It was all over the major press yesterday. The Mayor of Atlanta, Georgia has confirmed that several local government systems are currently down due to a ransomware infection and said the infection took root at around 5:40 AM, local time.
Mayor Keisha Lance Bottoms expects city departments to open tomorrow, but operate without IT support. Asked if the city plans to pay the ransom, Mayor Bottoms said "We can't speak to that right now. We will be looking for guidance from specifically our federal partners." Atlanta is not alone. On Feb 13th, Savannah, Georgia was hit with ransomware too.
Not all IT infrastructure was affected: the city was in the process of moving some systems to cloud services, and those systems were untouched.
According to 11Alive, a local TV station, the infection was caused by the SamSam ransomware, a strain that's been very active at the start of this year, and had previously also infected the Colorado Department of Transportation. SamSam is also notorious for deleting Veeam backups, and maybe yours too.
A screenshot sent to 11Alive from a city employee and analyzed by technical expert and Kennesaw State University professor Andrew Green, shows a bitcoin demand of $6,800 per unit, or $51,000 to unlock the entire system.
Richard Cox, the City of Atlanta's new Chief Operations Officer, who is in his first week on the job (hell of a way to start your new gig), said the infection affected several internal and customer-facing applications, such as the online systems that residents used to pay city bills or access court documents.
Cox and his team are working with the FBI and DHS agents, but also with incident response teams from Cisco and Microsoft. Investigators are still assessing the damage and validating the infection's impact on city systems.
UPDATE 3/24/2018 - Atlanta counts on backups
“SamSam is a ransomware controlled by a single threat group,” explained Keith Jarvis, a researcher with Secureworks Counter Threat Unit. “It’s unlike other ransomware that’s out there.” What makes SamSam different is in the way the attacks develop.
So how did this happen? Sam Elliott, director of security product management with remote security services provider Bomgar in Atlanta, said it’s apparent that “there’s some pretty bad hygiene of open ports there.” “What probably caused this is a port that should not have been open,” he said.
Eugene Weiss, head of content security intelligence engineering for Barracuda Networks, explained what happens next. “The SamSam malware looks for certain critical files. It encrypts them with AES 256-bit encryption, and asks for a Bitcoin to be sent to a Bitcoin wallet.”
Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends:
- Turn off RDP. It should never be used on any public facing port and its use should be discouraged anywhere else on a network.
- Turn on two-factor authentication. Brute force credential attacks won’t work if two-factor authentication is in place.
- Perform regular audits of your external network for open remote access ports. You can use the Shodan search engine for this.
- Have robust credentials. Weak credentials make a break-in easier and faster.
- Use whitelisting. That means keep a list of the sites on the internet where users are allowed to go, and a list of what sites can have access to your network.
Weiss adds a couple more suggestions:
- Never allow Windows shares on the public network.
- Patch religiously. While you need to confirm that a patch will work, it’s critical to apply it promptly. The practice of delaying patches for months or forever is certain to cause problems.
- Finally, train your employees to recognize threats such as phishing emails. “It’s time that anyone who touches a computer ought to be trained about social engineering,” he said.
Following security best practices will help most organizations avoid ransomware, but those practices have to be more than just lip service.
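As an added illustration of the audit Jarvis recommends above (not code from the original post or from any of the vendors quoted), the script below checks a list of your own externally reachable hosts for the remote-access ports the advice singles out and turns each open port into a finding with a severity and a remediation. The host addresses, severities and remediation text are constructed assumptions; the probe is a plain TCP connect so it can be swapped for another check.

```python
"""Perimeter audit for exposed remote-access ports (constructed example).

Assumption: the hosts come from your own asset inventory and you are
authorised to probe them. The probe function is injectable so the audit
logic can be exercised without network access."""
import socket
from dataclasses import dataclass

# Ports the advice above singles out, with the severity and fix a defender would log.
REMOTE_ACCESS_PORTS = {
    3389: ("RDP", "high", "remove from public interfaces; reach via VPN with 2FA only"),
    445: ("SMB", "high", "never expose Windows shares publicly; disable SMBv1"),
    139: ("NetBIOS", "high", "block the NetBIOS session service at the perimeter"),
    21: ("FTP", "medium", "retire FTP or move to SFTP behind authentication"),
    5900: ("VNC", "high", "remove from the perimeter; require VPN plus 2FA"),
    22: ("SSH", "low", "restrict by source IP; keys plus 2FA, no passwords"),
}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    severity: str
    action: str


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds (port is reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(hosts, probe=tcp_probe, ports=REMOTE_ACCESS_PORTS):
    """Probe every host for every remote-access port; return a Finding per open port."""
    findings = []
    for host in hosts:
        for port, (service, severity, action) in ports.items():
            if probe(host, port):
                findings.append(Finding(host, port, service, severity, action))
    return findings


def summarize(findings):
    """Count findings per severity so the audit result can gate a change ticket."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


if __name__ == "__main__":
    import sys
    for f in audit(sys.argv[1:]):
        print(f"{f.host}:{f.port} {f.service} [{f.severity}] -> {f.action}")
```

Run it on a schedule against your inventory and treat any "high" finding as a break in the "turn off RDP" and "no public Windows shares" rules above.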
UPDATE 3/25/2018 - Airport shuts down Wi-Fi and Flight Information "out of an abundance of caution"
Acting Chief Information Officer Daphne Rackley said the city was still in “deep investigation and incident management mode” and that scans were still being run to determine the full extent of the attack. Many of the city’s systems were taken offline as a precaution, and Rackley said she couldn’t give a definitive timeline for when she expected things to return to normal.
The airport shut down its Wi-Fi network and the systems that provide flight information and security checkpoint wait times on its website “out of an abundance of caution,” spokesman Reese McCranie said in a phone interview Friday. In other words, even if people were not from Atlanta, they could have felt the sting of the attack as Hartsfield-Jackson Atlanta International Airport was noted as being the “world’s busiest airport.”
Atlanta officials still 'working around the clock' to resolve ransomware attack
WXIA reported that SamSam ransomware was used to target Atlanta. As was reported by CSO’s Steve Ragan, the group behind SamSam is believed to have made almost $850,000 since December 2017. In Atlanta’s case, Ragan wrote, “The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.” WannaCry anyone?
UPDATE 3/26/2018 - "Public deserves to know more about how Atlanta is battling cyberattack", expert says
It’s day four since the ransomware attack on the city of Atlanta and many of its computer systems are still shut down. The cyber criminals are demanding $51,000 to unlock the system, and one security expert believes the public deserves more answers. "It’s tough to say where we are because the city of Atlanta is not being very forthcoming," said Andy Green, a lecturer of information and security at Kennesaw State University, adding the city’s silence is very concerning.
"But if they're not sure how the bad actors got into the network then you run the real risk of paying and then turning right around in a few days and being subjected to the same type of attack again," Green said.
That's actually a real concern, and has happened before. Rick Wilson tweeted a humorous observation—not necessarily referring to Atlanta—but in general when you get hit with an attack like this: (read the comments)
- Don't let lawyers run crisis PR.
- Tell the truth, tell it all, tell it fast.
- Put senior leaders up front, take responsibility, face the issue.
- Don't let the lawyers run crisis PR.
- Describe a fix, and DO IT.
- Finally, don't let the lawyers run crisis PR.
UPDATE 3/27/2018 - "Atlanta Still Struggling to Recover from Ransomware Days After Attack"
As of this writing, Atlanta is still in the process of recovering from the attack. It has learned the identity of the attackers and determined that they infiltrated the city’s systems remotely. Mayor Keisha Lance Bottoms didn’t downplay the severity of the ongoing ransomware infection in a news conference. As quoted by Reuters:
"This is much bigger than a ransomware attack, this really is an attack on our government. We are dealing with a (cyber) hostage situation".
UPDATE 3/28/2018 - "City Of Atlanta Turns Computers On Nearly A Week After Cyberattack"
City workers in Atlanta are turning their computers back on for the first time in nearly a week. That’s after a cyberattack on the government’s computer systems brought much of the city’s online services to a halt Thursday.
But things are not quite back to normal yet. Residents still seem unable to pay their water bills or parking tickets online. Police and other employees are having to write out some reports by hand. Travelers at the world’s busiest airport still cannot use the free Wi-Fi. And Municipal Court proceedings for people who are not in police custody are canceled until computer systems are functioning properly again.
Following the attack, Atlanta Mayor Keisha Lance Bottoms said cyber security has become a top priority for her administration. Excellent plan, since ransomware usually comes in through email and social engineering.
Allan Liska, a senior intelligence analyst at Recorded Future was quoted in the NY Times saying: "he believed that SamSam gains access to its victims’ systems and then waits for weeks before encrypting the victim’s data. That delay, Mr. Liska said, makes it harder for responders to figure out how the group was able to break in — and easier for SamSam’s hackers to strike twice."
This happened at the Colorado Department of Transportation, which was able to restore its systems without paying SamSam any ransom. But a week later, the hackers struck the department again. I recommend ATL really does a thorough job getting and keeping this gang of criminal hackers out; we do not want to see them being hit twice!
UPDATE 3/29/2018 - DO NOT PUT SCREENSHOTS OF THE RANSOM DEMAND ON THE INTERNET
Because the bad guys will shut down that page and you have no opportunity to pay or communicate in case your backups fail. See story at the NPR website.