Ransomware Hits City of Atlanta

A ransomware attack -- possibly a variant of SamSam -- has affected some customer-facing applications and some internal services at the City of Atlanta. The FBI and incident response teams from Microsoft and Cisco are investigating. The city's police department, water services and airport are not affected.

The attack was detected early on Thursday morning. By mid-day the city had posted an outage alert to Twitter. In a press conference held Thursday afternoon, Mayor Keisha Bottoms announced that the breach had been ransomware. She gave no details of the ransomware demands, but noticeably declined to say whether the ransom would be paid or refused.

Bottoms could not at this stage confirm whether personal details had also been stolen in the same breach, but suggested that customers and staff should monitor their credit accounts. Questions on the viability of data backups and the state of system patches were not clearly answered; but it was stressed that the city had adopted a 'cloud first' policy going forwards specifically to improve security and mitigate against future ransomware attacks.

A city employee obtained and sent a screenshot of the ransom note to local radio station 11Alive. The screenshot shows a bitcoin demand for $6,800 per system, or $51,000 to unlock all systems. It is suggested that the ransom note is similar to ones used by the SamSam strain of ransomware. Steve Ragan subsequently tweeted, "1 local, 2 remote sources are telling me City of Atlanta was hit by SamSam. The wallet where the ransom is to be sent (if they pay) has collected $590,000 since Jan 27."

SamSam ransomware infected two healthcare organizations earlier this year. SamSam is not normally introduced via a phishing attack, but rather following a pre-existing breach. This could explain the concern over data theft on top of the data encryption. It also raises the question of whether the initial breach came through a security failure, an unpatched system, or a third-party supplier.

Ransomware is not a new threat, and there are mitigations -- but it continues to cause havoc. Official advice is, wherever at all possible, refuse to pay. The theory is if the attackers cease getting a return on their attacks, they will turn to something easier with a better ROI on their time. This approach simply isn't working.

Sometimes payment can be avoided by recovering data from backups. But this isn't always possible with SamSam. In the Hancock Health SamSam incident earlier this year, the organization decided to pay the ransom "to expedite our return to full operations", despite having backups. In the event, the SamSam attackers had already closed this route. "Several days later," announced CEO Steve Long, "it was learned that, though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers."

It isn't yet known whether the City of Atlanta attack is definitely a SamSam attack, whether the system was breached prior to file encryption, nor whether backup files have been corrupted. These details should become clear over time. The fact that Hancock Health decided to pay the ransom, and had its systems back up and running within days, may become part of Atlanta's decision on whether to pay or not.

Apart from recovering from backups or paying the ransom, the only other option (assuming that there are no decryptors available from the NoMoreRansom project) is to stop the encryption the moment it starts. Traditional anti-malware perimeter detection will not stop modern malware. That means prevention requires very rapid and early detection.

"Ransomware spreads like wildfire, and is the most time critical of cyber threats," comments Matt Walmsley, EMEA Director at Vectra. "The ability to detect the precursor behaviors of ransomware is the only way to get ahead of the attack. Unfortunately, that's almost impossible to do using traditional manual threat hunting techniques. That's why forward-thinking enterprises are increasingly using an automated approach, using AI-powered threat detection. You need to detect and respond at machine speed."

Timely patching is also vital, especially where the attacker breaches the system prior to encryption. "When you are told to patch months before and witness precursor warnings like WannaCry and NotPetya going by," exhorts Yonathan Klijnsma, threat researcher at RiskIQ, "well, you damn well better patch. If your organization's patch management is so problematic that it takes this long, you have to change it. Events of this potential magnitude and impact require management to respond by elevating maintenance and patching to mission critical status until they are resolved. The ROI is clear, consider the costs and material loss of your company going down for a day, versus shifting priorities to give your engineers more time to manage patches properly. It's not a good time to roll the dice."

Connected cities are becoming increasingly like large corporations. "A city has some hallmark characteristics of a large enterprise," suggests Rapid7's chief data scientist, Bob Rudis: "there are a large number of employees and contractors with a diverse array of operating systems, hardware and data types that all need protection. Beyond financial account information and general personally identifiable information (PII), city-related systems and networks can and do contain court and criminal records, tax records, non-public information on police and other protective services employees, department activities/plans and more. Much of this is extremely sensitive data and would be a treasure trove of information, capable of being used in a diverse array of disruptive, targeted attacks against both individuals and entire departments."

What all this means is anti-ransomware preparations require at least three layers of defense: off-site backups; an efficient patch regime; and real-time anomaly detection. Relying on IT staff 'noticing something peculiar' (as happened with the City of Atlanta) is simply not good enough.

Related: Insurance Firm Directs Response in Madison County Ransomware Attack  

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.