Earlier this month, the City of Atlanta was successfully targeted by ransomware attacks that brought down the systems of at least five local government departments. In the words of Atlanta’s Mayor Keisha Lance Bottoms, “We are dealing with a hostage situation.”
Attackers infiltrated the court system, the police department, payment portals for water bills and communication systems for critical infrastructure. Each of these areas was brought down by a single form of ransomware—a simple but effective strain called SamSam, which was first identified in 2016. Those behind SamSam are known for their highly organised methods and targeted attacks.
Since the strain was first identified, hackers have used it to make nearly a million dollars from their victims. The City of Atlanta is now left cleaning up the mess, anticipating that it will take some time to rebuild network infrastructure and systems and to restore lost data. Despite the organised and sophisticated approach behind SamSam, the attack has exposed glaring vulnerabilities in the City of Atlanta's cyber security practices.
SamSam gets into networks by exploiting known vulnerabilities or guessing weak passwords. It then moves laterally through the network, using tools such as the credential-harvesting utility Mimikatz to penetrate deeper. Local governments are particularly prone to SamSam attacks because it has been adapted to exploit weaknesses in Remote Desktop Protocol (RDP) servers, File Transfer Protocol (FTP) servers and Java-based web servers, all of which are commonly used on public networks.
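The password-guessing entry point described above is one of the easier stages to spot from the defender's side, because each guess leaves a failed-logon record. The following script is an added example, not code from the article or from any SamSam analysis: it runs simple brute-force detection over a handful of constructed, Windows-style logon event lines (event 4625 for a failed logon, 4624 for a successful one, logon type 10 for RDP). The log format, the source addresses, the usernames and the thresholds are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified Windows Security log export format.
# They are fabricated for this example and are not from the Atlanta incident.
SAMPLE_LOG = """\
2018-03-22T02:14:01 EventID=4625 LogonType=10 User=administrator Src=198.51.100.23 Status=0xC000006D
2018-03-22T02:14:03 EventID=4625 LogonType=10 User=admin Src=198.51.100.23 Status=0xC000006D
2018-03-22T02:14:05 EventID=4625 LogonType=10 User=atlanta Src=198.51.100.23 Status=0xC000006D
2018-03-22T02:14:08 EventID=4625 LogonType=10 User=backup Src=198.51.100.23 Status=0xC000006D
2018-03-22T02:15:40 EventID=4625 LogonType=10 User=jsmith Src=10.0.0.5 Status=0xC000006A
2018-03-22T02:15:55 EventID=4624 LogonType=10 User=jsmith Src=10.0.0.5
2018-03-22T02:16:12 EventID=4625 LogonType=10 User=svc_backup Src=198.51.100.23 Status=0xC000006D
2018-03-22T02:16:30 EventID=4625 LogonType=2 User=administrator Src=10.0.0.9 Status=0xC000006A
2018-03-22T02:17:02 EventID=4624 LogonType=10 User=svc_backup Src=198.51.100.23
"""

# Regex for the assumed line format; the Status field is optional (absent on successes).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)(?: Status=(?P<status>\S+))?$"
)

RDP_LOGON_TYPE = 10   # RemoteInteractive
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S"),
            "event": int(d["event"]),
            "logon_type": int(d["ltype"]),
            "user": d["user"].lower(),
            "src": d["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source once it reaches `threshold` failed RDP logons inside a sliding `window`,
    and flag any later successful RDP logon from an already-flagged source, which is the
    signal that matters most: a guess that worked."""
    failures = defaultdict(list)   # src -> timestamps of recent failed RDP logons
    flagged = set()
    findings = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue   # console and network logons are out of scope for this check
        src = e["src"]
        if e["event"] == FAILED_LOGON:
            failures[src].append(e["ts"])
            # keep only failures that fall within the sliding window
            failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("brute_force", src, len(failures[src]), e["ts"]))
        elif e["event"] == SUCCESS_LOGON and src in flagged:
            findings.append(("success_after_guessing", src, e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_guessing(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed input, the external address reaches five failed RDP logons within a couple of minutes and is flagged, while the single mistyped password from the internal workstation is not; the success from the flagged address a minute later is reported separately, because a successful logon after a burst of failures deserves an immediate response (disable the account, review what that session did) rather than a routine ticket. Removing RDP from the public internet altogether, or putting it behind a VPN with multi-factor authentication, makes this whole class of alert far rarer.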
Targets are chosen carefully—those with small security budgets and particularly sensitive systems and data are preferred. These include hospitals, industrial control services and medical records firms in addition to local governments like Atlanta’s, with attackers judging that they would likely prefer to pay the ransom rather than deal with the infections. The ransoms are set at amounts that would be beneficial for the attacker, while being potentially affordable for the victim.
But what’s scariest about SamSam isn’t the attackers spreading it, nor their organisation and attack methods. It’s the fact that it’s well known, and could easily be blocked by upholding simple cyber security best practice. That it successfully brought down five of Atlanta’s departments indicates that their antivirus, network segmentation and backup strategies were inadequate.
Of course, this is precisely why Atlanta was targeted. Lacking resources, and with no shortage of immediate priorities to please voting residents, local governments struggle to implement even basic cyber security practices. They also operate with expansive attack surfaces designed to enable flexibility, remote access and accessibility. While this is good news for employees, it’s even better news for would-be attackers.
According to the WEF’s 2018 Global Risk Report, the slow pace of organisational and institutional change is fuelling cybercriminals’ appetites. Between 2016 and 2017 ransomware attacks increased by more than 90 percent, and while targets continue to keep cyber security low on their list of priorities, that number will only keep rising.
In the long term, it is far more sustainable to implement best practice and prioritise cyber security to prevent these attacks than to suffer the expensive and chaotic consequences. So after SamSam, will government departments and agencies continue their attempts to deal with problems as they arise?
After all, Atlanta was perhaps lucky that this was a simple ransomware attack. It should be a wake-up call to all cities and government entities that the next cyber-attack may not be motivated by greed and money – but by altogether more malicious motives.
The damage caused by cyber-attacks doesn’t have to be accepted as an inevitability that must be passively endured; a proactive approach towards prevention is far more effective and beneficial than reactive recovery—especially for the taxpayer.