In March 2018 the City of Atlanta was hit by a ransomware attack that infiltrated its network and halted multiple city services. The attack is especially noteworthy given the size and scope of the affected city and the difficulty its IT administrators had in recognizing and stopping the attack. It immediately prompted discussion among the administrators responsible for cybersecurity in the US and the UK about how to prevent such attacks in the future.
The Atlanta ransomware attack should ring alarm bells for municipalities in the U.S. and around the world. Cities frequently do not devote enough resources to defending against such attacks, and therefore neither follow the right best practices nor implement the necessary technical controls. The data held by municipalities can include a great deal of personal information about residents, exposing them to identity theft and eroding their confidence in public institutions.
Governments, utility companies, and cities should view the Atlanta attack as a "proof of concept" that will embolden attackers to attempt larger-scale ransomware campaigns. Once the attackers have encrypted the data and are holding it to ransom, the leverage is theirs, and at that point law enforcement and security teams are hard-pressed to stop them.
Background on the Atlanta Attack
The attack was carried out by the group behind the SamSam ransomware (the group is commonly referred to by the same name). The attackers encrypted city files, locked users out of various online services, and prevented court cases and warrants from proceeding. SamSam operators have exploited a deserialization vulnerability in Java-based servers to gain initial access: the server reconstructs objects from attacker-supplied bytes and can be made to execute code in the process. The city had many possible public-facing entry points, such as FTP servers and various VPNs, and many of these services were also running with Server Message Block version 1 (SMBv1) enabled, a protocol with known security issues.
Analysts say the SamSam operators often gain access to a network and then wait a few weeks before encrypting data and demanding a ransom, which makes it difficult to pinpoint when and how they got in. In Atlanta's case the attackers demanded about $51,000 in Bitcoin, an amount in line with other cases: the attackers know the ransom is considerably less than the IT cost of recovering from the attack or the revenue lost while systems are offline.
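To show how the SMBv1 exposure mentioned above can be inventoried, here is an added example in Python; it is not part of the article and not a tool the article names. It sends an SMB1 NEGOTIATE that offers only the classic NT LM 0.12 dialect: a server that still speaks SMB1 accepts it and answers with an SMB1 header, while a Windows host with SMB1 disabled normally just closes the connection. The header field values (flags, flags2, the 0x1234 process id) are typical constants chosen for the example rather than protocol requirements, and the response used for offline testing is constructed, not a real capture. Run it only against hosts you are authorized to test.

```python
"""Probe hosts for SMBv1 support by offering only an SMB1 dialect (added example)."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"          # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72         # SMB1 negotiate command
NT_LM_012 = b"NT LM 0.12"        # the classic SMB1 dialect name

# SMB1 header after the 4-byte magic: command, NTSTATUS, flags, flags2, PIDHigh,
# signature, reserved, TID, PID, UID, MID (32 bytes in total with the magic).
_HEADER_FMT = "<BIBHH8sHHHHH"


def _smb1_header(flags: int) -> bytes:
    # flags2 0xC853 and PID 0x1234 are example values, not protocol requirements
    return SMB1_MAGIC + struct.pack(_HEADER_FMT, SMB_COM_NEGOTIATE, 0, flags,
                                    0xC853, 0, b"\x00" * 8, 0, 0, 0x1234, 0, 0)


def build_negotiate_request(dialects=(NT_LM_012,)) -> bytes:
    """NetBIOS-framed SMB1 NEGOTIATE that offers only the given SMB1 dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # dialect entries
    body = struct.pack("<BH", 0, len(data)) + data              # WordCount=0, ByteCount
    pkt = _smb1_header(0x18) + body
    return struct.pack(">I", len(pkt)) + pkt   # session message: type 0, 24-bit length


def classify_response(data: bytes) -> str:
    """Classify a raw reply to the SMB1-only negotiate.

    'smb1'    - the server accepted an SMB1 dialect (SMBv1 is enabled)
    'refused' - SMB1 header but no dialect accepted (index 0xFFFF) or an error status
    'smb2'    - the server answered with an SMB2 header
    'none'    - empty, truncated or unrecognised reply
    """
    if len(data) < 8:
        return "none"
    smb = data[4:]                                   # strip NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"
    if smb[:4] != SMB1_MAGIC or len(smb) < 33 or smb[4] != SMB_COM_NEGOTIATE:
        return "none"
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0 or len(smb) < 35:
        return "refused"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]   # first parameter word
    return "refused" if dialect_index == 0xFFFF else "smb1"


def sample_response(dialect_index: int) -> bytes:
    """Constructed NEGOTIATE response for offline testing; not a real capture."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32      # DialectIndex + 16 zeroed words
    body = struct.pack("<B", 17) + words + struct.pack("<H", 0)  # WordCount=17, ByteCount=0
    pkt = _smb1_header(0x98) + body
    return struct.pack(">I", len(pkt)) + pkt


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the SMB1-only negotiate and classify what comes back.

    Returns 'closed' when the TCP connection fails and 'none' when the server
    hangs up or stays silent, which is what a host with SMB1 disabled usually does.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            try:
                reply = sock.recv(4096)
            except OSError:            # connection reset or timeout
                return "none"
    except OSError:
        return "closed"
    return classify_response(reply)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(f"{target}: {probe(target)}")
```

A result of `smb1` is the finding to act on: the host should have SMB1 disabled (on Windows, by removing the SMB1Protocol feature or setting EnableSMB1Protocol to false on the server) and should not be reachable on port 445 from the internet at all. The probe deliberately offers no SMB2 dialect, so an `smb2` result is unusual and worth a closer look at what is answering.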
Mitigating the Threats with Best Practices
Investigation of the circumstances surrounding the attack began almost immediately, as cybersecurity experts tried to piece together the incident. Many concluded that the exploits stolen from the NSA in 2016 played a role, as these targeted serious Microsoft vulnerabilities. Microsoft quickly released patches and urged users to apply them, but it appears that Atlanta's IT group was weeks late in doing so, leaving its systems exposed. Cities that want to avoid the massive disruption of such ransomware attacks should employ best practices, including:
- Back up all vital data. Attackers are looking to hold the data to ransom, not to use it themselves, and a working backup removes their leverage. Keep backups offline or otherwise isolated from the production network and test restores regularly; a backup that is reachable from a compromised machine can be encrypted along with everything else.
- Install the latest security patches for operating systems and mobile devices.
- Install application updates, paying special attention to older browsers, which can contain multiple vulnerabilities.
- Mandate the use of desktop malware prevention software to help stop threats.
- Develop contingency plans for a successful ransomware attack.
- Conduct testing, such as penetration tests, to find (and then fix) vulnerabilities.
An additional necessary step for municipalities is to recognize that the problem is also a human one. Technology training is essential for all staff so that they understand both the broader and the task-specific security processes and develop sound security habits. Training should start early and be repeated often to create a front-line defense against attacks that succeed through human error. It should cover limiting reliance on email attachments, not opening files from unknown senders, and not clicking on suspicious emails or links.
For cities, the possibility of a cyber attack is simply an inevitability.
The 2016 attack on the San Francisco rail system's payment platform resulted in free rides for passengers, but could have been disastrous had the attackers targeted control and safety functions. The Mayor of Atlanta, Keisha Lance Bottoms, commented, "I just want to make the point that this is much bigger than a ransomware attack. This is really an attack on our government, which means it's an attack on all of us."
Attackers will likely hold water or energy services to ransom in the future, an act that would put lives directly at risk and leave utilities and cities in a very precarious position. It is only a matter of time before a city in the UK is targeted, and city planners must have strategies such as better training and tested backups in place to prevent, or at the very least mitigate, such attacks.