Ransomware attacks have been spreading across the United States in the past few weeks at a fairly steady rate: back in June, two municipal governments were brought to a standstill, while the city of Baltimore, which has refused to pay the ransom, was allocated an extra $10 million by the City Board to help it deal with the situation.
Baltimore is still struggling with a number of systems, even though it has been eight weeks since the attack.
Florida’s Lake City, however, did agree to pay the hackers $490,000 in bitcoin and, just a week later, Riviera City also paid up $594,000 after suffering a similar attack.
The latest government branch taken hostage by ransomware is Georgia’s judicial system, which came under attack last weekend and saw some of its digital services disabled.
The attack was discovered on Saturday during a routine scan of the servers of the Administrative Office of the Courts. The discovery was passed on to the Georgia Technology Authority, which started to work alongside the Georgia Emergency Management and Homeland Security Agency, the Georgia Bureau of Investigation, the FBI and the Multi-State Information Sharing and Analysis Center.
Courts spokesman Bruce Shaw did not say which ransomware was used in the attack but, according to a StateScoop source, they might be dealing with Ryuk, a ransomware strain that often arrives together with the Emotet and TrickBot trojans.
Emotet is a Trojan delivered through a phishing email that carries a fake Microsoft Word file. Once that attachment is opened, TrickBot is released. TrickBot, in turn, steals information from the infected computer and scans the network the computer is connected to.
Once TrickBot determines that the network can be compromised, it releases Ryuk, the final payload to be downloaded, which encrypts the local files. Ryuk is suspected to be the same virus that was used to attack the two Florida cities as well.
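As an added illustration of the three-stage chain just described (this is not code from the article or from any vendor it names), the following Python correlator flags a host only when constructed endpoint events show, in order, an Office document spawning a script host, SMB connections to several internal hosts, and a run of file renames. All process names, thresholds and sample events are assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Assumed indicators for each stage of the chain (tuning values, not from the article).
OFFICE_APPS = {"winword.exe", "excel.exe"}          # stage 1: malicious attachment opened
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
SCAN_THRESHOLD = 3      # stage 2: distinct internal hosts contacted on SMB port 445
ENCRYPT_THRESHOLD = 3   # stage 3: files renamed with an appended extension

# Constructed sample telemetry, not taken from the article: (seconds, host, kind, detail)
EVENTS = [
    (0,  "ws-17", "process", "WINWORD.EXE>powershell.exe"),   # Word launches a script host
    (5,  "ws-17", "netconn", "10.0.0.5:445"),                 # network scanning begins
    (6,  "ws-17", "netconn", "10.0.0.6:445"),
    (7,  "ws-17", "netconn", "10.0.0.7:445"),
    (60, "ws-17", "rename",  "report.docx>report.docx.locked"),  # encryption renames files
    (61, "ws-17", "rename",  "budget.xlsx>budget.xlsx.locked"),
    (62, "ws-17", "rename",  "notes.txt>notes.txt.locked"),
    (3,  "ws-22", "process", "explorer.exe>notepad.exe"),     # benign activity on another host
    (9,  "ws-22", "netconn", "10.0.0.5:445"),
]


def chain_stages(events):
    """Return {host: [stages reached]} in the order delivery -> scanning -> encryption.
    Each stage only counts once the previous one has been observed on the same host."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in sorted(events):
        by_host[host].append((ts, kind, detail))
    result = {}
    for host, evs in by_host.items():
        stages, smb_targets, renamed = [], set(), 0
        for _ts, kind, detail in evs:
            if kind == "process" and not stages:
                parent, child = (p.lower() for p in detail.split(">"))
                if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                    stages.append("delivery")
            elif kind == "netconn" and stages == ["delivery"]:
                ip, port = detail.rsplit(":", 1)
                if port == "445":
                    smb_targets.add(ip)
                if len(smb_targets) >= SCAN_THRESHOLD:
                    stages.append("scanning")
            elif kind == "rename" and stages == ["delivery", "scanning"]:
                old, new = detail.split(">")
                if new.startswith(old) and len(new) > len(old):
                    renamed += 1
                if renamed >= ENCRYPT_THRESHOLD:
                    stages.append("encryption")
        result[host] = stages
    return result
```

Requiring the stages in sequence keeps a lone SMB connection or a single Office-spawned script from raising the full-chain alert, while still surfacing partial progress per host for triage.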
The situation in Georgia for now is somewhat under control, according to Shaw. The attack only reached the Administrative Office of the Courts. The individual courts’ networks are still functional, though some operations will see delays, especially if they happen to depend on the applications that were hosted on the central office servers – those servers were taken offline immediately after the attack came to light.
“We are working with our partners to assess and evaluate the situation and our primary focus at this time is to ensure our systems remain secure and that we get them back up and running as soon as possible,” Shaw said.
Georgia and Florida are geographically close and, even though the same virus was allegedly used in all three attacks and they happened one after the other at a steady pace, Brett Callow, spokesman for cybersecurity firm Emsisoft, has said that it’s all just a coincidence.
“We’ve no reason to believe these incidents are directly connected,” Callow explained. “The success the threat actors have had in the southern US could be encouraging them to scan for vulnerable systems in that geographic area but, beyond that, it’s most likely random.”