The city of Atlanta was recently hit with a ransomware attack that took down several major computer systems providing city services. The hackers demanded $51,000 to decrypt the systems. Described by the mayor as a “hostage situation”, the city had to pull in resources from the FBI, Secret Service, and Department of Homeland Security, as well as other academic and private institutions. The cost of the attack was last reported at $5 million USD…and that number doesn’t even include the cost of lost employee productivity.
Systems were down for more than 5 days – preventing residents from paying their water bills or parking tickets, police and other city employees had to revert to pen and paper and manually write out reports, and court proceedings had to be cancelled. For over a week, it was a fight to keep the city government running, and several days later departments were still struggling to regain normal operations.
The form of ransomware used, SamSam, infiltrates organizations’ networks by exploiting common vulnerabilities or guessing weak passwords on external systems, and then uses other tools, like Mimikatz password discovery, to start to gain control of a network. Once attackers enter the network, they try to move laterally across networks, spending time getting positioned and locating all critical services they can access and potentially disable, before they start encrypting systems. Ideally, organizations will detect them before they start the encryption, but many times, due to a lack of intrusion detection tools in place or regular vulnerability scanning, organizations do not become aware until they can’t access their data or a message appears demanding a ransom payment.
The attackers deploying SamSam are smart and choose their targets carefully, often selecting institutions like local governments, hospitals, and universities that may be more likely to pay the ransom fee, rather than risk extended downtime.
City governments often have limited IT budgets to dedicate towards information security, instead allocating the majority of their funds to meeting immediate needs and completing public works projects. And with limited resources, information security best practices can be challenging to implement and maintain. Recent news reports detail multiple audits that had been performed within the city of Atlanta, documenting known security weaknesses and vulnerabilities, and lack of business continuity and disaster recovery plans, but mitigation efforts were not made a priority.
The Mayor of Atlanta admitted that cybersecurity had not been a high priority and actually used the analogy of an old truck she had. She didn’t think she had to replace it until she was in a wreck, and then she would have no choice but to replace it. The city should have updated their security systems well before this incident occurred because, now that they have been breached, they are being forced to take action to resolve the issue and secure their systems – but in a much more frantic manner, with more people involved, more visibility, and at a much more significant cost.
Choosing to make these types of tradeoffs and ignoring known lapses in security make organizations ideal targets for these types of attacks. This attack should serve as a wake-up call for many that have not taken basic defensive steps to secure their systems – things like replacing outdated systems, patching existing software, vulnerability scanning, backing up critical information, etc. Luckily, for the city of Atlanta, emergency systems like 911 were not affected, but we have seen other cities that have had alarm/tornado sirens hacked, railway and transit systems targeted, and attacks on utilities like power grids and water plans.
It is imperative that state and local agencies invest in cyber security and implement comprehensive information security programs, coordinate security measures across locations, and thoroughly test new technologies, as their citizens are counting on them to protect their infrastructure and community.
Some additional guidance from Security Advisor team below:
[Gilmore]: I have experienced this kind of attack and it is devastating. Shame on this administration to believe that systems and security procedures do not need to be reviewed. The people of Atlanta are forced to trust this process, and they have been let down tremendously. Institutions and businesses have asked me several times what can they do to get management to understand the importance of Information security. These IT staff have been put on the back burner for years having to wait behind upgraded offices and parties. My ultimate response is, “You might have to have a breach.” Information security does not need to be in that kind of spotlight. Mange the technical infrastructure right; set aside the appropriate budget to maintain what is in place, and replace what needs to go. Also remember that in order to properly maintain all of these devices, make sure there are enough capable people to handle the job and give them the authority to make decisions to keep the network secure.
