
Ransomware Disrupts Government Operation, Forces Payment

Jackson County in Georgia, US, suffered a Ryuk ransomware attack that has crippled government operations since 1 March and forced a US$400,000 ransom payment to decrypt the affected files. Investigation into the initial infection vector is ongoing, but Ryuk has previously been observed being downloaded after a TrickBot trojan infection. TrickBot is primarily distributed via phishing emails carrying Office documents that drop malicious payloads when the user enables macros to view the file content. After a successful infection, TrickBot can spread across the network using its propagation modules (sharedll and tabdll) or create a reverse shell to execute obfuscated PowerShell scripts and establish RDP connections. Once access to the domain controller is obtained, the attackers use PsExec to push the Ryuk binary to individual hosts. Ryuk operators have been active since at least December 2017 and have netted over US$3.7 million in ransom payments.
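The chain described above leaves three observable process-creation patterns on endpoints: an Office application spawning a script host (macro stage), an encoded PowerShell command line (TrickBot post-infection stage), and a PsExec-style service launched under services.exe (Ryuk deployment stage). The detection logic below is an added example, not part of the brief or of any vendor tooling; the pipe-delimited log format and the host names are constructed for illustration.

```python
# Added example: flag TrickBot -> Ryuk chain behaviours in Sysmon-style
# process-creation records. Log lines and their format are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# PsExec drops and starts a service whose image is PSEXESVC.exe (parent: services.exe)
PSEXEC_IMAGE = re.compile(r"^psexesvc\.exe$", re.IGNORECASE)
# -enc / -EncodedCommand carries a base64 script, typical of obfuscated stagers
ENCODED_PS = re.compile(r"\s-(enc|encodedcommand)\s", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a detection tag for the event, or None if it looks benign."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        return "office-spawned-script-host"
    if parent == "services.exe" and PSEXEC_IMAGE.search(image):
        return "psexec-remote-service"
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev.command_line):
        return "encoded-powershell"
    return None


def parse_line(line: str) -> ProcEvent:
    # Constructed record format: host|ParentImage|Image|CommandLine
    host, parent, image, cmd = line.split("|", 3)
    return ProcEvent(host, parent, image, cmd)


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, tag) for every record that matches a detection."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            hits.append((ev.host, tag))
    return hits


SAMPLE_LOG = [  # constructed records, truncated base64 is a placeholder
    r"WS01|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -enc SQBFAFgA",
    r"WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
    r"SRV-DC01|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe",
    r"FS02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -EncodedCommand SQBFAFgA",
]
```

Running `scan(SAMPLE_LOG)` yields one hit per stage on WS01, SRV-DC01 and FS02; in practice these tags should be correlated across hosts and time, since PSEXESVC.exe on many servers shortly after an Office-spawned PowerShell on a workstation is the sequence the brief describes.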

[1] Georgia County Pays a Whopping $400,000 to Get Rid of a Ransomware Infection
[2] Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
[3] A Nasty Trick: From Credential Theft Malware to Business Disruption

Ensign InfoSecurity Singapore
30A Kallang Place
Singapore 339213

Tel: +65 6788 2882
Fax: +65 6788 3883