Murray County Pays $200,000 to Its Ransomware Attackers to 'Resolve' the Breach

Faced with locked systems, exposed resident data, and a clock running against them, the leaders of Murray County, Georgia made the choice that ransomware crews bank on: they paid. The county has confirmed it handed attackers $200,000 to “resolve” a cyberattack that disrupted county operations — a decision its leadership defended as the least-bad option available, and one that drops Murray County into the long, uncomfortable ledger of local governments that conclude paying is cheaper than fighting.

What happened

The attack struck on May 13, 2026, and it hit where residents feel it. According to county officials, the ransomware disrupted multiple departments, including the Tax Commissioner and Tax Assessor offices, Probate Court, Juvenile Court, and several other offices that were left with limited functionality. Critically — and this is the line every county prays it can say — first responders, public safety, and 911 systems remained operational throughout the incident. The disruption hit administration and the courts, not emergency dispatch.

The county brought in what it described as “nationally recognized third-party cybersecurity and data forensic consultants” to guide its response. Under that guidance, county commissioner Noah Bishop authorized the payment, drawing the $200,000 from the county reserve — the fund set aside for unexpected events and economic downturns. Officials emphasized that the county’s 2026 budget was unaffected and that there was “minimal impact” on operations, payroll, and pending projects.

The real reason they paid: data, not decryption

The official rationale is the tell. Bishop framed the payment as a “difficult decision” made to “best serve the interests of county residents and employees” — and specifically to prevent the publication of county data and give residents “some peace of mind.” That is the language of double extortion, the model that now dominates ransomware. Modern crews don’t just encrypt your systems; they steal your data first and threaten to leak it. Even an organization with flawless backups — one that could restore every system without a decryption key — still faces the separate threat of having residents’ personal information dumped on a leak site.

That is the trap. Backups solve the encryption problem. They do nothing about the extortion problem. Once the data is out the door, the only thing the attacker is selling is a promise not to publish it — a promise from criminals, with no enforcement mechanism, that the county is paying $200,000 to believe.

Why local governments keep paying

Murray County is not an outlier; it is the rule. Counties, school districts, and small municipalities have become a preferred ransomware target precisely because they sit in a brutal squeeze: they hold troves of sensitive resident data and run essential services, yet they rarely have the security budgets, staff, or modern infrastructure to defend at the level the threat now demands. When systems go down and citizens can’t pay taxes, file court documents, or process probate, the pressure to restore service fast is immense — and the attackers know it.

The decision to pay is genuinely fraught. Law enforcement, including the FBI, discourages ransom payments on the grounds that they fund and embolden the criminal ecosystem, finance the next attack, and offer no guarantee of data deletion or recovery. Yet for an individual county weighing a $200,000 payment against weeks of outage, exposed resident data, and an uncertain recovery, the calculus that produces a “yes” is easy to understand even as it perpetuates the problem. Every payment validates the business model; every validated business model produces more attacks. Murray County’s $200,000 is, in aggregate, a vote for the next county’s ransom note.

”Aggressive measures” — and the questions that remain

Bishop said the county has taken “aggressive measures” to reduce the risk of a repeat. That is the right instinct, but the details are what matter, and several questions hang over the resolution:

• Was data actually stolen, and was it deleted? The county paid to prevent publication, but paying does not guarantee the attackers destroyed their copy. Residents whose information was in those systems should treat their data as potentially exposed regardless of the payment.
• Which group was responsible? No ransomware gang has been publicly named — a gap that matters, because the actor’s track record on honoring “delete” promises is the only signal of what the $200,000 actually bought.
• What changed? “Aggressive measures” needs to mean the fundamentals: tested offline backups, network segmentation, phishing-resistant MFA, and an incident-response plan rehearsed before the next attack, not improvised during it.

For Murray County residents, the practical guidance is the same as after any government breach where personal data may have been exposed: watch for identity theft and fraud, consider a credit freeze, and be wary of phishing that leverages county or tax-office branding. The county kept 911 running and protected its budget — real wins. But it also wrote a $200,000 check to criminals on the strength of a promise, and the only thing that promise reliably purchases is a place on the list of governments that paid.

Sources

• Local 3 News — UPDATE: Murray County pays $200k to ransomware attackers to ‘resolve’ cyber breach
• NewsChannel 9 — Murray County restores systems after ransomware attack, pays $200,000 fee