LockBit Claims Responsibility For Pwning Fulton County

The LockBit ransomware gang is claiming responsibility for the January Fulton County, Georgia cyber-attack and is threatening to publish “confidential” documents if the ransom is not paid by this Friday.

You might recall that I first brought this story to you on February 1st. But here’s a quick recap.

Initial reports by the county on January 29th acknowledged a “cyber security incident”, confirming widespread system outages, including phone, court and tax systems, but gave no further details.

It wasn’t until yesterday, almost three weeks later and only after LockBit claimed the attack, that officials acknowledged the outage was in fact a ransom attack, but still offered no details on the attack itself. Many of the county’s systems are still down and the investigation is ongoing.

Services remaining down include:

  • Two-thirds of phone services
  • Court systems
  • Property tax systems
  • Jail IT systems
  • Water billing

LockBit has given a deadline of Friday 2/16 for the County to pay the ransom. Fulton County is Georgia’s largest county and home to the state’s capital, Atlanta.

Steve Hahn, Executive VP, BullWall, had these thoughts:

   “What we are seeing here is part of a larger trend. Cities all across the US are under attack by Russian threat actors. Oakland declared a state of emergency when nearly all services, all the way to their city hall, were shut down. In that instance the threat actor stole and released data as well. Hundreds of US cities have been the victim of these attacks.

   “In the past these Russian threat actors were strictly financially motivated. Since the war in Ukraine the attacks have become increasingly targeted and not just getting the Ransom but also hurting us financially. Hitting supply chains that could impact inflation, hitting hospitals and cities providing life saving services to maximize the human impact. The other new trend is the threat actor is typically getting command and control access prior to the attack. This means they have admin level rights, they steal data, then set up their ransomware attack in a way that no preventative tool can stop it.

   “We have to recognize that we are truly under attack and if you’re in their crosshairs it’s not “if” but “when” you’ll be hit with Ransomware. We have to shift focus from simply trying to prevent these attacks to also how to contain them quickly to minimize the effect. Containment and recovery are key strategies these cities need to employ so their services aren’t impacted. We need MFA to every server, every session. They need to work towards a zero-trust environment and, most importantly, they need containment and recovery strategies in place. In the same way we “war game” physical attacks, knowing you can’t pin your hopes on “preventing” them, we need to take that same approach to cyber-attacks and assume it’s not “if” but “when” and how do we respond. Cities simply aren’t doing that today.”
   

Emily Phelps, VP, Cyware, follows with this comment:

   “Effective cybersecurity is challenging for even the most well-resourced organizations. Local governments have additional resourcing challenges that further complicate protecting the critical data of their citizens.

   “Organizations, across sectors, must become more proactive in their cyber defense strategies. This starts with advanced threat intelligence that can be automatically operationalized across a security team. Context-rich threat intelligence enables security teams to prioritize critical threats and take rapid action. Intelligence sharing organizations (ISACs) are also an important component that can provide relevant intelligence to industry organizations to improve effectiveness and efficiency.”

The fact that I started to write about this at the start of this month and the incident is still ongoing shows how devastating and disruptive cyberattacks can be. That is why prevention and rapid detection of intrusions have to be the way to go to avoid being the next headline.

One Response to “LockBit Claims Responsibility For Pwning Fulton County”

  1. […] wish Welch luck in getting up and running again. As we’ve seen in recent cyberattacks, like this one, they can be devastating and long lasting. Neither of which is […]
