City officials in Atlanta have continued to recover after the ransomware attack on municipal computer systems late last month that reportedly hit at least five out of 13 departments. This cyber attack knocked out numerous city services, kept residents from paying bills and limited some communication between departments. It even forced some departments, including units of the Atlanta Police Department, to revert to paper records.
This attack should serve as a warning to other communities that their own systems are vulnerable to a similar attack.
“The Atlanta event is stunning because of where it can lead, the outages that occurred and resulted in the shutdown of services at local government offices,” said Richard Blech, CEO of Secure Channels Inc. “This attack serves as a proving ground of bringing ransomware to a higher level – i.e. municipalities, utilities and government – and has turned out to be successful.”
For those reasons, agreed another expert, it should serve as a warning sign to the entire cybersecurity community.
“The fact that this doesn’t happen more frequently or hasn’t yet happened is actually more surprising than the fact that Atlanta was crippled this way,” Ed McAndrew, partner at the Ballard Spahr law firm and a former cybercrimes federal prosecutor, told Homeland Security Today.
Atlanta’s recovery has been slow, and a vast amount of data may be unrecoverable.
This is in part because of a failure to have a plan in place to deal with such an attack – including not just how to stop it, but how to deal with the fallout and recovery afterward.
“Cities are prepared for earthquakes and tornadoes as well as other natural disasters, so it is clear they understand recovery, but this attack suggests that they may not be prepared for a digital recovery,” Dr. Rhonda Chicone of the school of information technology at Purdue University Global told HSToday.
“We needed to scare the stakeholders, but it is unclear if this will be the wake-up call,” added Chicone. “Atlanta didn’t learn from the cyber attack on Alabama or Sacramento. So will we learn from Atlanta? Perhaps the final costs will shock other cities into taking this threat more seriously.”
Social Engineering Concerns
Atlanta was the target of the SamSam ransomware, which is known to be particularly advanced. It infiltrates by exploiting vulnerabilities including weak passwords on the target’s public-facing systems. It then uses tools such as the Mimikatz password recovery tool to seize control of the rest of the network.
Thus, it doesn’t rely on traditional social engineering attacks such as tricking users into clicking on a bad link or getting someone to inadvertently run malware for it to spread. Instead, SamSam can spread via remote desktop protocols as well as Java-based web servers and FTP (File Transfer Protocol) systems.
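The entry path described above, weak passwords on an exposed remote desktop service, leaves a recognizable trace in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, followed by a success (event 4624) from the same source. The following detection routine is an added example, not code from the article or from any product named in it; the event records are constructed for illustration and the threshold and window are assumptions a defender would tune.

```python
"""Flag password-guessing against an exposed RDP service from Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs:
# (timestamp, event_id, logon_type, source_ip, user)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2018-03-22T02:14:01", 4625, 10, "203.0.113.9", "administrator"),
    ("2018-03-22T02:14:03", 4625, 10, "203.0.113.9", "admin"),
    ("2018-03-22T02:14:05", 4625, 10, "203.0.113.9", "administrator"),
    ("2018-03-22T02:14:08", 4625, 10, "203.0.113.9", "administrator"),
    ("2018-03-22T02:14:12", 4625, 10, "203.0.113.9", "Administrator"),
    ("2018-03-22T02:14:15", 4625, 10, "203.0.113.9", "administrator"),
    ("2018-03-22T02:14:20", 4624, 10, "203.0.113.9", "administrator"),
    ("2018-03-22T02:16:40", 4625, 10, "198.51.100.4", "jsmith"),  # one typo
    ("2018-03-22T02:17:02", 4624, 10, "198.51.100.4", "jsmith"),
    ("2018-03-22T02:30:00", 4624, 3, "203.0.113.9", "administrator"),  # not RDP
    ("2018-03-22T03:05:00", 4624, 10, "192.0.2.7", "mlee"),
]

FAIL_THRESHOLD = 5              # assumed tuning values, not from the article
WINDOW = timedelta(minutes=10)


def detect_rdp_guessing(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures": n, "compromised_users": [...]}}.

    A source is alerted when its RDP failures within `window` reach
    `threshold`; any later RDP success from that source is recorded as a
    likely compromised account.
    """
    alerts = {}
    failures = defaultdict(list)  # source_ip -> timestamps of recent 4625s
    for ts, event_id, logon_type, ip, user in sorted(events, key=lambda e: e[0]):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            recent = [f for f in failures[ip] if t - f <= window]  # slide window
            recent.append(t)
            failures[ip] = recent
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "compromised_users": []})
                alerts[ip]["failures"] = len(recent)
        elif event_id == 4624 and ip in alerts:
            if user not in alerts[ip]["compromised_users"]:
                alerts[ip]["compromised_users"].append(user)
    return alerts


if __name__ == "__main__":
    print(detect_rdp_guessing(SAMPLE_EVENTS))
```

A single mistyped password from a legitimate user stays below the threshold, while the guessing source is reported together with the account that eventually logged in.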
“Ransomware is about exploiting basic weaknesses in services,” explained Nitin Donde, COO at Imanis Data. “It doesn’t have to rely on users alone to do bad things. In many cases it is weaknesses in the systems, which is like leaving the door to your house open so that bad guys can just walk in.”
There is still concern that social engineering can be a factor in the spread of ransomware as well.
“Of course, we need to be careful, we have to become the human firewall,” added Chicone. “We need to step back when we are using technology. Social engineering is easy to conduct, but it isn’t the only way criminals take over these systems. The criminal is always going to take the path of least resistance and highest reward.”
Regardless of how the damage was done, the concern remains that few organizations or cities have a reliable recovery plan in place. Just as a city should have a recovery plan for a natural disaster so, too, should one be in place for this sort of digital disaster.
“The loss or exposure of data is not the main purpose of a ransomware attack. The intention is not to steal data; they simply corrupt it so it is inaccessible,” explained Secure Channels Inc.’s Blech. “If there were a backup, the exploitation would be inconsequential and the criminal would have no leverage. Atlanta’s attack illustrates the importance of why organizations should secure backup data outside the reach of hackers.”
This should be seen as an affordable insurance policy, added Donde.
“It is important to get the data up quickly, and that shouldn’t be hard to do if you regularly back up,” Donde told HSToday. “It is inexpensive, but it isn’t implemented enough.”
Danger of Negotiating with Hackers
Whether this happens on a personal level, a corporate level or even at the community level, the FBI discourages paying ransom as it could encourage future attacks.
“Behind the scenes there is always going to be a cost-benefit analysis, and it certainly happens in the private sector,” said McAndrew. “The sad truth is ransoms can actually be fairly reasonable. It has been something that people are willing to pay.”
Recent ransomware attacks have mainly been about financial gain for the hackers, and the damage they inflict has tended to be limited.
“Under the current method it is just money, and this is just a financial motive,” added McAndrew. “They don’t want to do too much damage and usually will return your data.”
The danger is that similar attacks could be conducted by those not motivated by financial reward at all.
“The object changes with threat actors and could not just be ransomware but wiperware attacks where the data is destroyed, because that is when serious damage will occur,” noted McAndrew. “No matter what the motive, this should be a warning that malware is getting in these systems, and we need not to focus on the price tag, but on the vulnerabilities that allow these attacks to occur.”