The Fulton County Attack and the Dual Nature of Ransomware Operations

Date: February 15, 2024


Officials in Fulton County, Georgia, disclosed that “financially motivated” threat actors associated with the infamous LockBit ransomware gang are behind a ransomware attack that disrupted critical county services for several weeks.

“Early today, we became aware that cybercriminals claiming responsibility for this incident listed Fulton County as a victim on their dark website and posted screen shots of information claimed to have been accessed,” CNN reports county officials as stating.

Despite the fact that voting in an upcoming election in Fulton County begins next week, county officials insist that there is “no evidence or reason to believe that this incident is related to the election process or other current events.”

Takeaway: An event of this nature is a good example of the potential dual nature of many of today's ransomware attacks: they make money for the attackers while also furthering the geopolitical interests of adversarial nations.

The key assessment here is “financially motivated” - at this point, we can assume that the attackers intended to cause disruptions that would compel the county to pay a ransom demand, since getting paid is the attacker’s primary objective.

Disruptions to critical systems put pressure on the victim to pay. So, the fact that Fulton County is preparing for voting to start next week could be a factor in the threat actor’s targeting decision – as could the fact that Fulton County has been in the news a lot recently, which makes it a high-profile target.

While we can assess at this point that the attackers could possibly have intended to disrupt election systems along with other critical county functions, the motivation would most likely have been to position themselves for a bigger payout as opposed to trying to influence the election outcomes.

For the most part, ransomware operators are out there trying to cause as much pain, publicity and frustration as possible because it translates into illicit dollars in their pockets.

That said, we also cannot discount the dual nature of a good portion of today’s ransomware attacks, where the attackers may be serving themselves from a financial perspective but are also furthering a larger geopolitical strategy.

The fact that ransomware attacks appear on the surface to merely be cybercriminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of rogue regimes like Russia, Iran and North Korea.

We know that a good portion of ransomware operators also participate in nation-state sponsored attacks, much like someone might work as a cop during the day but then apply those skills while moonlighting as a security guard at night.

There is also a good deal of evidence that nation-states are likely influencing or directly controlling the targets many ransomware operators select (or do not select) because they serve geopolitical aspirations beyond personal enrichment.  

So, in this context, we can assess that while the attack on Fulton County was likely financially motivated, the fact that the county has an election next week, and that it is in the news a lot with regard to litigation related to the 2020 elections, means the attack could also serve a dual purpose: furthering Russia’s ongoing efforts to interfere with the election process in the US in general.

This is why it is imperative that the US government and the allied nations targeted by these attacks differentiate at least some of them and classify them as terrorist acts – specifically those attacks that target healthcare and other critical infrastructure functions like utilities and elections.

Designating these attacks as terrorism will allow a whole new set of options as far as our collective response. If we treat these like criminal law enforcement issues, there is simply an investigation possibly followed by indictments.

But if we call these attacks what they are – terrorist attacks meant to instill fear and influence geopolitical issues – then we unlock a whole host of options for both offensive cyber and even traditional kinetic military responses.

Ransomware attacks against critical infrastructure are a form of terrorism in and of themselves, and the fact that many of the attacks are so closely related to the geopolitical interests of adversarial nations, and provide plausible deniability on the part of nation-state actors, means we can no longer address these issues as a criminal matter.

It’s time to call these attacks what they are: state-sponsored terrorism.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.