claiming to be the Cleveland Municipal Court Hacker told News 5 the court did not pay the $4 million ransom.

Cluley said many organizations are pressured into negotiating and paying the group.

"Ransomware, unfortunately, is one of the most successful cybercrimes from the cybercriminal point of view," he said. "In the last few years, the criminals have made billions through ransomware attacks all around the world."

Who do they target?

"The thing with these ransomware gangs is they will really attack anyone," Cluley said. "They will later try and work out how much money you might have or how desperate you might be to actually pay the money."

"Now, obviously, a municipal court probably doesn't have huge amounts of funding, but they will use every trick in the book in order to try and scare you into taking action."

The court has not responded to News 5's questions about Qilin's tactics.

Cluley said Qilin's most high-profile ransomware attack occurred last summer in London.

He said the U.K.'s National Health Service declared an emergency "critical incident" and canceled operations at several hospitals following the attack on Synnovis, a blood testing and transfusion company.

According to news reports, Qilin has also taken credit for attacking a newspaper group, a Japanese cancer treatment center, and Ukraine's Ministry of Foreign Affairs so far this year.

The cyberattack on Cleveland Municipal Court was first discovered on February 23rd.

As a result of the attacks, the court was shut down for over two weeks.

Last month, News 5 Investigators told you sensitive information, like Social Security numbers of court employees, was posted on the dark web.


The court has also not answered our question about whether it has warned court workers and citizens that their personal information appears to have been put at risk.

Cluley said the court should be more upfront about how and why they were shut down.

"Everybody knows the court has been hit by ransomware. It's time to put your hands up and say, 'Yes, we have an active problem here. We are scurrying around trying to fix it,'" he said.

"Openness, transparency is always the right way to respond, I believe," he said.
