After considering the potential costs and benefits, Jackson County, Georgia determined that paying the ransom demand to unlock files encrypted in ransomware attack was the best option, even though the ransom demand was around $400,000.
The attack occurred over the weekend of March 2/3, 2019, and resulted in the widespread encryption of data. The email system of the country’s government was taken out of action, and even systems used by the emergency services were taken offline. Sheriff Janis Mangum explained to local media on Tuesday March 5, that all county departments had been affected by the attack.
With no access to computers, day-to-day operations had to be conducted on paper. Even law enforcement had to conduct arrest bookings on paper and submit paper reports. While most departments remained open and were able to continue working, most government activities slowed to a snail’s pace.
Many businesses have been attacked with ransomware and have decided to pay the ransom. The time, disruption to business services, and the ongoing costs make payment of the ransom preferable. There is no guarantee that paying a ransom demand will see the attackers provide viable keys to unlock encrypted files, but it is a chance that some businesses take, especially when the ransom demand is not particularly high.
For Jackson County, that was not an option. There was no backup system that could be used to restore files for county government operations. Jackson County therefore faced months and months of disruption while systems were rebuilt from scratch. Even though the ransom demand was considerable, the decision was taken to pay. The cost of recovering files and systems without the keys to unlock the encryption could have been several orders of magnitude higher.
The ransomware attack on the City of Atlanta serves as a good example. The attackers issued a ransom demand of around $52,000 in cryptocurrency but the city refused to pay. The cost of recovery was initially thought to be around $2.6 million, although estimates have since risen to around $17 million.
An expert cybersecurity response consultant was hired by Jackson County to help negotiate with the attackers, according to Jackson County Manager Kevin Poe. He said that the attackers appeared to have been in the system for a couple of weeks before deploying the ransomware and that the attack was coordinated to cause maximum damage.
Prior to paying the attackers, they were confirmed as being the individuals behind the attack and a test file was decrypted free of charge as proof that they had viable decryption keys. Even with the keys it is taking time to bring systems back online. Priority is being given to systems needed by the emergency services.
Poe explained to Athens Online that the ransomware variant used in the attack was a new variant called Ryunk. That may be a variant of Ryuk ransomware, which has been used in several recent ransomware attacks. The gang behind that ransomware variant have been using it since around August 2018 and many of their victims have paid up. By the end of the year, MalwareHunterTeam tweeted that the BTC accounts used by the attackers had received more than 400 BTC in payments – That’s more than $1.5 million.
The gang is known for planned attacks on large companies and government agencies, including the Tribune Publishing attacks last year that resulted in the encryption of files at several U.S. Newspapers in December 2018.
The latest attack shows just how critical it is for backups to be made of all essential files and all systems, and for at least one copy of a backup to be stored on a non-networked device.