Georgia courts appear to be latest victim of Ryuk ransomware
The state of Georgia’s judicial system became the latest government victim of a ransomware attack last weekend that has disabled some of its digital services.
The infection was first discovered Saturday during a routine scan on the servers of the Administrative Office of the Courts, courts spokesman Bruce Shaw told StateScoop. The office relayed the finding to the Georgia Technology Authority, the statewide IT agency, and also receiving assistance from the Georgia Emergency Management and Homeland Security Agency, the Georgia Bureau of Investigation, the FBI and the Multi-State Information Sharing and Analysis Center.
Shaw said the attack is limited to the Administrative Office of the Courts and individual courts’ networks are functional, though some operations may be slowed down if they rely on applications hosted on the central office’s servers, which were taken offline after the attack was discovered.
“We are working with our partners to assess and evaluate the situation and our primary focus at this time is to ensure our systems remain secure and that we get them back up and running as soon as possible,” Shaw said.
The attack was first reported by WXIA, the NBC affiliate in Atlanta.
Shaw did not identify the type of ransomware used in the attack. But a source with knowledge of the incident said the courts appear to have been hit by Ryuk, the same malware responsible for several attacks last month across a series of small cities in Florida, including two that paid hundreds of thousands of dollars to hackers to restore their systems.
Officials in Lake City, a community of about 12,000 people on the Florida panhandle, agreed last Tuesday to pay about $490,000 in bitcoin. That payment came barely a week after Riviera City, a 35,000 city near Palm Beach, ponied up about $594,000. Key Biscayne, just outside Miami, also reported last week being hit by Ryuk last week, though officials there have not yet made a public decision about whether to pay. Most of Lake City’s payment was covered by a cyber insurance policy (it paid a $10,000 deductible), and the city has also fired one member of its information technology staff in the wake of its experience.
The Ryuk malware is also often packaged with two other viruses: Emotet, a Trojan horse virus delivered through a phishing email containing an attachment designed to look like a Microsoft Word file, and TrickBot, which steals sensitive information from an infected computer and scans the network it’s connected to. According to the research firm Cybereason, opening the email attachment containing Emotet triggers a download of TrickBot. If TrickBot’s scan of the system it has infected determines the network can be compromised with Ryuk, the ransomware is then downloaded and encrypts the local files.
The multi-pronged attack has led to the Emotet-TrickBot-Ryuk combination sometimes being referred to as a “triple threat.”
Before the Georgia courts and the most recent Florida attacks, Ryuk attacks earlier this year targeted Jackson County, Georgia; Imperial County, California; and Stuart, Florida. Imperial County and Stuart did not pay their ransoms, though Jackson County acceded to a demand of roughly $400,000.
Ryuk was first identified last August after the hackers behind it collected nearly $640,000 from multiple targets in just the first two weeks after it was initially deployed. While early research linked its techniques to those used by cyberthreats in North Korea, a report published in February by McAfee and Coveware attributed Ryuk to hackers in either Eastern Europe or Russia. Additionally, the United Kingdom’s National Cyber Security Centre issued an alert last week warning that Ryuk is targeting organizations around the world.
Despite the relative geographic closeness of the recent Georgia and Florida attacks, though, any proximity is likely a coincidence, said Brett Callow, a spokesman for New Zealand cybersecurity firm Emsisoft, which specializes in ransomware decryption.
“We’ve no reason to believe these incidents are directly connected,” he said. “The success the threat actors have had in the southern US could be encouraging them to scan for vulnerable systems in that geographic area but, beyond that, it’s most likely random.”
