{
	"id": "4df70f0c-4f50-41ed-bca6-d7f1e92c3203",
	"created_at": "2026-04-06T00:21:32.296452Z",
	"updated_at": "2026-04-10T13:12:03.765752Z",
	"deleted_at": null,
	"sha1_hash": "c7d57118abac028d0a7933a722555575f969d8f8",
	"title": "Ryuk Ransomware behind Attack on Florida Library System",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51083,
	"plain_text": "Ryuk Ransomware behind Attack on Florida Library System\r\nBy February 07, 2020 •  Mark Harper,  The News-Journal\r\nPublished: 2020-02-07 · Archived: 2026-04-05 22:31:56 UTC\r\n(TNS) — The cyberattack that took down public-access computers at Volusia County, Fla., libraries last month\r\ninvolved ransomware that has elicited millions of dollars in ransom payments from governments and large\r\nbusinesses.\r\nVolusia County officials say they've referred the attack to law enforcement, but would not say which agency is\r\ninvestigating. Emails provided in response to a public-record request indicate the library computers were infected\r\nby Ryuk ransomware. The county will not say whether it has made a ransom payment.\r\n\"Because it's under investigation, we have no comment at this time,\" said Kevin Captain, a county spokesman in\r\nan emailed response to a question about ransom.\r\nCaptain confirmed the county's insurance deductible is $100,000. \"The county has no confirmation of cost at this\r\ntime but will at a later date,\" Captain said.\r\nVolusia County provided The News-Journal hundreds of pages of emails about the ransomware incident, some of\r\nit redacted because of the ongoing criminal investigation.\r\nAt 8:44 a.m. Jan. 9, Brian Whiting, director of information technology at Volusia County, wrote an email to\r\nsupport desk staff stating: \"The Volusia County Library is currently being cyber attacked by Ryuk, an attack\r\npropagated frequently via email phishing attack.\"\r\nLater that day, in another email, Whiting says the IT department has detected \"a ten-fold increase in attempted\r\nattacks over the past month or so.\"\r\nTwenty servers and about 600 computers were encrypted — essentially locked up — by the ransomware. 
The\r\ncounty was able to restore about 50 computers used by library staff to conduct business, such as checking books in\r\nand out, but the public-access terminals would remain down for about two weeks.\r\nOne of Volusia officials' first calls reported the incident to the Center for Internet Security's Multi-State\r\nInformation Sharing and Analysis Center (MS-ISAC) in East Greenbush, New York. The Center for Internet\r\nSecurity is a nonprofit organization that works to safeguard private and public organizations against cyber threats.\r\nAn emergency response team from MS-ISAC got involved.\r\nVolusia officials soon also contacted their London-based claims adjuster, CFC Underwriting, which became\r\ninvolved in approving expenditures on outside security firms to assist with bringing the system back. Solis\r\nSecurity in Austin, Texas, was also brought into the loop.\r\nhttps://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html\r\nPage 1 of 3\n\nAnd at some point, the county notified the Department of Homeland Security about the incident, according to an\r\nemail written by Andrew Krasucki of CFC Underwriting.\r\nAn email from Joshan Heer of CFC Underwriting to county officials summarized what had been found by midday\r\nJan. 10:\r\nEncryption of the Volusia library computers began at around 1:30 a.m. on Jan. 9, and a ransomware note had been\r\nleft on a desktop by 7 that morning.\r\nFile extensions had been changed to .ryk, indicating the Ryuk ransomware. 
Volusia County IT staff shut down and\r\ndisconnected all the computers from the county network.\r\n\"It is believed sensitive data is not at risk due to (redacted),\" Heer wrote, adding that would have to be confirmed.\r\n\"Those who've used public-access computers on a network that's been hit by Ryuk probably don't have much to\r\nworry about,\" said Brett Callow, a threat analyst with Emsisoft, a New Zealand-based anti-malware company.\r\n\"The Ryuk operators have not been known to steal data.\"\r\nCyber defense experts say Ryuk has been used in hundreds of attacks on U.S. governments and businesses since\r\n2018, and in some cases the criminal gang of hackers responsible for the attacks have been paid handsomely.\r\nThe cost of these attacks in 2019 was estimated by Emsisoft at $7.5 billion.\r\nAt least three Florida municipalities were victimized in June 2019 alone, including:\r\nRiviera Beach, a Palm Beach County city of 35,000, which paid 65 bitcoins – or about $600,000 – in\r\nexchange for a decryption key from the attackers.\r\nLake City in northern Florida paid about $460,000 in bitcoin to recover data and computer operations.\r\nKey Biscayne – a town on a barrier island near Miami – was hit and spent money trying to restore its\r\nnetwork.\r\nWhile it is unclear whether Volusia paid a ransom, Krasucki's email of Jan. 
13 indicated the county might have\r\nhad a way to restore its data.\r\n\"A system state backup stored on an external drive will be utilised to rebuild the active directory structure and the\r\ndomain controller servers,\" Krasucki wrote.\r\nCallow said Ryuk is commonly used in attacks on both the public and private sector and accounts for between\r\n15% and 25% of all ransomware incidents.\r\nSentinelOne, another cybersecurity firm, reported Ryuk ransomware \"is largely responsible for the massive\r\nincrease in ransomware payments.\" Where many cyber criminals demand $10,000 to remove the encryption on\r\ncomputer systems, Ryuk operators \"demand an average of $288,000 for the release of systems.\"\r\nYet another cyber defense firm, CrowdStrike, identifies the perpetrator of Ryuk as \"Wizard Spider,\" a Russia-based\r\ncriminal group.\r\nCallow said exactly who's deploying Ryuk remains an open question.\r\n\"There's speculation that the group behind Ryuk – and it does appear to be a single group – has Russian ties, but it\r\nis just speculation. Attribution is always extremely hard,\" he wrote in an emailed response to questions.\r\n\"For example, some ransomware contains language exclusions and will not encrypt files if the operating system\r\nuses one of a number of specified languages – (post-Soviet) countries, Iran, etc.,\" he wrote. 
\"That could indicate\r\norigin – groups not wanting to poop in their own backyards – or it could be a false flag designed to misdirect law\r\nenforcement.\"\r\nUnlike other ransomware, which contain flaws in the encryption allowing security companies to create tools to\r\nrecover data without needing to pay ransom, Ryuk has no such flaws, Callow said.\r\n\"The encryption is perfectly implemented and, consequently, the only way to recover data is to restore it from\r\nbackups (assuming they were not deleted/encrypted during the attacks) or to pay the ransom,\" Callow said.\r\n©2020 The News-Journal, Daytona Beach, Fla. Distributed by Tribune Content Agency, LLC.\r\nSource: https://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html\r\nhttps://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.govtech.com/security/Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html"
	],
	"report_names": [
		"Ryuk-Ransomware-behind-Attack-on-Florida-Library-System.html"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434892,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7d57118abac028d0a7933a722555575f969d8f8.pdf",
		"text": "https://archive.orkl.eu/c7d57118abac028d0a7933a722555575f969d8f8.txt",
		"img": "https://archive.orkl.eu/c7d57118abac028d0a7933a722555575f969d8f8.jpg"
	}
}