Data Breach of the Month: Jackson County

By Walker Banerd April 8, 2019 data-breach, security-orchestration-automation-response

Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest state-sponsored mega breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.

In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.

So without further ado, our breach of the month for March, 2019 is… the lucrative ransomware attack against Jackson County, Georgia.

 

What Happened?

Ransomware may have slipped from the dominant place in cybersecurity headlines that it held a year ago, but it is still a major threat. Public sector entities still appear to be a particularly appealing target, likely due to their smaller cybersecurity budgets and lack of proper backups, when compared to large private sector companies. We covered one such ransomware attack against the City of Atlanta in a previous article, and Orange County, North Carolina was hit by ransomware for a third time just last month.

The costliest public sector ransomware attack in recent memory, however, was against Jackson County, a county in Georgia with a population of 60,000. After the county’s systems were locked for about a week, leaving many important tasks to be done with pen and paper, county officials paid $400,000 to the attackers to get their files decrypted.

 

How Did it Happen?

The attackers reportedly used the Ryuk ransomware strain, which is generally deployed by an Eastern European gang. Their usual method is to take a long-term approach to attacks, infecting targets with Emotet or Trickbot malware, then mapping the network to determine which systems to target and lock with ransomware. Ryuk ransomware payments are notoriously high, compared to the average ransom of less than $7,000 for other strains. Unfortunately for those who choose to pay the ransom, the decryption tool for Ryuk is notoriously unreliable, so there is no guarantee that all files will be perfectly restored.

 

How to Minimize the Risk of this Type of Breach

The attack methodology of the Ryuk gang is a good example of the cyber kill chain—the steps that attackers follow in the course of an attack. If you can detect the attack at any point before the end of the chain, you have a good chance to stop it. For example, if Jackson County had detected the attackers’ presence on their network while they were determining which systems to target, then they could have prevented the ransomware from being deployed.

This is why D3 has incorporated a kill chain framework—MITRE ATT&CK, specifically—into its security orchestration, automation, and response platform. D3 users can enter an event into a kill chain search in order to identify the techniques the attacker is using and correlate against related techniques from other points in the kill chain. For critical events, the search will be initiated automatically. This means that if any link in the chain is detected, analysts have a very good chance of finding the other traces of the attack, complete with indicators of compromise, people involved, and what they are likely to do next. The kill chain framework is invaluable for stopping major incidents like ransomware attacks before they succeed.

For more detail on how D3 uses the MITRE ATT&CK framework, check out our recent SOAR 2.0 whitepaper.

Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.

Walker Banerd

Walker Banerd

Walker is the Communications Manager at D3. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.


Comments

comments for this post are closed