IT Security: All You Need to Know About the Atlanta Ransomware Attack

Global cybercrime is growing at an alarming rate, and small and medium-sized enterprises (SMEs) have become a prime target of cybercriminals. Ponemon Institute’s most recent report concluded that 61% of SMEs were targets of cybercrime in 2017. That is an increase of 6% from 2016.

Ransomware is the most well-known cybercrime tactic to enter the national consciousness in the past two years. Damage costs related to ransomware in 2017 are projected to be well over $5 billion – a sum 15 times larger than in 2015.

What is Ransomware?

Ransomware is a form of malicious software, otherwise known as malware. Once a computer is infected, it allows the attacker to take complete control of that machine. The attacker can then lock users out of the computer, blocking all access to data and files. A ransom demand is posted, with the promise that once the ransom is paid the user will regain access to their computer.

To pay the ransom, users are usually given instructions to pay in Bitcoin. Once payment is completed, users are given the key needed to decrypt their files. Ransomware attackers typically use phishing to reach their targets. If the attacker spoofs a trusted contact’s email address and sends the ransomware file as an email attachment, the victim is very likely to open it.

Once the malicious file is opened, the malware begins encrypting files and preparing for the attack. This can happen immediately, or after days or even months – time the program uses to spread through the entire network.
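Because the encryption phase can start long after the initial infection, defenders cannot rely on catching the phishing email alone; the bulk-encryption behaviour itself is the most reliable thing to watch for. The following is an added example (not code from the original post or from any vendor product) of a heuristic detector that scores a stream of file-system events for the signs mass encryption leaves behind: a burst of writes in a short window, known document extensions replaced by an unfamiliar one, readable files overwritten with ciphertext-like high-entropy bytes, and a ransom note dropped into many directories. The event fields, thresholds and ransom-note file name are assumptions chosen for illustration; the two event streams at the bottom are constructed samples.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class FileEvent:
    ts: float           # seconds since epoch (assumed field layout)
    op: str             # "write", "rename" or "create"
    path: str           # path after the operation
    old_path: str = ""  # previous path (renames only)
    data: bytes = b""   # sample of the bytes written (writes only)

KNOWN_EXT = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "csv"}
# Constructed ransom-note name for this example, not a real SamSam artefact.
NOTE_NAMES = {"how_to_decrypt_files.txt"}

THRESHOLDS = {
    "burst_writes": 30,   # writes inside one sliding window
    "ext_changes": 10,    # known extension replaced by an unknown one
    "high_entropy": 10,   # document files overwritten with ciphertext-like bytes
    "note_dirs": 3,       # distinct directories receiving a ransom note
    "entropy_bits": 7.0,  # bits/byte above which a sample looks encrypted
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is ~4-5, encrypted or compressed data ~7.9+."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def dirname(path: str) -> str:
    return path.rsplit("/", 1)[0] if "/" in path else ""

def max_writes_in_window(events, window: float) -> int:
    """Largest number of write events falling inside any window of `window` seconds."""
    times = sorted(e.ts for e in events if e.op == "write")
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(events, window: float = 60.0, t=THRESHOLDS) -> dict:
    """Score one event stream; alert only when at least two indicators fire."""
    burst = max_writes_in_window(events, window)
    ext_changes = sum(1 for e in events if e.op == "rename"
                      and extension(e.old_path) in KNOWN_EXT
                      and extension(e.path) not in KNOWN_EXT)
    high_entropy = sum(1 for e in events if e.op == "write"
                       and extension(e.path) in KNOWN_EXT
                       and shannon_entropy(e.data) > t["entropy_bits"])
    note_dirs = {dirname(e.path) for e in events if e.op == "create"
                 and e.path.rsplit("/", 1)[-1].lower() in NOTE_NAMES}
    indicators = {
        "burst": burst >= t["burst_writes"],
        "extension_change": ext_changes >= t["ext_changes"],
        "high_entropy_overwrite": high_entropy >= t["high_entropy"],
        "ransom_notes": len(note_dirs) >= t["note_dirs"],
    }
    fired = sum(indicators.values())
    return {"indicators": indicators, "fired": fired, "alert": fired >= 2,
            "burst": burst, "ext_changes": ext_changes,
            "high_entropy": high_entropy, "note_dirs": len(note_dirs)}

def pseudo_ciphertext(seed: str, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]

def benign_events():
    """Constructed sample: a user saving a few reports over ten minutes."""
    text = b"Quarterly report: revenue grew 4 percent, costs flat.\n" * 20
    return [FileEvent(ts=100.0 + 120 * i, op="write",
                      path=f"/srv/share/finance/q{i}.docx", data=text) for i in range(5)]

def ransomware_events():
    """Constructed sample: 40 files encrypted in place and renamed in 20 seconds, then notes."""
    events = []
    for i in range(40):
        path = f"/srv/share/dept{i % 4}/file{i}.xlsx"
        events.append(FileEvent(ts=500.0 + 0.5 * i, op="write", path=path,
                                data=pseudo_ciphertext(path)))
        events.append(FileEvent(ts=500.1 + 0.5 * i, op="rename",
                                path=path + ".locked", old_path=path))
    for k in range(4):
        events.append(FileEvent(ts=530.0 + k, op="create",
                                path=f"/srv/share/dept{k}/HOW_TO_DECRYPT_FILES.txt"))
    return events

if __name__ == "__main__":
    for name, stream in (("benign", benign_events()), ("ransomware", ransomware_events())):
        print(name, analyze(stream))
```

Any single indicator fires on legitimate activity too (a backup job produces a write burst, a compression tool produces high-entropy output), which is why the verdict requires two of them together. In practice the events would come from a file-server audit log or an endpoint agent rather than a constructed list, and the thresholds would be tuned against a baseline of normal activity on that share.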

SamSam and the Case of the City of Atlanta Ransomware

SamSam is a privately developed, frequently updated ransomware variant. This particular form of malware is not easy for antivirus software to detect. Attackers let themselves into victims’ networks through an unpatched vulnerability in server software. Once they have access and deploy SamSam, it begins to slowly infect every machine and network backup it can find.

The fact that SamSam works slowly makes it very difficult to detect. It also gives the attackers time to infect more devices – including USB sticks and other peripherals that people commonly use to transfer files between computers. Once a transfer device is infected, every machine it touches is infected too.

The cybercriminals behind SamSam pay close attention to the media. Whenever news of a SamSam strain appears, the software is updated shortly afterwards. The city of Atlanta was a target of SamSam ransomware earlier this year, leading to $2.6 million in losses.

How Did SamSam Target the City of Atlanta?

In early March 2018, SamSam locked up a variety of citywide information systems in Atlanta. The attackers originally asked for a $50,000 ransom, but quickly took the payment portal offline, leaving the city’s employees on their own.

In the attack, approximately 8,000 city employees were unable to use their computers. The attack also left Atlanta residents unable to report issues, such as potholes, or pay parking tickets online.

The city decided against paying the ransom. The FBI discourages ransomware victims from paying out ransoms, but notes that certain data and processes are too important to fail. Many municipal services fall into that category, alongside hospital IT systems managing patient records and life support systems, among many others.

Fortunately for the city of Atlanta, the attack mostly compromised non-critical systems. City officials migrated these applications to the cloud to mitigate future risk. The city hired Ernst & Young for incident consulting to put a backup system in place.

During this time, the city worked with the FBI to determine the scope of the attack. The city also asked users to shut off their infected computers and devices so they would not infect others on the network. Many city employees turned to their personal mobile phones to carry out key processes. As of August 2018, this attack has cost the city of Atlanta up to $17 million.

Other Local Government Targets of SamSam in 2018

The city of Atlanta wasn’t the only local government institution SamSam targeted in 2018. Before the attack on Atlanta, SamSam had already targeted these government institutions:

  1. The Municipality of Farmington, MA
  2. Davidson County, NC
  3. Colorado Department of Transportation

When SamSam was initially discovered in 2016, it was targeting healthcare organizations. Once the hackers had success there, they expanded to schools and government organizations. Any institution for which system failure is not an option is a high-value target for ransomware cybercriminals.

How to Protect Yourself from Ransomware Attacks

The Atlanta attack has every appearance of being a dedicated attack carried out by cybercriminals with a specific goal in mind. But the nature of ransomware – and its capacity for lateral movement between connected computers, servers, and networks – causes a great deal of collateral damage.

Your organization can become a victim without even being specifically targeted. The best solution is to invest in multi-layered endpoint security that works to block out malicious activity in real time. Combined security solutions use phishing protection, network traffic analysis, and two-factor authentication to prevent ransomware attacks from crippling organizations.

Don’t wait until it’s too late to set up your multi-layered endpoint security system. Contact DME and speak to an expert today!

Published September 11th, 2018 | Blog