For over a week, the city of Atlanta has been fighting a ransomware attack that has caused serious digital disruption in five of its 13 local government departments. The attack has had far-reaching effects: paralyzing the court system, preventing residents from paying their water bills, limiting vital communications such as sewage infrastructure inquiries, and forcing Atlanta police to file paper reports for days on end. It has been a devastating blow, all caused by a standard but notoriously effective strain of ransomware called SamSam.
"It is important to understand that our entire operations have been significantly impacted and it will be some time before we work through our systems and infrastructure," a spokesman for the city of Atlanta said in a statement Thursday.
Atlanta is facing a tough opponent in cleaning up this mess. While dozens of serviceable ransomware strains circulate at any given time, SamSam and the attackers who deploy it are known for clever, high-yield approaches. The specific malware and attackers, combined with what analysts see as a lack of preparedness, given the extent of the downtime, explain why the Atlanta infection has been so debilitating.
SamSam was first identified in 201
Attackers using SamSam also choose their targets carefully, often institutions such as local governments, hospitals and healthcare providers, universities, and industrial control services that may prefer to pay the ransom rather than deal with the infection themselves and risk longer downtime. They set the ransom ($50,000 in the case of Atlanta) at price points that are potentially manageable for victim organizations and worthwhile for the attackers.
And unlike ransomware infections that are passive, SamSam attacks can involve active oversight. The attackers adapt to a victim's response and try to persist through remediation efforts. That was the case in Atlanta, where the attackers proactively took down their payment portal after local media made the address public, causing a flood of inquiries, with law enforcement agencies like the FBI close behind.
"The most interesting thing about SamSam isn't the malware, it's the attackers," says Jake Williams, founder of Georgia-based security firm Rendition Infosec. "Once they get into a network, they move laterally and spend time positioning themselves before they start encrypting machines. Ideally, organizations will recognize them before they start encrypting, but that was clearly not the case here."
The hackers behind SamSam have been careful to hide their identity and cover their tracks. A February report from security firm Secureworks, which is now working with the city of Atlanta to remediate the attack, concluded that SamSam is used by either a specific group or a network of related attackers. Little is known about the hackers, however, even though they have actively targeted institutions across the country. Some estimates suggest that SamSam has brought in nearly $1 million since December, thanks to a series of attacks earlier this year. The total depends heavily on the fluctuating value of Bitcoin.
Despite all this, security best practices – keeping all systems patched, storing segmented backups, and having a ransomware preparedness plan – can still provide real protection against SamSam infections.
"Ransomware is stupid," says Dave Chronister, founder of corporate and government defense firm Parameter Security. "Even a sophisticated version like this has to rely on automation to work, and ransomware relies on someone who does not implement basic security hygiene."
The city of Atlanta seems to have struggled in this area. Williams of Rendition Infosec released evidence on Tuesday that the city suffered a cyberattack in April 2017 that exploited the EternalBlue Windows network file-sharing vulnerability to infect systems with the DoublePulsar backdoor, which is used to load malware into a network. EternalBlue and DoublePulsar infiltrate systems through the same types of public exposures that SamSam looks for, and Williams says this indicates that Atlanta had not locked down its government networks.
"The DoublePulsar results definitely point to poor security hygiene, and suggest that this is a continuing problem and not a one-off."
Although Atlanta will not comment on the details of the current ransomware attack, a January 2018 report from the City Auditor's Office found that the city had recently failed a security compliance assessment. "Atlanta Information Management (AIM) and the Office of Information Security have strengthened information security since the certification project began in 2015," the report said. "The current Information Security Management System (ISMS), however, has gaps that would prevent it from passing a certification audit, including … lack of formal processes to identify, assess and mitigate risks … While stakeholders perceive that the city is deploying security controls to protect information assets, many processes are ad hoc or undocumented, at least in part due to lack of resources."
Chronister of Parameter Security says these struggles are obvious from the outside and that the length of the current outage clearly indicates a lack of preparedness. "If you have systems that are completely down, not only did your antivirus fail, and not only did your segmentation fail, but your backups also failed or didn't exist. Not to be harsh, but looking at this, their security strategy must be pretty bad."
Atlanta is certainly not alone in its readiness problems. Municipalities often have very limited IT budgets and prefer to spend funds on immediate needs and public construction projects rather than on cyber-defense. And with limited resources, both money and expertise, standard security best practices can be a real challenge. Administrators may want remote desktop access to a city network, which allows more control and quick troubleshooting, even though it creates a potentially dangerous exposure.
These kinds of compromises and mistakes make many networks potential SamSam targets, in municipalities and beyond. But if all the other high-profile ransomware attacks of the past few years weren't enough to spur institutions and municipalities into action, perhaps the Atlanta meltdown finally will.