Ransomware and election security have been the two great themes of the 2020 cybersecurity landscape.
So it may not come as a surprise that those topics have finally intersected.
With the U.S. presidential election less than two weeks away, a county in northern Georgia that has been hit by ransomware might become a litmus test for how prepared local governments are when it comes to defending voting systems. With a population of about 200,000 people, Hall County reported on October 7 that a ransomware attack had disrupted “critical systems.” The Gainesville Times reported on Thursday that those systems included a database that the county uses to verify voter signatures, as well as a voting precinct map on the county’s website.
County officials could not be immediately reached for comment Thursday evening, but a registration coordinator told the Gainesville Times that there were ways to manually verify signatures through hard copies of voter registration cards, though the process can be time-consuming.
Early signs suggest that the attack wasn’t a state-sponsored effort to block voting. Allan Liska, a ransomware specialist at Recorded Future who has been researching election security threats in recent months, said the attack used DoppelPaymer ransomware, which has been seen in COVID-19 scams and so-called “big game hunting” operations that target specific organizations and hold their data hostage for large sums of cryptocurrency.
“It shows that it is not just nation state actors that can gain access to election infrastructure. Cybercriminals have gotten a lot more sophisticated and capable,” said Liska. “The good news is that this does not seem to have impacted the ability to vote. However, if there are more attacks like this we—the collective we—may not be so lucky.”
Ransomware attacks have exploded in recent years in both volume and the amount demanded. Cyber insurance providers routinely see seven-figure demands, with ransoms occasionally exceeding $10 million, said Kristen Dauphinais, Head of U.S. Cyber and Tech at British insurance firm Beazley.
“Ransomware operators are much more skilled than they used to be, and have the ability to ask for much more money,” she said.
In recent months, these operators have also gone after municipalities, hospitals, and schools, raising concerns over whether voting systems could be vulnerable to such attacks. Even if voting isn’t completely halted in these attacks, they could create an impression that election results cannot be trusted, Liska said.
And federal officials have taken notice. Reuters reported more than a year ago that intelligence officials feared ransomware attacks on election infrastructure, and that the government was launching a program to prepare for such a scenario by providing state election officials with educational materials, remote computer penetration testing, and vulnerability scans. Last month, The New York Times reported that federal investigators have not had much success stopping ransomware attacks on U.S. government entities, and did not have a clear picture of whether the attacks are launched by criminal groups or nation states masquerading as ransomware operators.
And it may be too late to stop them.
“[With] less than two weeks to November 3, there is a good chance ransomware actors are already in many networks or the attacks have happened and just not been reported,” Liska said.