Ransomware is a nightmare for business. All it takes is one
user in the targeted department and the workday becomes very interesting, very
quickly. One set of targets is the government units throughout the states.
This includes large cities, towns, counties, and other units. These entities have
limited resources, which seem to diminish every year. A recent
successful attack occurred against Jackson County in Georgia. Jackson County is
located in southeast Georgia, approximately 60 miles from Atlanta.
Ransomware
Ransomware, unfortunately, is everywhere. It is deployed
at different levels of sophistication, from basic variants to far more advanced strains with many more
functions. Clearly, there was a breach. The staff began to notice an issue when
computers, services, websites, and email addresses ceased operating on March 1st.
The county let the public know on March 5 that there was an issue. On March 6, the county
posted on Facebook that its email system was down. It took them a few
days to understand what had happened. In particular, this attack was rather
advanced, using the Ryuk ransomware strain. This was coded to sever their
online communications in addition to the usual symptoms. It shut down their
entire computer and internet network. In the interim, the county had to do
everything on paper. The attackers are estimated to have been in the system
for a couple of weeks prior to the ransomware being executed. The attack's focus
was to gain access to the police and county records. In effect, every device
connected to the internet was shut down. Fortunately, the 911 system was not
affected.
Help!
The county contacted the FBI and other cybersecurity
experts. After the review, they found they could not reverse the attack's
effects. They attempted to decrypt the files and systems for a week with no
luck. The county decided to pay the ransom. They could have continued trying
to decrypt this for months with no luck. The county hired a cybersecurity
response consultant to negotiate the ransom. The ransom requested was 100
Bitcoins. At that time, this amount was approximately $400k. Unfortunately, the
ransom was paid. They needed to do this. Without the decryption key, all
the equipment would be bricks and the files inaccessible. The county would need
to replace all the equipment and start all over. The payment was more of a
business decision. The status of backups was not published. It's presumed there
was an issue with them, as restoring from backup normally would be a viable alternative.
This is not the first time a successful ransomware attack has occurred
in Georgia. There was the Atlanta attack in 2018. In that instance, the city
did not pay the ransom. They replaced all the equipment. The immediate cost was
$2.6M. The total cost was nearly $17M.
Thoughts
Prevention…prevention…prevention. The issue may be
alleviated somewhat with pertinent, sustained training. Training staff on
what to look out for is the focus. Also, with the Ryuk strain, the
attack vector may be weak RDP passwords. There may be training for this along
with updating the password conventions.
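As an added illustration (not code from the original post), the Python below checks Windows Security failed-logon records for the kind of RDP password guessing just described, which is what a defender would watch for alongside stronger password conventions. The event records, IP addresses and account names are constructed sample data, and the failure threshold and time window are assumptions.

```python
# Added example: flag RDP password guessing from Windows Security event 4625
# (failed logon) records. Logon type 10 is RemoteInteractive, i.e. RDP.
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2019-02-14T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2019-02-14T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2019-02-14T02:00:05", 4625, 10, "203.0.113.7", "jackson"),
    ("2019-02-14T02:00:07", 4625, 10, "203.0.113.7", "backup"),
    ("2019-02-14T02:00:09", 4625, 10, "203.0.113.7", "scanner"),
    ("2019-02-14T02:00:11", 4625, 3, "203.0.113.7", "guest"),      # network logon, not RDP
    ("2019-02-14T02:00:13", 4625, 10, "203.0.113.7", "sysadmin"),
    ("2019-02-14T08:15:00", 4625, 10, "198.51.100.4", "jdoe"),     # a user mistyping
    ("2019-02-14T08:16:30", 4624, 10, "198.51.100.4", "jdoe"),     # successful logon, ignored
    ("2019-02-14T17:40:00", 4625, 10, "198.51.100.4", "jdoe"),
]


def parse_event(record):
    """Turn one constructed record tuple into a dict with a datetime."""
    ts, event_id, logon_type, src_ip, account = record
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "src_ip": src_ip, "account": account}


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: max_failures} for sources with at least `threshold`
    failed RDP logons (event 4625, logon type 10) inside any sliding `window`."""
    failures = defaultdict(list)
    for e in map(parse_event, events):
        if e["event_id"] == 4625 and e["logon_type"] == RDP_LOGON_TYPE:
            failures[e["src_ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # slide the window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(find_rdp_bruteforce(SAMPLE_EVENTS))  # {'203.0.113.7': 6}
```

A real deployment would read these fields from the Security log rather than from a list, and account lockout or network-level authentication on the RDP service is the corresponding preventive control.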