Cyber Incident Victim: Georgia Capitol Police
Date: Jul 2019
Location: United States of America
Summary
A ransomware attack hit multiple Georgia state law enforcement agencies, including the State Capitol Police, disrupting computer networks and forcing systems offline. The infection was first detected on a field laptop and then spread to other workstations, prompting authorities to shut down the entire shared network to contain it. Operations faced major disruption: officers lost computer-based lookup and research capabilities and fell back on radio dispatch and telephone communications. While the outage hindered access to information, it did not prevent officers from performing their duties. IT specialists and the FBI assisted in investigating the incident; whether the attackers issued any ransom demand was not confirmed.
Description
On July 26, 2019, the Georgia State Patrol confirmed a ransomware attack affecting multiple state law enforcement agencies: the Georgia State Patrol itself, the State Capitol Police, and the commercial enforcement division. The incident was first detected roughly 24 hours earlier, when a suspicious message appeared on a field laptop operated by the Georgia State Patrol. As the ransomware spread to additional workstations on the network, officials decided to shut down the entire network serving the affected agencies to contain it. This containment step was taken before the incident was publicly disclosed on Friday. The outage forced troopers and officers to rely exclusively on radio dispatch and telephone lines for law enforcement operations, removing their access to the computer systems used for routine work. Officials characterized the incident as a "major disruption" to agency operations, chiefly because personnel could no longer look up information in digital databases. Despite this, authorities emphasized that officers remained able to perform essential duties in the field without network access, because dispatch and voice communications did not depend on the compromised network.

Multiple IT teams and cybersecurity specialists began investigating shortly after the discovery, though the specific ransomware variant and the initial attack vector had not been identified at the time of reporting. By Saturday afternoon the networks of all three agencies remained offline while forensic examination continued. The FBI announced its involvement on Sunday evening but disclosed no details of its investigative actions. Officials did not confirm whether the ransomware operators had made explicit demands or communicated ransom terms to the affected agencies. The incident highlighted an operational dependency in law enforcement infrastructure: information retrieval relied on a single networked environment, so containing the infection meant giving up that capability entirely. The network-wide shutdown traded availability for containment, and it was workable only because radio and telephone channels existed outside the affected network. While the attack did not prevent officers from responding to incidents, it significantly degraded administrative efficiency and real-time data access across all three agencies until systems could be restored.
