Ransomware Attack in Atlanta

There’s nothing worse than serving up a great idea to a hacker on how to make money, and that’s exactly what’s happening in Atlanta.

The city of Atlanta is currently struggling to rebound after a multi-day Ransomeware* attack which caused the city’s website outage. The outage prevented customers from paying bills and fees online, which freezes revenues to the city. According to this Reuters article the city was instructed to pay $51,000 in bitcoin to unlock their systems – which gives the municipality pause for so many reasons. The city is trying to identify which cyber group is responsible for this attack as they have only confirmed publicly that their systems were accessed remotely.

Wired reports that this particular malware is called a “Sam Sam” attack which, ‘infiltrates by exploiting vulnerabilities or guessing weak passwords in a target’s public-facing systems, and then uses mechanisms like the popular Mimikatz password discovery tool to start to gain control of a network. This way, the attack doesn’t need to rely on trickery and social engineering to infect victims. And SamSam has been adapted to exploit a variety of vulnerabilities in remote desktop protocols, Java-based web servers, File Transfer Protocol servers, and other public network components.

Attackers deploying SamSam are also known to choose their targets carefully—often institutions like local governments, hospitals and health records firms, universities, and industrial control services that may prefer to pay the ransom than deal with the infections themselves and risk extended downtime.

Another really frightening trend is hackers are using ransomware attacks to cover their tracks. They steal personal data or worse, then deploy the ransomware, thus making the theft much harder to detect, prosecute or remedy.
The discouraging bit of this event is that it highlights the vulnerability common to most government municipalities. Due to employees who are not well-trained on security threats, paired with tightening budgets, nearly all cities lack the funding to support proper defenses for cutting edge cyber security defense. This characteristic seems to have caught the attention of hacker groups around the world and sadly, could prompt more ransomware attacks across the nation. In fact, According to a recent report by Symantec, the number of ransomware attacks tripled in 2017.

It’s part of a growing trend that we’ve seen in the world of data management. As Bryce Austin, the author of Secure Enough states, “The problem is that cybercriminals have figured out an important new angle to their business model: companies that don’t have information that is valuable on the black market still have information that’s valuable to the company itself.”
It pains us to hear about the ongoing disruption in service that the City of Atlanta is going through, as GDV maintains DRaaS for several municipal and other government entities. We’ve performed numerous recoveries which have led to fast resolution after ransomware or other cyber attack.

Critical systems for first responders and financial portals for customers are pressure points that hackers would love to have access to, and we have mission priority to ensure any disruption in service is minimal for each of these entities. In the video below Brian Childers, president of Comport Consulting tells how, when a municipality lost its first responder exchange server, putting the lives of all those who depended on its police and fire departments at risk, a Friday night call to Global Data Vault had them back online in a couple of hours.

*Ransomware as defined by Reuters, “is a type of malware that infects computers networks and then freezes them, with the attackers demanding a ransom in order to restore services. The initial assault often comes via a phishing link that someone within the network opens on their email.”