Georgia’s court system has been hit with what may be the fourth Ryuk ransomware strike against state and local agencies in the past month and a half.
At the time of publishing this article, the site was still down.
According to Atlanta’s Channel 11 News, officials confirmed on Monday that at least part of the court system’s network had been knocked offline by a ransomware attack.
Details about the extent of the damage haven’t been publicly disclosed, but officials say it’s much less severe than the attack against Atlanta that destroyed years of police dashcam video last year, as well as freezing systems. Six days after it was hit, Atlanta was still rescheduling court dates, police and other employees were still writing out reports by hand, and residents couldn’t go online to pay their water bills or parking tickets.
The earlier attack against Atlanta involved SamSam ransomware – a high-profile ransomware that was typically used in targeted attacks where cybercriminals break into a victim’s network and launch ransomware manually, to cause maximum damage and disruption.
The crooks demanded what was then roughly $52,000 worth of bitcoin. That paled in comparison to the $2.6 million worth of emergency contracts the city initiated to claw back its systems, and to the six-figure ransoms demanded in similar targeted attacks by other gangs.
The nature of this latest attack on Georgia’s court system hasn’t yet been determined. Authorities said the extortionists’ note didn’t specify a ransom amount or make any particular demands. Although the attack doesn’t appear to be as crippling as the SamSam one from last year, they took the court network offline to stay on the safe side, authorities said.
While few details were available as of Tuesday afternoon, there’s a hint that the Georgia assault might involve Ryuk ransomware.
On Tuesday afternoon, Ars Technica’s Sean Gallagher tweeted a followup to his writeup of the Georgia attack, saying that he’d heard back from the Georgia Administrative Office of Courts. He was told that while the malware hasn’t yet been identified, it left a message with contact information for ransom operators, which is “consistent with Ryuk and other targeted ransomware,” Gallagher said.
As Naked Security’s Mark Stockley detailed back in December, Ryuk – a relatively new strain of targeted ransomware – ascended just as SamSam’s influence began to diminish in August 2018.
If so, it might be the fourth Ryuk attack against state and local agencies since May. The first three were against Florida cities, though it’s not entirely clear whether Ryuk was involved in the attack against Riviera Beach. At any rate, the cities that have fallen prey to some sort of ransomware in the past few weeks are:
- Riviera Beach, Florida, which agreed to pay attackers over $600,000 three weeks after its systems were crippled.
- Lake City, Florida, which was hit on 10 June by Ryuk ransomware, apparently delivered via Emotet. Lake City officials agreed to pay a ransom of about $490,000 in Bitcoin.
- Key Biscayne, Florida, which last week also got clobbered by an Emotet-delivered Ryuk attack. The city reportedly hasn’t yet decided if it’s going to pay the ransom.
On Monday, after its insurer had agreed to pay most of that $490K ransom, Lake City’s Joe Helfenberg confirmed that the city had fired its IT director, Brian Hawkins.
What to do?
For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.
The bottom line is: if all else fails, you’ll wish you had comprehensive backups, and that they aren’t accessible to attackers who’ve compromised your network. Modern ransomware attacks don’t just encrypt data, they encrypt parts of the computer operating system too, so your backup plan needs to account for how you will restore entire machines, not just data.
For more on dealing with ransomware, listen to our Techknow podcast:
Sophos products can help
Sophos Intercept X Advanced protects against ransomware. Learn how it detects and blocks attacks over on Sophos News.