It has been a relatively quiet year so far for ransomware. Other than a few publicized attacks, such as the Indiana hospital in January, ransomware has been a minor contributor to the overall threat landscape of 2018 thus far. Last week, however, the armistice ended when the ninth-largest metro city in the U.S. announced that some of its operations had been halted by a ransomware attack. The City of Atlanta made the announcement through its Twitter account, which read:
“The City of Atlanta is currently experiencing outages on various customer-facing applications, including some the customers may use to pay bills or access court-related information. We will post any updates as we receive them.”
Following the attack early Thursday morning, the city’s IT department found a number of its servers locked down by the encryption. As a result, the city was unable to process payments or provide access to courthouse information because of the disruption to several key application systems. In addition, the websites for the Department of Public Works and its non-emergency call center were down. The city also suspended online applications for current job openings, and the Department of Corrections was processing inmates manually.
A city employee later sent a local television station a screenshot of the ransom note, which demanded $6,800 in bitcoin per system or $51,000 to unlock all affected systems. Judging from the screenshot, the attack appears similar to the SamSam ransomware strain used in the Indiana hospital attack. Unlike most ransomware variants, which rely on social engineering techniques such as phishing and malicious email attachments, SamSam targets unpatched servers by scanning the Internet for exposed RDP connections. The attackers then brute-force credentials on these RDP endpoints and, once inside, seek out critical files. The ransom was to be sent to a wallet with a collection history of $590,000. Later that afternoon, Mayor Keisha Bottoms confirmed that the breach was ransomware and that the FBI, along with incident response teams from Microsoft and Cisco, was assisting with the investigation. She confirmed that operations within the city’s police department, water services, and airport were not affected by the attack. The Department of Homeland Security joined the investigative efforts later in the day as well.
According to the city’s CIO, the attack was discovered when the city’s cybersecurity team noticed “something that looked peculiar” on one of its servers and began investigating. Whether the city can recover from data backups remains an open question, as does whether the city will pay the ransom. City officials are asking all city employees to stay alert for any suspicious credit activity on their accounts and are offering employees additional resources to help protect their information in the coming days, in case the ransomware attack turns out to be a diversion for a data breach.
This was not the first such attack on a government enterprise this year. Five weeks earlier, Davidson County, North Carolina found its systems infected by the SamSam ransomware strain as well. The attack affected up to ninety servers and an unknown number of desktop computers and laptops, interrupting the 911 Emergency Communications systems as well as the internal phone system.
On February 21, the Colorado Department of Transportation (CDOT) was hit by ransomware, with the SamSam strain taking nearly all of its 2,000 computers out of service. Like Davidson County, CDOT administration decided against paying the ransom and began a round-the-clock marathon to restore the network. Eight days later, the department had managed to restore only twenty percent of its fleet from backup, only to suffer a second attack using a different strain that brought down all of the restored machines. Recovery efforts began from scratch; employees were told to keep all systems shut down until the source of the attack was confirmed and to continue all work using pen and paper. CDOT indicated that an impostor who was able to get on site may have contributed to the attack.
The number of ransomware attacks is on the decline. According to a report by SonicWall, there were 184 million ransomware attacks in 2017 compared with 638 million in 2016. While the number of attacks may have subsided, the number of strains more than doubled in 2017. Researchers believe this may indicate a shift from quantity to quality. The decline in attacks is attributed to victims’ growing refusal to pay as well as the wider use of tools to combat ransomware. Interestingly enough, the administrators of Hancock Health chose to pay the ransom shortly after their attack in January.
Some industries, such as healthcare and government, will continue to be targeted by ransomware attacks. Many of the tools developed by the criminals behind ransomware, including fileless malware and encryption techniques, will continue to be used in other types of attacks. To escape future ransomware attacks, IT pros must leverage the right technology.
Despite the decrease in attacks, ransomware accounted for 64% of all malicious emails sent in 2017, so a modern email security solution is essential. A complete defense strategy also includes off-site backups, a diligent patching regime, and real-time anomaly detection. We may be in a temporary lull when it comes to ransomware attacks, but it may in fact just be the calm before the storm.
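One way to put the real-time anomaly detection recommended above to work against the RDP brute-force vector SamSam relies on, as an added example that is not from the article or any vendor: a small Python detector run over constructed Windows Security events (4625 failed and 4624 successful logons, logon type 10 for RDP) in a simplified key=value form that a hypothetical log forwarder is assumed to emit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the article), in a simplified key=value form
# a hypothetical log forwarder might emit for Windows Security events.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_LOG = """\
2018-03-22T03:14:01Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2018-03-22T03:14:03Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2018-03-22T03:14:04Z EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.7
2018-03-22T03:14:06Z EventID=4625 LogonType=10 User=sqlsvc SrcIP=203.0.113.7
2018-03-22T03:14:07Z EventID=4625 LogonType=10 User=helpdesk SrcIP=203.0.113.7
2018-03-22T03:14:09Z EventID=4624 LogonType=10 User=helpdesk SrcIP=203.0.113.7
2018-03-22T03:20:00Z EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.4
2018-03-22T03:31:00Z EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.4
2018-03-22T03:31:05Z EventID=4624 LogonType=10 User=jsmith SrcIP=198.51.100.4
2018-03-22T03:40:00Z EventID=4625 LogonType=3 User=svc SrcIP=203.0.113.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$")

def parse(text):
    """Yield (timestamp, event_id, logon_type, user, src_ip) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m["eid"]), int(m["lt"]), m["user"], m["ip"]

def detect_rdp_bruteforce(text, threshold=5, window_s=60):
    """Alert on a source IP with >= threshold failed RDP logons inside a sliding
    window, and escalate when a successful RDP logon later arrives from that IP."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for ts, eid, lt, user, ip in parse(text):
        if lt != 10:              # only RemoteInteractive (RDP) logons matter here
            continue
        if eid == 4625:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_s):
                q.popleft()       # drop failures that fell outside the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("RDP_BRUTE_FORCE", ip, len(q)))
        elif eid == 4624 and ip in flagged:
            alerts.append(("RDP_BRUTE_FORCE_SUCCESS", ip, user))
    return alerts
```

The slow, spaced-out failures from the second address stay below the threshold, while the burst from the first address is flagged and its subsequent success is escalated; a real deployment would feed the alerts into the SIEM and pair them with the patching and backup controls above.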