A ransomware attack hit the computers of Jackson County, Georgia, reducing government activity to a crawl until officials decided to pay cybercriminals $400,000 in exchange for the file decryption key.
The attack affected computer systems in all departments of the County, including those for email and emergency services. However, radio communication and phones remained fully functional, so people could still call 911.
The network serving medical emergencies was only minimally affected because it was hosted by a third-party provider, Jackson County Manager Kevin Poe told Online Athens yesterday.
Back to Paper Age
County offices were forced to revert to paper to do their job, which slowed operations drastically. Jackson County Sheriff Janis Mangum told StateScoop that arrest bookings and reports are being done the old-fashioned way, as they were before computers.
As is typical with ransomware, the payment was demanded in bitcoin, to reduce the chance of tracing it back to the perpetrators.
The county gave in to the crooks' demand because it had no backup system in place that was separate from the network used for daily government operations. Without a backup, a victim has to choose between paying and taking a huge operational hit: being offline for a long period, spending money to rebuild the network and, hopefully, adopting a strict data backup policy afterwards.
Although a properly maintained data backup system is the norm nowadays as protection against both system failures and ransomware infections, this measure is rarely seen in smaller communities such as Jackson County.
Ryuk gang probably behind the attack
The FBI is currently investigating the attack, and Poe said that the cybercriminals used a fairly new strain of ransomware called “Ryunk”, operated by a group in Eastern Europe.
The malware is likely Ryuk, associated with a group suspected to be based in Eastern Europe, which borrows code from another piece of ransomware known as Hermes and attributed to the North Korean hacker group Lazarus.
However, Hermes was available for purchase in underground online communities, so those behind Ryuk could have bought it and borrowed a few lines of code to build their own malware.
Ryuk was first discovered by security researcher MalwareHunterTeam in August 2018. The researcher monitored the cryptocurrency wallets used by the cybercriminals and discovered that they had received more than 400 bitcoins in about four months of criminal activity, which amounts to hundreds of thousands of US dollars.
Update after a month: now the addresses that were seen in samples in total received more than 400 BTC.
More than 400 BTC only in ~4 months… https://t.co/FPnIFibOv8
— MalwareHunterTeam (@malwrhunterteam) December 3, 2018
On Friday, Jackson County paid the criminals through a cybersecurity consultant who negotiates with hackers. The county received the correct decryption key and started decrypting the information on the affected computers.
Ryuk is typically used in targeted attacks executed through phishing, likely the method used in the case of Jackson County.
Among the malware's most recent victims are major US newspapers owned by Tribune Publishing and the Los Angeles Times, whose printing and delivery were seriously disrupted by an attack in December 2018.
The publications affected by that attack include the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune, Baltimore Sun, Lake County News-Sun, Post-Tribune, Hartford Courant, Capital Gazette, and Carroll County Times.