A spokesman for Georgia’s Administrative Office of the Courts has confirmed that the AOC’s information technology team discovered ransomware on the organization’s servers on Saturday. While the spokesman could not provide specific details about the ransomware involved in the attack, its characteristics are consistent with the Ryuk ransomware that has struck multiple companies and government agencies over the past few months—including at least two Florida cities.
Bruce Shaw, communications and outreach specialist for the AOC, told Ars that a file containing contact information for the ransomware operators was left on the affected servers but that no specific ransom was demanded. “After an assessment of our system, it was determined that it would be best to take our network offline,” Shaw said.
The attack’s effects were isolated to servers providing the AOC’s applications—including case management. “Individual courts’ networks are not affected,” Shaw said. “Only courts who use applications hosted by our network might experience some delay in their local operations. Our understanding is that all courts are operational, but some processes normally handled by our applications may be impacted.”
After detecting the malware during what was described as a “routine security assessment,” the AOC’s IT team immediately contacted the Georgia Technology Authority, the state’s central IT agency. State and federal law enforcement and information security authorities—including the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Georgia Emergency Management & Homeland Security Agency, the Georgia National Guard Cyber Protection Team, the Georgia Bureau of Investigation, and the Federal Bureau of Investigation—were brought in to assist in the response.
As of today, the AOC and the teams brought in to assist have “started shifting our efforts to the recovery phase,” Shaw said. Services that were not affected by the ransomware are being shifted to new server environments as a precaution against any lingering ransomware on the existing server infrastructure. Meanwhile, Shaw noted, the AOC is “exploring alternatives for any affected services.” Those services, including case management, are normally provided via a Web portal to courts outside the Atlanta metropolitan area, “and those courts are currently using a manual process” based on their individual emergency operations plans, Shaw added.
Given the speed with which the ransomware attack on Georgia AOC was caught and its limited impact, the agency will not be paying any ransom. Meanwhile, a crisis public relations firm for one of the three Florida cities hit by ransomware in June announced today that the city had transferred $600,000 worth of bitcoin to the attacker that had taken down its systems.
The city of Riviera Beach’s payment was largely covered by insurance—the city will only be responsible for a $10,000 deductible, and the insurance will cover the remainder of both the ransom and the fee for the PR agency, Levick Public Relations. “City Council determined, by unanimous vote, that instructing the City’s insurance carrier to pay the ransom was in the best interest of Riviera Beach residents,” a spokesperson from Levick said in a statement sent to media.
Riviera Beach will also spend over $1 million to replace or restore systems compromised in the ransomware attack. The decision by Riviera Beach’s city council to pay the ransom may have been motivated by the city’s insurer and by the damage done in Baltimore City by a ransomware attack in May.