A Department of Public Safety employee powered on a computer July 26 at the Atlanta headquarters and found a strange message.
It was a blank screen with the letters RYUK in the center and email addresses in the top corner.
The employee immediately called IT.
“When they saw it, they recognized it as something that could potentially be some sort of malware, definitely a problem, a cyber issue,” DPS Lt. Stephanie Stallings said.
As a preemptive measure, the server was shut down to isolate the issue, which was later determined to be a ransomware attack.
Ransomware is malicious software that encrypts writeable data, and only the attacking party knows the decryption key. The attacker demands payment to unlock the files.
For the past three months, employees under the Department of Public Safety — which includes Georgia State Patrol, the Motor Carrier Compliance Division and Capitol Police — have had parts of their in-vehicle laptops rendered useless thanks to that attack.
Citations and crash and incident reports are typically uploaded from those laptops to the patrol post, but none of that is possible with the server down. So, it’s back to pen and paper.
That has caused some delays in the processing of citations. And with the server shut down, Stallings estimated a delay in fulfilling more than 1,000 pending open records requests.
Hall County Solicitor General Stephanie Woodard said it usually takes about 10 days for a state patrol citation to be ready in her office. With the return to paper records, that process takes closer to a month.
“I’ve had people call to say, ‘Can I negotiate something on my ticket?’ and it’s four weeks before the paper copy processes all the way from DPS to the clerk that I can pull it and look at it and do something about it,” Woodard said.
Woodard said she can recall roughly 10 to 12 cases similar to that scenario, though the vast majority of people facing citations pay online or appear on their court date.
“For the folks that have been trying to handle it proactively, they haven’t been penalized. … They just can’t take care of it, and we live in a time when people expect to be able to do any business they want to do very, very quickly,” she said.
Woodard said the typical electronic process allowed the trooper’s laptop to upload automatically to the patrol post, which would then transmit the citation information to the clerk’s office.
Handwritten tickets take more time to complete, and then the trooper must physically deliver the citations to the clerk’s office to be logged.
Stallings said the last full server backup was performed July 23.
“It’s estimated between July 23 and 26, before the servers were shut down, that there is some potential information that was lost,” Stallings said.
Woodard said she has not encountered any cases of missing data being unrecoverable.
The path back online
Stallings said DPS started trying last week to bring back online parts of Troop D in southwest Atlanta, which includes posts in Griffin, Thomaston, Newnan and the city of Forsyth.
“We’re certainly a whole lot closer to being back online. There is still not a date for the full statewide to be back online, but it is getting there faster every day,” she said.
Some of the biggest filers of open records requests to DPS include lawyers, prosecutors, people involved in crashes and insurance companies.
“Once everything is back online, that’s going to assist us in the open records division to be able to fill a lot of those open records requests that have been pending for a while, because we’ll be able to then search our server for those historical documents,” said Stallings, referring to any document created before the ransomware attack.
Gainesville attorney Jeff Talley said he hasn’t experienced any delays with his cases related to the DPS ransomware attack.
“From the defense perspective, if you had a case and something was going on with them, you’d file a motion citing that. I can’t believe or couldn’t fathom a prosecutor or prosecuting jurisdiction wouldn’t grant you a continuance until it’s resolved, because that would impact a client’s ability to present a defense,” Talley said.
Stallings said the FBI is handling the criminal investigation into who is responsible for the ransomware attack.
“The Department of Public Safety wouldn’t contact those people directly. Even if they had given a monetary value that says, ‘Hey, pay us X amount of dollars and we will unencrypt your information,’ that’s information we don’t know because the Commissioner of the Department of Public Safety Col. Mark McDonough said that we would not pay a ransom, and we have not,” Stallings said.
An insurance policy was purchased in case of a cyberattack, with DPS and the Georgia Technology Authority splitting a $250,000 deductible.