Russian hacker group may be connected to Mission ransomware attack – Progress Times


A Russian-speaking group of cybercriminals may be connected to a ransomware attack that crippled the city of Mission in February.

 

An engagement letter with a law firm the city hired to deal with the attack described it as the “Qilin Ransomware Incident.”

 

Qilin doesn’t appear to be a word.

 

Qilin, on the other hand, is the name of a band of international cyber criminals that have been active since 2022.

 

The group generally steals sensitive data and encrypts systems belonging to cities and other organizations before holding them hostage.

 

In 2024, the group was described as the perpetrator of a debilitating hack against hospital systems in England.

 

Publishing giant Lee Enterprises acknowledged last week that 40,000 Social Security numbers were exposed in a breach Qilin took credit for earlier this year.

 

The group also took credit for a ransomware attack on the city of Abilene in April, an attack that doesn’t appear to be dissimilar from the one Mission faced in February.

 

Abilene declined to pay the group the ransom it demanded and as of Tuesday was essentially waiting to see whether sensitive data stolen from the city made its way onto the internet.

 

 

The city of Mission didn’t respond this week to questions about Qilin and its possible involvement in the February ransomware attack.

 

The city also didn’t respond to a question about whether or not it had paid a ransom in relation to that incident.

 

Whether or not it did pay a ransom, the city’s already spent tens of thousands of dollars responding to the attack.

 

Contracts released last week through an open records request show that on the heels of the attack the city hired two law firms and a cybersecurity specialist that handles ransomware negotiations.

 

“Surefire will research the type of encryption software, its signatures, and the threat actor responsible for the incident,” the city’s agreement with Surefire Cyber says. “The intent of this research is to advise on the optimal strategy to take to maximize the likelihood of recovering Client’s property, in the shortest amount of time, at the lowest possible cost.”

 

The city also spent tens of thousands of dollars in recent months beefing up its cybersecurity infrastructure, buying things like new firewall infrastructure.

 

“We continue to dedicate significant resources to further bolstering our security, including establishing more robust network security, monitoring, and data redundancy,” the city said in a statement Tuesday. “This will build on the work we did with the cybersecurity experts who assisted in investigating and remediating this incident.”

 

The February ransomware attack in Mission resulted in all of the city’s servers and backup servers being encrypted, leaving the city unable to access records and hampering its ability to perform some basic municipal functions.

 

The attack was severe enough that the city requested a disaster declaration from Governor Greg Abbott.

 

Mission anticipated recovery efforts to last months.

 

As of Tuesday, the city says those efforts are ongoing.

 

“Regarding the cybersecurity incident, most internal city information systems are operational, however, we are still in the data recovery process. All external services to our residents are currently operational,” it said in a statement.

 


