Ryuk ransomware has attacked Georgia’s court system. This appears to be the fourth attack against government institutions in the past couple of months. Officials confirmed that at least some parts of the court system’s network were taken offline due to the ransomware.
According to CNN, after receiving a ransom note, Georgia officials decided to take the system offline as a precaution. Bruce Shaw, an official with the state court system, said:
Our systems have been compromised, so we have quarantined our servers and shut off our network to the outside. We haven’t figured that out yet; we would love to. It could be a matter of opportunity, I think.
The good news is that private information hasn’t been compromised in the attack, because officials reacted quickly after reading the ransom note. Taking the system offline buys time to remove the malware and to harden the network against further attempts.
Ryuk Ransomware Most Likely Behind the Attack against Georgia’s Court System
The details surrounding the attack are scarce, but it appears that it involved Ryuk ransomware.
A new version of the ransomware released in June added IP blacklisting: it checks the output of the “arp -a” command for specific IP address strings, and if any of these strings is found, the ransomware will not encrypt the files on that computer. Some of the partial IP address strings in question are 10.30.4, 10.30.5, 10.30.6 and 10.31.32.
Another update has Ryuk compare the computer name against the strings “SPB”, “Spb”, “spb”, “MSK”, “Msk” and “msk”; if any of these is found, the computer won’t be encrypted.
It is most likely that all this is done so that the ransomware operators don’t target computers in Russia for encryption.
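As an added illustration (not code from the article, and not the malware’s own code), here is a small triage helper a responder could use to see whether a host carries the exclusion markers listed above, which helps explain why some machines in an affected network were left unencrypted. It assumes plain substring matching against the `arp -a` output and the computer name, as the article describes; the `arp -a` sample and host names are constructed.

```python
from typing import List

# Partial IP strings and computer-name markers quoted in the article.
RYUK_IP_MARKERS = ("10.30.4", "10.30.5", "10.30.6", "10.31.32")
RYUK_NAME_MARKERS = ("SPB", "Spb", "spb", "MSK", "Msk", "msk")


def matched_ip_markers(arp_output: str) -> List[str]:
    """Return the partial-IP markers found anywhere in `arp -a` output.

    Plain substring search is assumed (as the article describes), so a marker
    such as "10.30.4" also hits 10.30.40.x or 10.30.45.x, not only 10.30.4.x.
    That over-match is worth knowing when explaining which hosts were spared.
    """
    return [marker for marker in RYUK_IP_MARKERS if marker in arp_output]


def matched_name_markers(computer_name: str) -> List[str]:
    """Return the case-specific name markers that appear in the host name."""
    return [marker for marker in RYUK_NAME_MARKERS if marker in computer_name]


def would_be_skipped(arp_output: str, computer_name: str) -> bool:
    """True if either check would make this variant leave the host alone."""
    return bool(matched_ip_markers(arp_output) or matched_name_markers(computer_name))


# Constructed sample in Windows `arp -a` layout (not a real capture).
SAMPLE_ARP = """\
Interface: 10.30.45.12 --- 0xb
  Internet Address      Physical Address      Type
  10.30.45.1            00-11-22-33-44-55     dynamic
  10.30.45.255          ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    # Hypothetical host names used only for illustration.
    for name in ("DESKTOP-JUDGE01", "WS-MSK-017"):
        print(name, "ip markers:", matched_ip_markers(SAMPLE_ARP),
              "name markers:", matched_name_markers(name),
              "skipped:", would_be_skipped(SAMPLE_ARP, name))
```

Note that the constructed sample lives in 10.30.45.0/24, yet it matches the "10.30.4" marker purely because of substring matching, so an exclusion list like this covers more address space than the literal markers suggest.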
Besides these changes, the ransomware proceeds with its usual encryption process. As we wrote back in December 2018, when it was first released, Ryuk ransomware encrypts the victim’s data and demands a ransom to restore it.
Encrypted files receive a secondary .RYK extension, with the original file name left unchanged. The ransomware also drops a text file containing the ransom instructions.