Cyber Incident Victim: Jackson County
Date: Mar 2019
Location: United States of America
Summary
A Ryuk ransomware attack, believed to have been delivered by phishing, encrypted Jackson County's computer systems in March 2019. Every county department lost its digital systems and fell back to paper processes, which slowed bookings, incident reports and routine administration; phone lines and radio, including 911, stayed up, and the medical emergency network was largely unaffected because it ran on a third-party provider. The county had no backups kept separate from the compromised network, so it paid a $400,000 Bitcoin ransom for a decryption key. The FBI investigated; researchers had already linked Ryuk to Eastern European actors and noted that its code overlaps with Hermes ransomware. The attack followed Ryuk's December 2018 disruption of Tribune Publishing newspapers.
Description
A ransomware attack struck Jackson County, Georgia, crippling government operations across all departments, including email and the computer systems that support emergency services. County offices reverted to paper-based processes, which significantly slowed administrative functions such as arrest bookings, incident reports and routine government activities. Radio communications and phone lines, including 911, remained operational, but the digital systems essential to daily operations were unavailable. Jackson County Manager Kevin Poe confirmed that the medical emergency network saw minimal disruption because it relied on a third-party provider. The attackers demanded payment in Bitcoin to obscure their identity and ultimately received $400,000 after county officials determined that they had no functional backup system separate from the primary network. Without viable backups, officials faced a choice between prolonged operational paralysis and paying the ransom to restore services.

The ransomware was identified as a variant likely related to Ryuk, a strain first documented in August 2018 and linked by researchers to Eastern European threat actors. Ryuk's code shares similarities with Hermes ransomware, which had earlier been associated with North Korea's Lazarus Group; because Hermes was also sold on underground markets, the overlap may reflect code reuse rather than a shared operator, so it does not by itself establish attribution. The FBI investigated the attack, and the county engaged a cybersecurity consultant to negotiate the payment and verify that the decryption key was genuine before the county relied on it. Recovery began immediately after decryption, but the absence of backups kept separate from the production network, a condition that predated the attack, prolonged the disruption. Ryuk is typically delivered through targeted phishing, which matches the suspected initial access vector in this incident. Earlier high-profile Ryuk incidents include the December 2018 attacks on Tribune Publishing outlets such as the Los Angeles Times and Chicago Tribune, which delayed printing and distribution. Jackson County's payment added to the more than 400 Bitcoin, worth hundreds of thousands of dollars at the time, that Ryuk operators had collected within roughly four months of activity. The incident illustrates how smaller municipalities without offline or segmented backups are left with few options other than paying.
