Georgia County Criticized Over $400K Ransomware Payment

Jackson County, Georgia is just a little over 60 miles from the City of Atlanta. In March 2018, Atlanta was struck by a major ransomware attack. In March 2019, Jackson County suffered its own ransomware attack. Both attacks were successful targeted attacks — but that’s about all they have in common.

Atlanta chose not to pay the ransom — even though the malware was quickly recognized as SamSam, and the SamSam actors had a reputation for delivering decryption keys on payment. Jackson County, reportedly, decided to pay the ransom. The Atlanta ransom was set at a little over $50,000 (not paid). The Jackson County ransom, thought to be paid, was $400,000. Jackson County is thought to be decrypting its systems as this is written — but it’s too soon to know how effective the process will be.

County officials started noticing problems on March 1, 2019. By the end of the weekend they were in serious trouble. On Tuesday, March 5 they went public; and on Wednesday, March 6 they posted, “At this time all County email services are down,” on Facebook. On that day, Sheriff Janis Mangum told StateScoop, “Everything we have is down.” But very little else was known.

Over this weekend, a few more details have emerged. The County contacted both the FBI and security experts. The experts contacted the criminals and apparently brokered payment of the ransom — thought to be 100 bitcoins or around $400,000. This is a huge increase on the amount demanded by the SamSam attackers from the City of Atlanta just twelve months ago. It illustrates the migration of ransomware from small-amount, large-scale scattergun attacks against consumers to targeted, high-value attacks against organizations — and especially government bodies. Governments tend to have lower security budgets, putting their money — the taxpayers’ money — into more visible services rather than opaque security.

It also emerged over the weekend that the ransomware employed is likely to be Ryuk. Ryuk seems to be becoming the primary contender for the SamSam crown following the U.S. indictment of two Iranian citizens over SamSam development and deployment.

Ryuk came to the fore in late summer 2018, when Check Point highlighted a campaign of targeted attacks, and suggested that the North Korean Lazarus group was behind it. In January 2019, several other security firms cast doubt over this attribution, more or less suggesting that any sophisticated criminal group could be behind it.

Meanwhile, Ryuk was also blamed for the cyberattack that disrupted the delivery of several major newspapers in the United States in late December 2018. While there are currently no details of the attack on Jackson County, Ryuk attacks typically start with the cybercriminals accessing the targeted network via weak remote desktop protocol (RDP) passwords. They then attempt to obtain administrator privileges, which they leverage to disable security software, spread to other systems, and encrypt files on the compromised devices.
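The intrusion chain just described (password guessing against exposed RDP, a successful remote logon, then security software being switched off) leaves a recognisable trail in Windows event logs, and a detection engineer can alert on it well before files are encrypted. The following script is an added example, not code from the article or from any of the firms it quotes. It reads a constructed, simplified export of Windows Security and System events (event IDs 4625, 4624 and 7036 with their usual field names; the log lines themselves are made up for this example, including the 203.0.113.x and 198.51.100.x addresses), and flags a burst of failed type-10 (RemoteInteractive) logons from one address, a later successful type-10 logon from the same address, and any Service Control Manager "stopped" event for a security product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): a simplified export of
# Windows Security/System events as "timestamp|event_id|key=value|...".
SAMPLE_LOG = """\
2019-03-01T02:14:01|4625|LogonType=10|Account=administrator|SourceIP=203.0.113.45
2019-03-01T02:14:03|4625|LogonType=10|Account=administrator|SourceIP=203.0.113.45
2019-03-01T02:14:05|4625|LogonType=10|Account=administrator|SourceIP=203.0.113.45
2019-03-01T02:14:08|4625|LogonType=10|Account=administrator|SourceIP=203.0.113.45
2019-03-01T02:14:10|4625|LogonType=10|Account=administrator|SourceIP=203.0.113.45
2019-03-01T02:14:12|4625|LogonType=10|Account=administrator|SourceIP=203.0.113.45
2019-03-01T02:14:15|4624|LogonType=10|Account=administrator|SourceIP=203.0.113.45
2019-03-01T02:31:40|7036|Service=Windows Defender Antivirus Service|State=stopped
2019-03-01T09:02:11|4624|LogonType=2|Account=jsmith|SourceIP=-
2019-03-01T09:05:00|4625|LogonType=10|Account=jsmith|SourceIP=198.51.100.7
"""

FAIL_THRESHOLD = 5              # failed RDP logons from one IP inside WINDOW
WINDOW = timedelta(minutes=10)  # sliding window for the burst
# Assumed keywords for identifying security products in service names.
SECURITY_SERVICES = ("defender", "antivirus", "endpoint protection")


def parse_event(line):
    """Turn one pipe-delimited line into a dict with a datetime and int event_id."""
    parts = line.strip().split("|")
    event = {"time": datetime.fromisoformat(parts[0]), "event_id": int(parts[1])}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_rdp_password_guessing(events):
    """Return {source_ip: total_failures} for IPs that produced at least
    FAIL_THRESHOLD failed RemoteInteractive (type 10) logons within WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("LogonType") == "10":
            failures[e["SourceIP"]].append(e["time"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                hits[ip] = len(times)
                break
    return hits


def find_guessing_followed_by_success(events):
    """IPs whose failure burst is followed by a successful type-10 logon: the
    'weak RDP password' entry point. Returns {source_ip: account}."""
    suspects = find_rdp_password_guessing(events)
    first_failure = {}
    for e in events:
        ip = e.get("SourceIP")
        if e["event_id"] == 4625 and ip in suspects:
            first_failure[ip] = min(first_failure.get(ip, e["time"]), e["time"])
    result = {}
    for e in events:
        ip = e.get("SourceIP")
        if (e["event_id"] == 4624 and e.get("LogonType") == "10"
                and ip in suspects and e["time"] > first_failure[ip]):
            result[ip] = e["Account"]
    return result


def find_security_service_stops(events):
    """Service Control Manager 7036 'stopped' events naming a security product."""
    return [e["Service"] for e in events
            if e["event_id"] == 7036 and e.get("State") == "stopped"
            and any(k in e["Service"].lower() for k in SECURITY_SERVICES)]


def detect(text):
    """Run all three checks over a log export and return the findings."""
    events = parse_log(text)
    return {
        "password_guessing": find_rdp_password_guessing(events),
        "successful_after_guessing": find_guessing_followed_by_success(events),
        "security_services_stopped": find_security_service_stops(events),
    }


if __name__ == "__main__":
    for name, finding in detect(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Each check on its own is noisy (a locked-out admin mistyping a password, a planned antivirus upgrade), so the useful alert is the conjunction: a burst of failures, a success from the same address, and a security service stopping within the same hour. In a real deployment the same logic would run over events pulled from a SIEM rather than an inline string, and the source address would be compared against the organisation's known management ranges.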

The second major difference between Jackson County and Atlanta is that Jackson County decided to pay the ransom. It could be that the Atlanta experience was part of this decision process — by June 2018, Atlanta information management head Daphne Rackley said her department would likely require an additional $9.5 million over the coming year; with some estimates suggesting the total recovery cost may exceed $17 million. 

This raises an interesting moral dilemma. Worldwide official advice is that ransoms should not be paid. The argument is that only if criminals cease to make money will they cease their attacks. But at what point is the moral obligation to protect taxpayer money more important than the moral requirement to fight criminals? There is no easy answer to this question.

Steve Durbin, managing director of the Information Security Forum, told SecurityWeek, “Most folks will say that you should not pay, while others will say that it is OK. But remember, you could end up with a target on your back. The bottom line is that if you can’t do without the data, and you don’t have a backup, then paying is the only alternative you have left to recollect your information.”

Terence Jackson, CISO at Thycotic, has few doubts. “Frankly, paying a ransom is risky business,” he said. “There are no guarantees that you will actually get the decryption key, and once you do pay you will probably become the target of repeated attacks. The FBI has stated that they do not support paying a ransom, unless it’s absolutely necessary.”

But there is one common factor to all advice: prevention is better than cure. “Measures include training to identify ransomware attacks, procedures in place to maintain proper, air-gapped backups, and automation to identify any infrastructure security gaps and to eliminate other attack vectors,” says Mukul Kumar, CISO and VP of cyber practice at Cavirin.

The implication, although it is only an implication, is that organizations that feel forced to pay the ransom probably have not invested sufficiently in their disaster recovery and backup capabilities.

Related: Increasing Involvement of Nation-states in Ransomware Attacks 

Related: Legislation Would Stiffen Penalties for Ransomware Attacks 

Related: The Rapid Evolution of Ransomware in the Enterprise

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
