Nearly a week after it became the target of one of the largest ransomware attacks to date, the City of Atlanta has made progress toward recovery, but it is still far from business as usual. Hackers encrypted many of the city government’s vital data and computer systems.
The ransomware attack, which Mayor Keisha Lance Bottoms characterized as “a hostage situation,” forced the city to shut down municipal courts and even prevented residents from paying bills online. The city has been unable to issue warrants, and in many cases city employees have had to fill out forms and reports by hand.
The hackers demanded that officials pay a ransom of US$51,000 to be sent to a bitcoin wallet.
Threat researchers from Dell-owned Secureworks, which is based in Atlanta, have been working to help the city recover from the attack.
The security firm identified the assailants as the SamSam hacking group, The New York Times reported on Thursday. That organization has been known for similar ransomware attacks; it typically makes ransom demands of $50,000 or more, usually payable only with bitcoin.
Secureworks has been working with the city’s incident response team as well as the FBI, the Department of Homeland Security and the U.S. Secret Service. In addition, a number of independent experts, including researchers from Georgia Tech, have been called in to determine how the attack occurred and help strategize to prevent another such attack.
As of Thursday, the city’s Department of Information Management, which first discovered the attack on March 21, said that it had found no evidence that customer or employee data was compromised. It nevertheless encouraged everyone to take precautionary measures, including monitoring personal accounts and protecting personal information.
The attack on Atlanta remains one of the largest ransomware attacks to date. It is actually much bigger than a cyberthreat, Mayor Bottoms said earlier this week; it is an attack on the government and its citizens.
“Ransomware attacks are a reality for many businesses, and unfortunately, this instance is likely not the last,” said Sam Elliott, director of security product management at Bomgar.
“Ransomware is one of the easiest ways to monetize a successful breach of security, and as such it continues to be favored by many hackers,” noted Eytan Segal, principal product manager at Check Point.
“This recent breach of the Atlanta local government is a good example of how devastating and frustrating these attacks can be when they succeed,” he told TechNewsWorld.
However, the city’s quick response may have limited the potential for greater damage.
“From a response standpoint, the city is doing the best that it can,” said Raj Rajamani, vice president of product management at SentinelOne.
“By immediately cutting employees off from their devices, they may have helped minimize the spread of the ransomware,” he told TechNewsWorld.
Atlanta’s data reportedly has been held for ransom using AES 256-bit encryption, one of the most secure encryption methods available and one that is used in many modern algorithms. Without the key, the encrypted files cannot practically be recovered by brute force.
There is no guarantee that the SamSam threat actors actually would release the files and decrypt the data if the ransom were paid. However, these particular hackers have released systems targeted in past attacks.
Generally, those holding files for ransom do release them, as failure to do so would make future threats meaningless and no one would pay.
Still, the city has given no indication that it will bow to the ransomware demands. Atlanta could be in the fortunate position of having the option to refuse them.
The city’s IT department has done its due diligence in backing up critical data, and many of Atlanta’s critical services have been moved to the cloud. In addition, the city’s networks have been segmented from other systems. As a result, public safety systems and the Atlanta Hartsfield Airport have not been affected by this attack.
Recovery will be slow, though not impossible, if the ransom is not paid.
“Subtle details in your backup strategy can make all the difference in the world when you would try to recover after a ransomware attack,” cautioned Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“The balancing act is between integrity and availability of your data,” he told TechNewsWorld.
On one hand, you would want very strong protections between your live system and the repository for its backup, Purtilo pointed out. You wouldn’t want a similar exploit to lock up the recovery data, and off-site storage is a common way to ensure that systems are isolated.
“Yet on the other hand, the more isolated are our data, the more is the challenge for keeping backups updated,” he added. “After cleaning a production system of malware, you might recover most data from off site, but it would still be pretty disruptive to lose data that changed following some checkpoint.”
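The trade-off Purtilo describes can be made concrete with a small simulation (an added example, not part of the article): a continuously synced mirror stays current but faithfully copies whatever corrupts the live system, while an isolated checkpoint survives the event but loses every change made after the last snapshot. All data is constructed, and the "encryption" is just a string marker standing in for unreadable ciphertext.

```python
"""Toy model of the backup integrity/availability trade-off.
Constructed data; the ransomware event only replaces file contents
with a marker string, it performs no real cryptography."""
from dataclasses import dataclass, field


@dataclass
class Store:
    live: dict = field(default_factory=dict)
    mirror: dict = field(default_factory=dict)       # always-on sync of live
    checkpoints: list = field(default_factory=list)  # isolated snapshots
    changes_since_checkpoint: int = 0

    def write(self, name, content, checkpoint_every):
        self.live[name] = content
        self.mirror[name] = content                  # mirror follows live
        self.changes_since_checkpoint += 1
        if self.changes_since_checkpoint >= checkpoint_every:
            self.checkpoints.append(dict(self.live))  # copy, then isolate
            self.changes_since_checkpoint = 0

    def ransomware_event(self):
        # Simulated: every live file becomes an unreadable blob, and the
        # online mirror, being connected, propagates the damage.
        for name in self.live:
            self.live[name] = "<ENCRYPTED>"
        self.mirror.update(self.live)


def recover(store, good):
    """Score each recovery source against the known-good content."""
    def score(copy):
        ok = sum(1 for n, c in good.items() if copy.get(n) == c)
        return {"recovered": ok, "lost": len(good) - ok}
    latest = store.checkpoints[-1] if store.checkpoints else {}
    return {"mirror": score(store.mirror), "checkpoint": score(latest)}


def simulate(n_files=10, checkpoint_every=4):
    """Write n_files records, suffer the event, report what each backup saves."""
    store, good = Store(), {}
    for i in range(n_files):
        name, content = f"record{i}.txt", f"version-{i}"
        good[name] = content
        store.write(name, content, checkpoint_every)
    store.ransomware_event()
    return recover(store, good)


if __name__ == "__main__":
    print(simulate())  # mirror loses everything; checkpoint loses 2 of 10
```

Shrinking `checkpoint_every` narrows the window of lost changes at the cost of more frequent transfers to the isolated store, which is exactly the balancing act described above.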
Preventing Future Attacks
Atlanta’s attack should be a warning to other cities and organizations that efforts need to be made to harden systems.
“Cover all your IT assets. IT environments are complex, very complex, and they span desktop and laptops, mobile devices, servers and the cloud,” said Check Point’s Segal.
“Companies should seek to adopt a unified solution that is architected to cover all these elements, includes all layers of advanced protections, and focuses on preventing attacks rather than detecting them,” he recommended.
“Maintaining a regular patching routine closes potential holes in an organization’s infrastructure, keeping attackers at bay,” Bomgar’s Elliott told TechNewsWorld.
“Infrastructure teams should also better segment their IT systems to prevent future malware from spreading laterally through connected networks, to prevent potential for extensive damage,” he added.
The Human Element
Proactive protection also should include employee training, as these attacks often involve social engineering or human error.
“Typically, SamSam ransomware victims are infected by clicking on a malicious link, opening an email attachment, or through malvertising,” noted SentinelOne’s Rajamani.
The SentinelOne Global Ransomware Report found that 58 percent of ransomware infections in the public sector were caused by employee carelessness, he pointed out.
“Every city and government organization should assume they’re a target,” warned Rajamani. “Attacks like the one in Atlanta are about more than just criminal payouts — they’re paralyzing attacks that can bring a city to its knees, as we’re seeing.”