
Ransomware group LockBit yesterday claimed responsibility for a cyber attack on Clay County, Indiana that disrupted operations at several county facilities. LockBit claims to have stolen 103 GB of data from the county. A proof pack posted on the group’s leak site includes several allegedly stolen PDF documents and images. The ransom deadline is set for August 4, 2024.

Clay County did not verify LockBit’s claim, but it did declare a local disaster on July 11, 2024 following a ransomware attack two days earlier. Yesterday, the county extended the state of emergency to July 25 while it tries to restore systems. According to a Facebook post by the Clay County Emergency Management Agency, the county Courthouse, Probation, and Corrections facilities were all impacted.

Because the attack forced the county’s official website offline, Clay County set up a second, temporary website to keep residents informed. As of the time of writing, the following county agencies are still closed, according to the new site:

  • Assessor
  • Auditor
  • Child support
  • CASA
  • Circuit Court
  • Clerk of Court
  • Election
  • Probation
  • Prosecutor’s Office
  • Recorder
  • Superior Court
  • Surveyor
  • Treasurer (scheduled to reopen July 22)
  • Veterans

The Facebook announcement from the county states:

“Now, therefore, we, the Clay County Board of Commissioners, declare that a local disaster emergency exists in the county and that we hereby invoke and declare those portions of the Indiana Code which are applicable to the conditions and have caused the issuance of this proclamation, to be in full force and effect in the county for the exercise of all necessary emergency authority for protection of the lives and property of the lives and property of the people of Clay County and the restoration of the local government with a minimum of interruption.”

We do not know if any personal information was compromised in the attack, if the county did or will pay a ransom, how much the ransom demand is, or how attackers breached the county’s network. Clay County officials declined to answer Comparitech’s questions.

Who is LockBit?

LockBit is one of the most prolific ransomware gangs of recent years. It’s responsible for hundreds–possibly thousands–of attacks. They include many targets in government including the City of Jacksonville Beach (US), Fulton County Government (US), Government Pensions Administration Agency (South Africa), the City of Wichita (US), Ayuntamiento de Torre Pacheco (Spain), Slovenska narodna kniznica (Slovakia National Library), Sędziszów Małopolski (Poland), Ajuntament de Calvià (Spain), and Wattle Range Council (Australia).

Comparitech researchers logged 53 confirmed attacks claimed by LockBit so far this year, 10 of which were against government organizations.

We tracked a further 379 unconfirmed ransomware attacks claimed by LockBit so far in 2024.

Experts say the group is based in Russia. Often, LockBit will operate a double-extortion model in which it demands one ransom to decrypt systems and a second ransom to delete any stolen data.

According to Darkfeed.io, LockBit has been undergoing some strategic changes following law enforcement raids and attacks on its infrastructure. Its website is now protected by CAPTCHAs to prevent service shutdown attacks, and all negotiations take place exclusively through LockBit’s platform.

Ransomware attacks on governments

Globally, Comparitech recorded 88 confirmed attacks on government organizations so far in 2024, affecting 52,390 records. In 2023, we logged 207 such attacks, affecting 896,504 records. The average ransom for both years is $1.3 million.

We tracked a further 39 unconfirmed ransomware attacks on government organizations worldwide in 2024 to date.

About Clay County, IN

Clay County is home to 26,000 people in western Indiana between Terre Haute and Bloomington, encompassing 360 square miles. The county seat is Brazil, IN. The Board of Commissioners, who declared the local disaster, serves as the county’s executive body.

Clay County officials responded to Comparitech’s request for comment with the following statement:

“Clay County is currently experiencing a disruption in some of our IT systems. Upon detecting this disruption, County officials immediately took mitigation efforts to prevent further damage and protect sensitive data, including taking certain systems offline and restricting internet access. We launched an investigation and retained Mandiant, leading cybersecurity experts, to assist our team. At this time, our investigation remains ongoing.

“This incident is our top priority and we are working around the clock to safely restore systems and resume operations. We are providing status updates on our website, www.claycounty.in.gov.”