Jackson County loses $400,000 after being attacked by ransomware

PGA ransomware

Recently, new ransomware attacked Jackson County, Georgia, USA, encrypting all of the county's computers. The attack directly made every computer system in the county, including the mail system and the emergency services department, completely unavailable. Initially, Jackson County tried a variety of responses, including immediately switching to paper-based work and contacting the FBI for help in recovering as much of the system as possible. These efforts failed, and Jackson County ultimately gave in to the attackers behind the attack and paid up to $400,000 in bitcoin for the correct decryption key.


Many US state police forces and the Federal Bureau of Investigation recommend that ransomware victims not pay ransoms, so as not to encourage ransomware attackers. However, the computer system used in Jackson County did not have any data backup, and running the county offline on paper for a long period could not sustain the efficiency of the county's work.

After evaluating the options, Jackson County concluded that rebuilding the entire system would be expensive and time-consuming, so the county had to contact the attacker to negotiate for the key. Eventually, the attacker demanded $400,000 in bitcoin and decrypted the systems gradually, in batches. After the payment, Jackson County's computer systems finally returned to normal.

According to the US Federal Bureau of Investigation, the ransomware that attacked Jackson County is named Ryuk. It is a relatively new ransomware that was discovered in August last year. The attackers behind the ransomware may be hacker groups in Eastern Europe, but unfortunately this ransomware is also distributed under the RaaS model.

RaaS stands for Ransomware as a Service, which means that a developer provides the software and the purchaser directly modifies the code and delivers it. Ryuk mainly draws on the more active Hermes ransomware sold on the dark web. Buyers only need to modify some of the code as needed rather than developing it themselves. So it is hard to say who the attacker behind this attack is; after all, there are too many active buyers on the dark web purchasing this kind of ransomware for customization.

Via: bleepingcomputer