A ransomware attack hit Jackson County, Georgia computers, slowing public activity to a crawl until officials decided to pay the cyber criminals $400,000 in exchange for the decryption key.
The attack affected computer systems in all county departments, including those for email and emergency services. Radio communication and phones remained fully functional, however, so people were still able to call 911. Yesterday, Jackson County Manager Kevin Poe told Online Athens that the network serving medical emergencies took only a minimal blow because it was hosted by a third-party provider.
Back to the paper age: county offices were forced to go back to paper to do their jobs, which drastically slowed down operations. Jackson County Sheriff Janis Mangum told StateScoop that, with no computers available, arrest bookings and reports would be done the old-fashioned way. As is typical of ransomware, the demand for payment was in bitcoin to reduce the chances of tracing the money back to the perpetrators.
The county gave in to the crooks' demand because it had no backup system in place, one kept separate from the network used for the daily operations of county government. When no backup is available, the victim has to decide whether to pay, or to take a huge operational hit, stay offline for a long time, spend money on rebuilding the network and, hopefully, adopt a strict data backup policy.
Some Ryuk numbers:
216.6 BTC was sent to the addresses we've seen in samples.
190 BTC was sent to the addresses we've seen in notes only.
1 of the addresses seen only from notes got more than 80 BTC in one transaction. If that was from a victim…
And this is in not even 3 months…
— MalwareHunterTeam (@malwrhunterteam) November 3, 2018
While proper data backup and maintenance is now the norm as protection against both system failures and ransomware infections, this measure is rarely seen in smaller communities like Jackson County. The FBI is currently investigating the attack, and Poe said the cyber criminals used a fairly new strain of ransomware called “Ryunk”, operated by a group in Eastern Europe.
The malware is probably Ryuk, associated with a group suspected of being based in Eastern Europe. Ryuk borrows code from another piece of ransomware known as Hermes, which has been attributed to the Lazarus group of North Korean hackers. However, Hermes was available for purchase in the online underground community, so those behind Ryuk could simply have bought it and modified a few lines of code to make their own malware.
The security researcher MalwareHunterTeam first discovered Ryuk in August 2018. The researcher monitored the cybercriminals' cryptocurrency wallets and found that in about four months of criminal activity they received more than 400 bitcoins. That is hundreds of thousands of U.S. dollars.
Jackson County paid the criminals on Friday through a cyber security consultant who negotiated with the hackers. The county received the correct decryption key and began decrypting the data on the affected computers. Ryuk is typically delivered through targeted phishing attacks, which was probably the method used in the Jackson County case as well.
Among the latest victims of the malware are major U.S. newspapers from Tribune Publishing and the Los Angeles Times, whose printing and delivery were severely affected by an attack in December 2018. Publications affected by that attack include the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune, Baltimore Sun, Lake County News-Sun, Post-Tribune, Hartford Courant, Capital Gazette, and Carroll County Times, among others.