Ransomware wreaks havoc in the South, generates $1 million for hackers

Cities across the Southern states have been crippled by ransomware in recent weeks. In many cases, city leaders have had no choice but to give in to the attackers’ demands.

In this article, we’re going to take a look at how these attacks work and the damage they’ve caused local municipalities.

Riviera Beach ransomware attack

In May 2019, the computer systems of Riviera Beach, Florida, ground to a halt after a police department employee opened an infected email attachment. The ransomware knocked the city’s email and phone systems offline and disabled utility payment services.

Eventually, the city gave in to the hackers’ demands and voted to pay the criminals nearly $600,000 to regain access to their data. While we can’t say for certain which ransomware was to blame for this attack, experts believe that it is likely to have been Ryuk, a ransomware strain that was first seen in August 2018.

Lake City ransomware attack

A couple of weeks later, another Florida city found itself in a similar predicament. On June 10, a Lake City government employee unwittingly opened a malicious email, resulting in widespread disruption across government communications and online payment services. Again, city leaders agreed to pay the hackers the ransom – this time, a cool $460,000.

Key Biscayne ransomware attack

Shortly after the Lake City incident, yet another Florida town, Key Biscayne, was hit by a cyberattack. Officials said their systems were back up and operational within a few days but declined to comment on whether a ransom payment was involved.

Collierville ransomware attack

On July 18, the town of Collierville, Tennessee, was hit by Ryuk. The ransomware primarily affected town employees, with many town services being forced to resort to offline systems for several days. Following the FBI’s recommendations, the town did not communicate or negotiate with the hackers. A spokesperson said that it may take weeks to get the systems back to normal.

Louisiana ransomware attack

Toward the end of July, ransomware brought down the IT networks at three Louisiana school districts – Sabine, Morehouse, and Ouachita. In response, Louisiana Governor John Bel Edwards declared a state of emergency, which means state resources will be made available to help resolve the crisis and reduce the risk of further data loss.

Georgia Department of Public Safety ransomware attack

On July 26, a ransomware infection at the Georgia Department of Public Safety (DPS) affected multiple police departments, including state patrol, capitol police and the Georgia Motor Carrier Compliance Division. The infection caused police car laptops to lose connectivity to DPS servers, leaving police officers unable to access crucial information. Officers have resorted to using older channels of communication while the systems are being restored.

According to David Allen, chief information security officer at DPS, payment is not an option.

“It’s not part of our policy to pay ransom,” says Allen, as quoted by GovTech. “In all honesty, I don’t even typically look at the files they leave behind on how to contact them. I don’t agree that it’s more cost effective to pay [ransom] because even if you pay it and get some of your system decrypted, it doesn’t always happen in a clean fashion.”

Texas ransomware attacks 

It’s very rare for ransomware groups to attack multiple municipalities simultaneously, but that’s exactly what happened in mid-August when cybercriminals launched a coordinated campaign in Texas.

Twenty-two towns and cities across Texas were affected in the attack, including Borger and Keene; the remaining entities are yet to have been named. Some sources have reported that it was once again Ryuk that was used in the attacks, while others have suggested it was a strain of ransomware known as Sodinokibi.  

How do cities get infected with ransomware?

Ransomware infection methods can vary between families and campaigns. A ransomware strain known as Ryuk is believed to be behind many of the recent attacks in the South.

Analysis has revealed that Ryuk has been used in combination with other types of malware to create what some are some are describing as a Triple Threat, a sophisticated attack that takes a three-pronged approach to infection and execution.

Here’s a quick overview of what a typical campaign might look like.

1. Emotet

First, the cybercriminals distribute spam email to large enterprises. When the malicious email attachment is opened by an unsuspecting employee, it uses PowerShell to install Emotet. Emotet has traditionally been used to steal banking credentials, but its modular architecture means it can also be used as a dropper, a type of malware that helps install other malware.

Emotet has recently resurfaced after laying dormant since early June. Experts believe that the operators were probably carrying out maintenance on the servers during this time.

2. TrickBot

Next, Emotet downloads and executes the TrickBot trojan from a pre-configured remote malicious host. Similar to Emotet, TrickBot is a modular trojan that is usually used to steal banking credentials, but it is also capable of executing other tasks, such as downloading/installing other malware. In this case, it is used to deploy Ryuk

TrickBot commonly spreads by exploiting the EternalBlue vulnerability, which was allegedly originally developed by the U.S. National Security Agency, and has since been used in many major ransomware attacks, including WannaCry and Petya. The Florida attacks, however, were caused by user error and did not involve EternalBlue exploitation.


After TrickBot has established itself and the attackers have verified that the infected machine is an attractive target, it deploys the Ryuk ransomware. Once Ryuk has infected the machine, it begins to encrypt files.

Who pays for the ransom?

While some public entities have strict no-payment policies, others will consider paying the hackers as a last resort option. In some cases, organizations do not have a robust recovery strategy in place, which means restoring the system is impossible or too time-consuming. In other situations, paying the ransom may simply be more cost-effective than the cost of system downtime.

In the Riviera Beach attack, the bulk of the ransom payment was covered by the town’s cyber insurance policy, which meant the city “only” had to pay a $25,000 deductible. It was a similar story at Lake City, where the ransom was paid by insurance after the city paid a $10,000 deductible. Unfortunately, it’s likely that taxpayers will absorb the costs of the deductibles when the time comes for the cities to renew their insurance policies.

Emsisoft researchers have been able to successfully decrypt Ryuk in about 3-5 percent of cases.

Why are the Southern states being heavily targeted?

The Southern states have seen more than their fair share of ransomware attacks in recent weeks. The main force driving this trend is the fact that cybercriminals know that some municipalities in the Southern states are willing to pay the ransom.

Like any other business, criminal enterprises adopt strategies that have been proven to work. The large payments made by Riviera Beach and Lake City may be encouraging similar attacks on other municipalities in the region.

However, it is important to remember that ransomware attacks are not confined to any particular region. Every organization, regardless of its location, size or income, should consider itself a potential ransomware target.

Emsisoft Endpoint Protection: Award-Winning Security Made Simple

Experience effortless next-gen technology. Start Free Trial

These municipalities in the South are the latest victims in a long string of ransomware attacks targeting local U.S. public entities. Check out this blog post for more insight into this trend.



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next