Cyber Crime

Jackson County paid $400,000 to crooks after ransomware attack

The ransomware threat makes the headlines again, this time with an attack that hit the computers of Jackson County, Georgia, paralyzing government activity.

Computers of Jackson County, Georgia, were infected with ransomware that paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.

“The Jackson County government paid online criminals about $400,000 this week following a cyber attack that crippled the county’s computer system.” reported the Online Athens.

“County officials are in the process of decrypting computers and servers a week after the first signs of an attack, said Jackson County Manager Kevin Poe on Friday.”

The computers at all the departments of Jackson County were infected with the malware, including emergency and email services; only 911 operations were not affected.

“At this time all County email services are down. If you need to reach county offices please call them by phone. You can visit our find the phone numbers on this website by clicking on Government and then the listing for the department you need to talk to.” reads the advisory published by the Jackson County.

The media reported that county offices were forced to work on paper during the attack, with a significant impact on operations.

Officials at the County decided to pay the ransom to avoid a long-term interruption of services. The decision suggests that the IT staff at the County did not have backups, or that the backups were encrypted too because they were not properly managed (for example, kept online and reachable from the infected systems).

“They demanded ransom,” said Jackson County Manager Kevin Poe. “We had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our system rebuilt.”

“All of our operations are still ongoing, but we’re basically having to do it the old fashioned way,” Poe added. “During this whole time we never lost our radios or phone service, so 911 was able to continue to operate. The emergency medical service was on a third party provider so it had minimal impact on EMS service.”

The FBI immediately launched an investigation; the feds believe the attack was carried out by a threat actor from eastern Europe.

Poe added that the malware that hit the County is the Ryuk ransomware.

The Ryuk ransomware appears to be connected to the Hermes malware, which was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that disrupted the printing and distribution of several major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation of the malware allowed experts from the security firms FireEye and CrowdStrike to discover that the threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with the threat actors behind TrickBot, a malware that, once it has infected a system, creates a reverse shell back to the attackers, allowing them to move further into the network.

Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime gang they track as GRIM SPIDER, in particular by its Russia-based cell dubbed WIZARD SPIDER, which is behind TrickBot.

Experts pointed out that Hermes was available for sale in the online underground community, so the attackers could have purchased it to create their own version of Ryuk.

At this time it is not clear how the hackers infected the systems at Jackson County; experts believe the attackers used phishing messages as the attack vector.


Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)
