Nearly a week after it became the target of one of the largest ransomware attacks to date, the City of Atlanta has made progress toward recovery, but it is still far from business as usual. Hackers encrypted many of the city government’s vital data and computer systems.
The ransomware attack, which Mayor Keisha Lance Bottoms characterized as “a hostage situation,” forced the city to shut down municipal courts and even prevented residents from paying bills online. The city has been unable to issue warrants, and in many cases city employees have had to fill out forms and reports by hand.
The hackers demanded that officials pay a ransom of US$51,000 to be sent to a bitcoin wallet.
Threat researchers from Dell-owned Secureworks, which is based in Atlanta, have been working to help the city recover from the attack.
The security firm identified the assailants as the SamSam hacking group, The New York Times reported on Thursday. That organization has been known for similar ransomware attacks; it typically makes ransom demands of $50,000 or more, usually payable only with bitcoin.
Secureworks has been working with the city’s incident response team as well as the FBI, the Department of Homeland Security and the U.S. Secret Service. In addition, a number of independent experts, including researchers from Georgia Tech, have been called in to determine how the attack occurred and help strategize to prevent another such attack.
As of Thursday, the city’s Department of Information Management, which first discovered the attack on March 21, said that it had found no evidence that customer or employee data was compromised. It nevertheless encouraged everyone to take precautionary measures, including the monitoring of personal accounts and protecting personal information.
The attack on Atlanta remains one of the largest ransomware attacks to date. It actually is much bigger than a cyberthreat, Mayor Bottoms said earlier this week. It’s an attack on the government and its citizens.
“Ransomware attacks are a reality for many businesses, and unfortunately, this instance is likely not the last,” said Sam Elliott, director of security product management at Bomgar.
“Ransomware is one of the easiest ways to monetize a successful breach of security, and as such it continues to be favored by many hackers,” noted Eytan Segal, principal product manager at Check Point.
“This recent breach of the Atlanta local government is a good example of how devastating and frustrating these attacks can be when they succeed,” he told TechNewsWorld.
However, the city’s quick response may have limited the potential for greater damage.
“From a response standpoint, the city is doing the best that it can,” said Raj Rajamani, vice president of product management at SentinelOne.
“By immediately cutting employees off from their devices, they may have helped minimize the spread of the ransomware,” he told TechNewsWorld.
Atlanta’s data reportedly has been held for ransom using AES 256-bit encryption, which is one of the most secure encryption methods. It is used in many modern algorithms.
There is no guarantee that the SamSam threat actors actually would release the files and decrypt the data if the ransom were paid. However, these particular hackers have released systems targeted in past attacks.
Generally, those holding files for ransom do release them, as failure to do so would make future threats meaningless and no one would pay.
Still, the city has given no indication that it will bow to the ransomware demands. Atlanta could be in the fortunate position of having the option to refuse them.
The city’s IT department has done its due diligence in backing up critical data, and many of Atlanta’s critical services have been moved to the cloud. In addition, the city’s networks have been segmented from other systems. As a result, public safety systems and the Atlanta Hartsfield Airport have not been affected by this attack.
Recovery will be slow if the ransom is not paid but not impossible.
“Subtle details in your backup strategy can make all the difference in the world when you would try to recover after a ransomware attack,” cautioned Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“The balancing act is between integrity and availability of your data,” he told TechNewsWorld.
On one hand, you would want very strong protections between your live system and the repository for its backup, Purtilo pointed out. You wouldn’t want a similar exploit to lock up the recovery data, but off-site storage is a common way to ensure that systems are isolated.
“Yet on the other hand, the more isolated are our data, the more is the challenge for keeping backups updated,” he added. “After cleaning a production system of malware, you might recover most data from off site, but it would still be pretty disruptive to lose data that changed following some checkpoint.”
Preventing Future Attacks
Atlanta’s attack should be a warning to other cities and organizations that efforts need to be made to harden systems.
“Cover all your IT assets. IT environments are complex, very complex, and they span desktop and laptops, mobile devices, servers and the cloud,” said Check Point’s Segal.
“Companies should seek to adopt a unified solution that is architected to cover all these elements, includes all layers of advanced protections, and focuses on preventing attacks rather than detecting them,” he recommended.
“Maintaining a regular patching routine closes potential holes in an organizations’ infrastructure, keeping attackers at bay,” Bomgar’s Elliott told TechNewsWorld.
“Infrastructure teams should also better segment their IT systems to prevent future malware from spreading laterally through connected networks, to prevent potential for extensive damage,” he added.
The Human Element
Proactive protection also should include employee training, as these attacks often involve social engineering or human error.
“Typically, SamSam ransomware victims are infected by clicking on a malicious link, opening an email attachment, or through malvertising,” noted SentinelOne’s Rajamani.
The SentinelOne Global Ransomware Report found than 58 percent of ransomware infections in the public sector were caused by employee carelessness, he pointed out.
“Every city and government organization should assume they’re a target,” warned Rajamani. “Attacks like the one in Atlanta are about more than just criminal payouts — they’re paralyzing attacks that can bring a city to its knees, as we’re seeing.”