Jackson County, Georgia is just a little over 60 miles from the City of Atlanta. In March 2018, Atlanta was struck by a major ransomware attack. In March 2019, Jackson County suffered its own ransomware attack. Both attacks were successful targeted attacks — but that’s about all they have in common.
Atlanta chose not to pay the ransom — even though the malware was quickly recognized as SamSam, and the SamSam actors had a reputation for delivering decryption keys on payment. Jackson County, reportedly, decided to pay the ransom. The Atlanta ransom was set at a little over $50,000 (not paid). The Jackson County ransom, thought to be paid, was $400,000. Jackson County is thought to be decrypting its systems as this is written — but it’s too soon to know how effective the process will be.
County officials started noticing problems on March 1, 2019. By the end of the weekend they were in serious trouble. On Tuesday, March 5 they went public; and on Wednesday, March 6 they posted, “At this time all County email services are down,” on Facebook. On that day, Sheriff Janis Mangum told StateScoop, “Everything we have is down.” But very little else was known.
Over this weekend, a few more details have emerged. The County contacted both the FBI and security experts. The experts contacted the criminals and apparently brokered payment of the ransom — thought to be 100 bitcoins or around $400,000. This is a huge increase on the amount demanded by the SamSam attackers from the City of Atlanta just twelve months ago. It illustrates the migration of ransomware from small-amount, large-scale scattergun attacks against consumers to targeted, high-value attacks against organizations — and especially government bodies. Governments tend to have lower security budgets, putting their money — the taxpayers’ money — into more visible services rather than opaque security.
It also emerged over the weekend that the ransomware employed is likely to be Ryuk. Ryuk seems to be becoming the primary contender for the SamSam crown following the U.S. indictment of two Iranian citizens over SamSam development and deployment.
Ryuk came to the fore in late summer 2018, when Check Point highlighted a campaign of targeted attacks, and suggested that the North Korean Lazarus group was behind it. In January 2019, several other security firms cast doubt over this attribution, more or less suggesting that any sophisticated criminal group could be behind it.
Meanwhile, Ryuk was also blamed for the cyberattack that disrupted the delivery of several major newspapers in the United States in late December 2018. While there are currently no details of the attack on Jackson County, Ryuk attacks typically start with the cybercriminals accessing the targeted network via weak remote desktop protocol (RDP) passwords. They then attempt to obtain administrator privileges, which they leverage to disable security software, spread to other systems, and encrypt files on the compromised devices.
The second major difference between Jackson County and Atlanta is that Jackson County decided to pay the ransom. It could be that the Atlanta experience was part of this decision process — by June 2018, Atlanta information management head Daphne Rackley said her department would likely require an additional $9.5 million over the coming year, with some estimates suggesting the total recovery cost may exceed $17 million.
This raises an interesting moral dilemma. Worldwide official advice is that ransoms should not be paid. The argument is that only if criminals cease to make money will they cease their attacks. But at what point is the moral obligation to protect taxpayer money more important than the moral requirement to fight criminals? There is no easy answer to this question.
Steve Durbin, managing director of the Information Security Forum, told SecurityWeek, “Most folks will say that you should not pay, while others will say that it is OK. But remember, you could end up with a target on your back. The bottom line is that if you can’t do without the data, and you don’t have a backup, then paying is the only alternative you have left to recollect your information.”
Terence Jackson, CISO at Thycotic, has few doubts. “Frankly, paying a ransom is risky business,” he said. “There are no guarantees that you will actually get the decryption key, and once you do pay you will probably become the target of repeated attacks. The FBI has stated that they do not support paying a ransom, unless it’s absolutely necessary.”
But there is one common factor to all advice: prevention is better than cure. “Measures include training to identify ransomware attacks, procedures in place to maintain proper, air-gapped backups, and automation to identify any infrastructure security gaps and to eliminate other attack vectors,” says Mukul Kumar, CISO and VP of cyber practice at Cavirin.
The implication, although it is only an implication, is that organizations that feel forced to pay the ransom probably have not invested sufficiently in their disaster recovery and backup capabilities.