Ransomware is a nightmare for any organization. All it takes is one user in the targeted department and the workday becomes very interesting, very quickly. One set of frequent targets is government units across the United States: large cities, small towns, counties, and other local bodies. These entities have limited resources, and those resources seem to shrink a little more every year. A recent successful attack hit Jackson County in Georgia, which lies northeast of Atlanta, roughly 60 miles from the city.
Ransomware, unfortunately, is everywhere, from basic variants to far more advanced strains with many more functions. In this case there was clearly a breach. Staff began noticing the problem when computers, services, websites, and email stopped working on March 1. The county notified the public on March 5 that there was an issue, and on March 6 it announced via a Facebook post that its email system was down. It took the county a few days to understand what had happened. The attack was relatively advanced, using the Ryuk ransomware strain, and it was built to sever the county's online communications in addition to producing the usual symptoms: the entire computer network and internet connectivity went down, and in effect every internet-connected device was out of service. In the interim the county had to do everything on paper. The attackers are estimated to have been inside the network for a couple of weeks before the ransomware was executed, and their focus was gaining access to police and county records. Fortunately, the 911 system was not affected.
The county contacted the FBI and other cybersecurity experts. After their review, they concluded the attack's effects could not be reversed; they spent a week attempting to decrypt the files and systems with no luck, and could have kept trying for months with the same result. The county decided to pay and hired a cybersecurity response consultant to negotiate with the attackers. The ransom demanded was 100 Bitcoins, worth approximately $400k at the time. Unfortunately, the ransom was paid. The county felt it had no choice: without the decryption key, the encrypted files would remain inaccessible and every affected machine would effectively be a brick, so the county would have had to replace or rebuild all of its equipment and start over. The payment was more of a business decision than a technical one. Paying is also no guarantee: the attackers' decryptor may be slow or buggy, and their initial foothold remains unless it is found and removed. The status of the county's backups was not published; it is presumed there was a problem with them, since restoring from backup would normally be the viable alternative.
This is not the first successful ransomware attack in Georgia. The City of Atlanta was hit in 2018. In that case the city did not pay the ransom and instead rebuilt and replaced its affected equipment. The immediate cost was $2.6M; the total cost was nearly $17M.
Prevention…prevention…prevention. The problem may be alleviated somewhat with pertinent, sustained training that teaches staff what to look out for. With the Ryuk strain, the initial attack vector may also be weak RDP passwords, so training should be paired with updated password conventions: long passwords or passphrases, account lockout after repeated failures, no Remote Desktop exposed directly to the internet (put it behind a VPN or gateway with multi-factor authentication), and monitoring of failed RDP logon attempts so that password guessing is noticed before the attackers have spent weeks inside the network.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.