What is Ransomware? Georgia Court System Falls Victim to Cyberattack as Towns and Cities in Florida Pay More Than $1 Million to Hackers

A website and computer network which supports Georgia's court system has been taken offline following a ransomware cyberattack that was discovered last weekend, officials say.

On Monday, a spokesperson for the Administrative Office of the Courts, Bruce Shaw, confirmed systems were compromised by ransomware and said servers had been taken down as investigators probed the incident, WXIA-TV (11 Alive) reported. The government website remains offline at the time of writing.

"On Saturday morning the Administrative Office of the Courts discovered sophisticated malware on our servers. After an assessment of our system, it was determined that it would be best to take our network offline," the Georgia agency confirmed in a statement to Wired magazine. "Our primary focus at this time is to ensure our systems remain secure and that we get them back up and running as soon as possible."

Shaw stressed that no private citizen information, such as Social Security numbers, had been stolen. In general, ransomware encrypts computer files and keeps them locked until money is paid to the hackers for the decryption key. The digital extortion targets every type of organization and industry—and can be spread via malicious emails.

The Administrative Office of the Courts told Channel 2 Action News that individual court networks are not all affected but courts that use applications on its network may experience issues or delays. The affected website provides support to state, probate, magistrate, and municipal court councils.

In recent weeks, at least three Florida towns and cities fell victim to similar incidents and pledged to pay the hackers more than $1 million to restore their systems. Lake City, infected on June 10, decided to pay roughly $460,000 worth of bitcoin to the culprits, while officials at Riviera Beach agreed to pay out the equivalent of about $600,000. Key Biscayne computer networks were infected on June 23. An investigation is ongoing.

The Riviera Beach attack, which began on May 19 after a police staffer opened a booby-trapped email attachment, knocked out some email and phone lines. The same happened in Lake City, where utility and water payments had to be made in person at city hall because credit card systems were no longer available.

It remains unknown who is responsible and if the attacks are linked.

Indeed, much remains unclear about the latest Georgia infection, including the strain of ransomware keeping a tight grip on the state's files and the exact amount of money being demanded. It shares key similarities to the "Ryuk" ransomware that was discovered in the Florida outbreaks, tech website Ars Technica reported.

A laptop displays a message after being infected by ransomware as part of a worldwide cyberattack on June 27, 2017 in Geldrop. Victims in the U.S. are now being impacted by a strain known as "Ryuk," experts say. ROB ENGELAAR/AFP/Getty

Researchers describe Ryuk as a "triple threat" because it is often deployed alongside two additional strains of malware, "TrickBot" and "Emotet," which gain the initial foothold before the ransomware is dropped. In the past it has been used in highly targeted attacks.

According to WXIA-TV, Shaw said the Georgia ransom threat did not contain an exact financial demand, which matches ransom notes previously obtained from computers infected with Ryuk.

The strain was first detected in August last year and initially showed links to malware used by North Korean hackers. Other researchers have suggested it is more likely to be linked to Russian-speaking hackers. Attributing cyberattacks to exact culprits remains extremely difficult, cyber experts say.

"Once Ryuk infects the machine, it starts to encrypt files and spreads through the network to infect more machines," Cybereason experts wrote in April. "This increases the damage and the likelihood that the victim will be willing to pay the ransom. This threat, due to its advanced capabilities and spreading ability, can cause a great deal of damage to an organization, from loss of money to brand degradation."

According to the U.K. National Cyber Security Centre, a branch of the signals intelligence agency Government Communications Headquarters (GCHQ), Ryuk's ransoms are set based on the victim's "perceived ability" to pay. In an advisory published on June 22, the NCSC warned that Ryuk is "a persistent infection."

The debate over whether to pay money to those responsible for the attacks has raged for years. In broad terms, law enforcement advises against it—but acknowledges it's not always a clear-cut decision.

The FBI, for example, explains online that paying "emboldens the adversary to target other victims for profit". Still, it concedes: "While the FBI does not support paying a ransom it recognizes executives, when faced with interoperability issues, will evaluate all options to protect their shareholders, employees, and customers." Upon infection, it urges victims to secure backup data by taking systems offline.

It is not the first time a cyber incident could prove costly for Georgia. In March last year, a ransomware outbreak impacted the City of Atlanta and encrypted approximately 3,800 computers. Hackers demanded the equivalent of $50,000 in bitcoin but the dark web portal used to pay later became inaccessible and no bitcoin was transferred.

The cost of recovery has totaled more than $7 million so far, The Atlanta Journal-Constitution reported. In December last year, two Iranian nationals were indicted for the devastating attack. They were named as Faramarz Shahi Savandi, aged 27, and Mohammed Mehdi Shah Mansouri, 34.

An IT researcher shows on a giant screen a computer infected by ransomware at the LHS (High Security Laboratory) of the INRIA (National Institute for Research in Computer Science and Automation) in Rennes, on November 3, 2016. DAMIEN MEYER/AFP/Getty