Georgia County Criticized Over $400K Ransomware Payment

Jackson County, Georgia is just a little over 60 miles from the City of Atlanta. In March 2018, Atlanta was struck by a major ransomware attack. In March 2019, Jackson County suffered its own ransomware attack. Both attacks were successful targeted attacks — but that’s about all they have in common.

Atlanta chose not to pay the ransom — even though the malware was quickly recognized as SamSam, and the SamSam actors had a reputation for delivering decryption keys on payment. Jackson County, reportedly, decided to pay the ransom. The Atlanta ransom was set at a little over $50,000 (not paid). The Jackson County ransom, thought to be paid, was $400,000. Jackson County is thought to be decrypting its systems as this is written — but it’s too soon to know how effective the process will be.

County officials started noticing problems on March 1, 2019. By the end of the weekend they were in serious trouble. On Tuesday, March 5 they went public; and on Wednesday, March 6 they posted, “At this time all County email services are down,” on Facebook. On that day, Sheriff Janis Mangum told StateScoop, “Everything we have is down.” But very little else was known.

Over this weekend, a few more details have emerged. The County contacted both the FBI and security experts. The experts contacted the criminals and apparently brokered payment of the ransom — thought to be 100 bitcoins or around $400,000. This is a huge increase over the amount demanded by the SamSam attackers from the City of Atlanta just twelve months ago. It illustrates the migration of ransomware from small-amount, large-scale scattergun attacks against consumers to targeted, high-value attacks against organizations — and especially government bodies. Governments tend to have lower security budgets, putting their money — the taxpayers’ money — into more visible services rather than opaque security.

It also emerged over the weekend that the ransomware employed is likely to be Ryuk. Ryuk seems to be becoming the primary contender for the SamSam crown following the U.S. indictment of two Iranian citizens over SamSam development and deployment.

Ryuk came to the fore in late summer 2018, when Check Point highlighted a campaign of targeted attacks, and suggested that the North Korean Lazarus group was behind it. In January 2019, several other security firms cast doubt over this attribution, more or less suggesting that any sophisticated criminal group could be behind it.

Meanwhile, Ryuk was also blamed for the cyberattack that disrupted the delivery of several major newspapers in the United States in late December 2018. While there are currently no details of the attack on Jackson County, Ryuk attacks typically start with the cybercriminals accessing the targeted network via weak remote desktop protocol (RDP) passwords. They then attempt to obtain administrator privileges, which they leverage to disable security software, spread to other systems, and encrypt files on the compromised devices.
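The initial-access step described above (password guessing against exposed RDP) leaves a recognisable trace in Windows Security logs. The following detector is an added example, not code from the article or from any vendor named in it: it runs over constructed sample records and flags a source that accumulates repeated failed RDP logons inside a short window, escalating the alert if a successful RDP logon from that source follows. Event IDs 4625/4624 and logon type 10 are real Windows values; the hosts, addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2019-03-01T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-03-01T02:00:09", 4625, 10, "203.0.113.7", "admin"),
    ("2019-03-01T02:00:17", 4625, 10, "203.0.113.7", "backup"),
    ("2019-03-01T02:00:25", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-03-01T02:00:33", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-03-01T02:00:41", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-03-01T02:01:02", 4624, 10, "203.0.113.7", "administrator"),  # guess succeeded
    ("2019-03-01T08:15:00", 4625, 10, "198.51.100.9", "jsmith"),        # one typo, benign
    ("2019-03-01T08:15:20", 4624, 10, "198.51.100.9", "jsmith"),
    ("2019-03-01T09:00:00", 4625, 3, "198.51.100.9", "svc"),            # network logon, ignored
]

FAIL_THRESHOLD = 5          # failed RDP logons from one source ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window raise an alert


def detect_rdp_guessing(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for sources exceeding the failure threshold.

    alert['status'] is 'guessing' while only failures are seen and becomes
    'success_after_failures' if a successful RDP logon from that source follows,
    which is the case an analyst should treat as a likely compromised host.
    """
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(list)   # source_ip -> failure timestamps inside the window
    alerts = {}
    for ts_str, event_id, logon_type, src, account in events:
        if logon_type != 10:       # only RDP (RemoteInteractive) logons are of interest here
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            recent = [t for t in failures[src] if ts - t <= window]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {"status": "guessing"})
                alert["failures"] = len(recent)
        elif event_id == 4624 and src in alerts:
            alerts[src]["status"] = "success_after_failures"
            alerts[src]["account"] = account
    return alerts
```

A benign user's occasional typo never reaches the threshold, so only the guessing source appears in the result; in production the same logic would be fed from the Security event channel rather than an inline list.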

The second major difference between Jackson County and Atlanta is that Jackson County decided to pay the ransom. It could be that the Atlanta experience was part of this decision process — by June 2018, Atlanta information management head Daphne Rackley said her department would likely require an additional $9.5 million over the coming year, with some estimates suggesting the total recovery cost may exceed $17 million.

This raises an interesting moral dilemma. Worldwide official advice is that ransoms should not be paid. The argument is that only if criminals cease to make money will they cease their attacks. But at what point is the moral obligation to protect taxpayer money more important than the moral requirement to fight criminals? There is no easy answer to this question.

Steve Durbin, managing director of the Information Security Forum, told SecurityWeek, “Most folks will say that you should not pay, while others will say that it is OK. But remember, you could end up with a target on your back. The bottom line is that if you can’t do without the data, and you don’t have a backup, then paying is the only alternative you have left to recollect your information.”

Terence Jackson, CISO at Thycotic, has few doubts. “Frankly, paying a ransom is risky business,” he said. “There are no guarantees that you will actually get the decryption key, and once you do pay you will probably become the target of repeated attacks. The FBI has stated that they do not support paying a ransom, unless it’s absolutely necessary.”

But there is one common factor to all advice: prevention is better than cure. “Measures include training to identify ransomware attacks, procedures in place to maintain proper, air-gapped backups, and automation to identify any infrastructure security gaps and to eliminate other attack vectors,” says Mukul Kumar, CISO and VP of cyber practice at Cavirin.

The implication, although it is only an implication, is that organizations that feel forced to pay the ransom probably have not invested sufficiently in their disaster recovery and backup capabilities.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
