GEORGETOWN, S.C. (WCBD) — Compromising information — including the social security numbers of Georgetown County employees — is circulating on the dark web following a January cyber attack.

The county suffered what they called a “major infrastructure breach” on Jan. 23, impacting all of their online systems including email and GIS.

According to Georgetown County Public Information Officer Jackie Broach, the criminals requested a large amount of cryptocurrency as ransom. The county refused to pay, opting instead to rebuild the system entirely.

“A lot of times these sorts of attempts are linked to terrorist organizations and we opted to use our backups and rebuild instead of paying the ransom and trusting they would uphold what they said they would.”

Jackie Broach

The latest update from county officials wrote in part, “At this time, the county has no indication that any personal information belonging to either employees or taxpayers was compromised during the cyber attack.”

WBTW affiliate WCBD received a tip on Monday, reporting that a well-known ransomware gang named DoppelPaymer had posted stolen data on the dark web.

“Below you can find private data of the companies which were hacked by DoppelPaymer. This companies decided to keep the leakage secret and now their time to pay is over,” reads a post on the site.

WCBD investigators reached out to Georgetown County officials, who said they were unaware of the information being circulated. They said they alerted the State Law Enforcement Division (SLED), whose SC Critical Infrastructure Cybersecurity (SC CIC) task force is investigating.

On Wednesday, Georgetown County began notifying employees of the situation.

“We have reason to be hopeful the number of employees impacted is limited, but won’t know for sure until SLED and the forensics team we are working with have finished their analysis,” she said.

Brett Callow, a threat analyst with cybersecurity firm Emisoft, said ransomware groups hack in to networks using very sophisticated emails that open a back door to the system, which is exactly what experts believe happened in Georgetown.

He said groups like DoppelPaymer usually have access to an entities system for about 56 days before they start the encryption process, and “during that time they will steal data and use it as additional leverage to extort the entity.”

If the victim refuses to pay, like Georgetown County did, Callow said that the groups will release more data to up the pressure.

In December, the FBI issued the following warning about DoppelPaymner:

“DoppelPaymer ransomware has infected a variety of industries and targets, with actors routinely demanding six and seven-figure ransoms in Bitcoin (BTC). Prior to infecting systems with ransomware, the actors’ exfiltrate data to use in extortion schemes.”

Callow said county officials did the right thing in refusing to pay ransom.

“The best option is for organizations not to apply payment; it’s the fuel that drives ransomware. If nobody pays, the attacks would stop,” he said.

Brett Callow

Broach said people identified as having had their information leaked will be notified directly.