Augusta Cyberattack Claimed By BlackByte Ransomware Group

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | May 26, 2023 05:29 am PST

After days of doubt, and despite official claims of a “cyber incident,” the BlackByte ransomware gang has claimed credit for the computer attack on the City of Augusta. BlackByte, notorious for attacking the US government and financial institutions as well as the food and agriculture industries, placed Augusta on its data leak site at the end of May 25.

The post claims that the ransomware-as-a-service group has successfully taken almost 10GB of confidential information. “We have a lot of secret information that many people and the media would like to see. You were given a chance to “connect us,” but you appear to be dozing off. The BlackByte leak site promised to “help you wake up” in a post.

As an example, “here is a leak of 10GB of your data, and very soon, there will be much mare free to everyone.” There has been no attempt to verify the posted information. The Resister announced on May 26 that the Mayor of Augusta would be providing an update on the city’s cyber attack on that day.

The mayor, commissioners, and city attorney all made statements assuring the public that the IT department is working diligently to fix the problem.

After stressing the importance of the inquiry into the attack’s origin, the officials stated that they were unable to ascertain whether or not any sensitive data had been exposed.

It was later revealed that Mayor Garnett Johnson had recognized a “network outage” that occurred on Sunday, May 21, disrupting parts of the city’s computer systems, in a statement posted on the city’s website on 24 March.

After discovering that someone had hacked into the system, the IT team got to work quickly to assess the damage, restore service, and look into allegations of data theft. On May 24th, FOX54 reported on the FBI’s investigation into the cyber attack on the City of Augusta.

An Emisoft analysis on ransomware attacks in the United States in 2022 observed, “Ransomware still continued to be a huge challenge for subnational governments and adjacent entities.”

The Cyber Express has reported on a few of cases this year, including those in Dallas (Royal ransomware), Modesto (Snatch extortion group), Lakewood (ALPHV/BlackCat malware), Collegedale (BlackByte ransomware organization), and Oakland (Play ransomware).

In 2022, there were 106 confirmed cases of ransomware attacks against local or state governments. According to the research, this is a substantial increase from the 77 attacks documented in 2021.

One incident in Miller County, Arkansas, where a compromised mainframe disseminated malware to endpoints in 55 different counties, had a significant impact on this year’s numbers. The tragedy significantly altered the annual averages.

At least 27 out of 106 (or 25%) of the instances involved the theft of data. If we ignore the 55-county incident in Arkansas, though, that number rises to 53%. The report found that in 2021, data was taken in 36 out of 77 occurrences, or 47%.

Since its discovery in the summer of 2021, BlackByte ransomware has caused quite a stir in the cybersecurity world. Numerous offshoots have emerged from it over time, with the most recent appearing in recent weeks.

According to the BlackBerry Research & Intelligence Team, BlackByte operates under a Ransomware-as-a-Service (RaaS) model and uses a highly successful double extortion technique that combines data exfiltration with encryption to maximize the damage to victims.

According to the research, BlackByte uses a double extortion technique that allows threat actors to not only encrypt victims’ data but also exfiltrate it beforehand.

This two-pronged strategy gives them more influence when negotiating ransoms, as they can threaten to leak or evidently sell private data on the dark web if their demands are not satisfied.

In addition, “recent BlackByte operators have been seen using a custom exfiltration tool dubbed ‘ExByte’ to steal the victims’ data before encryption,” as reported by the researchers at the Internet Storm Center. According to the study, the stolen data is exfiltrated and then transferred to the Mega cloud storage service.

A Trend Micro threat assessment analysis observed that BlackByte, like many contemporary ransomware strains, makes use of legitimate utilities, sometimes known as living-off-the-land binaries, to blend in with normal system activities.

Researchers have noticed a rise in the ransomware group’s attacks on public sector organizations. According to the research, “up until the end of April 2022, the technology sector saw the most BlackByte detections,” but in May, detections also spiked in the government sector.

Augusta, Georgia, was the target of a cyberattack by the BlackByte ransomware group on April 30, 2021; they claim that their attacks were successful in several countries. The Trend Micro Smart Defense Network

“One way to best interpret these supposed observations is that the drastic increase stemmed from a single attack that affected several machines,” the paper concluded.

“This explanation is based on reports that, by their own claim, BlackByte operators had compromised a Peruvian government entity around the time of the increased activity, in addition to reports on ransomware groups targeting Latin America.”


Augusta, Georgia, admitted that illicit network access caused their recent IT system breakdown. The BlackByte ransomware gang listed Augusta as a victim, but the administration has not publicized the cyberattack. After Atlanta, Augusta is Georgia’s second-largest city. On Sunday, May 21, the city began “experiencing technical difficulties” that interrupted parts of its computer systems, according to its online portal. The notification says this event is unrelated to last week’s IT system failure.

We are looking into the full scope of the cyberattack’s effects and working to get our systems functioning and running as quickly as possible. Threat actors may have stolen sensitive data. Augusta’s Information Technology Department continues to work diligently to investigate the incident, to confirm its effects on our systems, and to bring back its full operations to our systems as soon as possible, the city said. Mayor Garnett Johnson denies media accusations that Augusta is being held hostage for $50 million.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x