Georgia’s state agencies nearly recovered from last year’s cyberattack

Updated Jan. 28

About six months later and $750,000 poorer, Georgia is nearly back to normal after online attacks that blocked law enforcement officers and the public from accessing electronic records used to settle legal questions.

But the money went to pay cyberattack insurance deductibles, not ransoms.

Over the last few months, all Georgia State Patrol troopers have been able to put away the pens and paper they relied on while the department recovered and return to computers now scrubbed clean of malicious code. The agency also reactivated its main server in stages after the July 26 attack.

The agency’s open records office is still working through a backlog of thousands of electronic requests they received and could not fill while roughly a decade of reports were inaccessible.

Last year, more than 40,000 open record requests arrived at the Georgia Department of Public Safety, which includes the state patrol, according to Lt. Stephanie Stallings, an agency spokeswoman. 

That includes subpoenas, members of the public seeking crash reports, potential employers asking for human resources records and other requestors. She said it isn’t clear when they will catch up on the backlog of more than 5,000 records requests still outstanding.

In the meantime, she said, people who need documents like crash reports can visit the patrol post where the officer who filed the reports  works.

The state patrol got notice of the July 26 attack when some agency computers unexpectedly displayed a screen with the word “Ryuk” and some email addresses.

Ryuk is the name of a piece of malware that sneaks onto computers and presents the owner with locked files and a ransom note.

“We as the Department of Public Safety don’t contact those persons,” Stallings said. Instead, the state patrol contacted criminal investigators at the FBI.

Stallings said the state patrol never got any notification of what the ransom was, and the agency didn’t pay any ransom.

“That was never an option,” Stallings said.

Starting on July 26, about three or three and a half days of citations issued statewide were permanently lost in the attack. The state patrol doesn’t know how many crash reports from that period it lost, since that depends on when the trooper transmitted them from the field.  Stallings said troopers have been able to recreate some crash reports based on field notes.

The FBI did not provide information about Georgia cases, citing U.S. Department of Justice rules that generally prohibit talking about anything that might be under investigation.

“I can tell you that ransomware cases are somewhat common and difficult to address from a law enforcement perspective,” said Beth Anne Steele in an email from the bureau’s Portland, Oregon office. “A best offense is a strong defense.”

A July 5 attack on the Georgia Emergency Management Agency was isolated before it spread, recovery was covered by insurance, and all services are running again

Georgia’s Administrative Office of the Courts has recovered most of what it can after a June 28 cyberattack. About 70 different kinds of courts across the state lost some access to some software or data due to the attack. Bruce Shaw, a communications specialist at the agency that provides support to municipal, magistrate and probate courts  said that no court records were lost in the attack. But some staffers did permanently lose files, like memos or photos that were stored on servers.

“People are taking positive steps to put themselves in a better posture and doing things like paying attention to their backups and how they’re secured,” David Allen said.

Clarification: This story has been updated to reflect that lower level courts that use the state’s Administrative of the Courts case management system lost data in the cyberattack.