Ryuk ransomware has attacked Georgia’s court system. This appears to be the fourth attack against government institutions in the past couple of months. Officials confirmed that at least some parts of the court system’s network were taken offline due to the ransomware.
According to CNN, after receiving a ransom note, Georgia officials decided to take a system offline just in case, to be safe. Bruce Shaw, an official with the state court system, said:
Our systems have been compromised, so we have quarantined our servers and shut off our network to the outside. We haven’t figured that out yet, we would love to. It could be a matter of opportunity, I think.
The good news is that private information hasn’t been compromised in the attack because officials were quick to react after reading the ransom note. This is because taking a system offline makes time to get rid of the malware and secure it against future endeavors.
Ryuk Ransomware Most Likely Behind the Attack against Georgia’s Court System
The details surrounding the attack are scarce but it appears that it involved Ryuk ransomware.
The ransomware has a new version released in June which has IP blacklisting capabilities and is designed to check the output of the “arp –a” parameter for specific IP address strings. In case these strings are found, the ransomware will not encrypt the files on that computer. Here are some of the partial IP address strings in question: 10.30.4, 10.30.5, 10.30.6, or 10.31.32.
Another update of Ryuk includes the ransomware comparing the computer name to the strings “SPB”, “Spb”, “spb”, “MSK”, “Msk”, and “msk”, and if those are found, the computer won’t be encrypted.
It is most likely that all this is done so that the ransomware operators don’t target computers in Russia for encryption.
Besides these changes, the ransomware proceeds with its usual encryption process. As we wrote back in December, 2018, when it was first released, Ryuk Ransomware will encrypt the victim’s data and demand a ransom to get it restored.
Files will receive the .RYK extension as a secondary one, without any changes made to the original name of an encrypted file. The ransomware will also leave instructions inside a text file.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: