For over a week, the City of Atlanta has battled a ransomware attack that has caused serious digital disruptions in five of the city’s 13 local government departments. The attack has had far-reaching impacts—crippling the court system, keeping residents from paying their water bills, limiting vital communications like sewer infrastructure requests, and pushing the Atlanta Police Department to file paper reports for days. It’s been a devastating barrage—all caused by a standard, but notoriously effective strain of ransomware called SamSam.
“It’s important to understand that our overall operations have been significantly impacted and it will take some time to work through and rebuild our systems and infrastructure,” a spokesperson for the City of Atlanta said in a statement on Thursday.
Atlanta faces a tough opponent in cleaning up this mess. While dozens of serviceable ransomware programs circulate at any given time, SamSam and the attackers who deploy it are particularly known for clever, high-yield approaches. The specific malware and attackers—combined with what analysts see as lack of preparedness, based on the extent of the downtime—explain why the Atlanta infection has been so debilitating.
‘The most interesting thing about SamSam isn’t the malware, it’s the attackers.’
Jake Williams, Rendition Infosec
First identified in 2015, SamSam’s advantages are conceptual as well as technical, and hackers make hundreds of thousands, even millions of dollars a year by launching SamSam attacks. Unlike many ransomware variants that spread through phishing or online scams and require an individual to inadvertently run a malicious program on a PC (which can then start a chain reaction across a network), SamSam infiltrates by exploiting vulnerabilities or guessing weak passwords in a target’s public-facing systems, and then uses mechanisms like the popular Mimikatz password discovery tool to start to gain control of a network. This way, the attack doesn’t need to rely on trickery and social engineering to infect victims. And SamSam has been adapted to exploit a variety of vulnerabilities in remote desktop protocols, Java-based web servers, File Transfer Protocol servers, and other public network components.
Attackers deploying SamSam are also known to choose their targets carefully—often institutions like local governments, hospitals and health records firms, universities, and industrial control services that may prefer to pay the ransom than deal with the infections themselves and risk extended downtime. They set the ransoms—$50,000 in the case of Atlanta—at price points that are both potentially manageable for victim organizations and worthwhile for attackers.
And unlike some ransomware infections that take a passive, scattershot approach, SamSam assaults can involve active oversight. Attackers adapt to a victim’s response and attempt to endure through remediation efforts. That has been the case in Atlanta, where attackers proactively took down their payment portal after local media publicly exposed the address, resulting in a flood of inquiries, with law enforcement like the FBI close behind.
“The most interesting thing about SamSam isn’t the malware, it’s the attackers,” says Jake Williams, founder of the Georgia-based security firm Rendition Infosec. “Once they enter a network, they move laterally, spending time getting positioned before they start encrypting machines. Ideally organizations will detect them before they start the encryption, but that clearly wasn’t the case” in Atlanta.
Hackers using SamSam have so far been careful about hiding their identities and covering their tracks. A February report by the threat intelligence firm Secureworks—which is now working with the City of Atlanta to remediate the attack—concluded that SamSam is deployed by either one specific group or a network of related attackers. But little else is known about the hackers in spite of how actively they’ve targeted institutions around the country. Some estimates say that SamSam has already collected almost $1 million since just December—thanks to a rash of attacks at the beginning of the year. The total largely depends on the fluctuating value of Bitcoin.
In spite of all of this, security best practices—keeping all systems patched, storing segmented backups, and having a ransomware preparedness plan—can still offer real protections against SamSam infection.
“Ransomware is dumb,” says Dave Chronister, founder of the corporate and government defense firm Parameter Security. “Even a sophisticated version like this has to rely on automation to work. Ransomware relies on someone not implementing basic security tenets.”
‘Not to be harsh, but looking at this their security strategy must be pretty bad.’
Dave Chronister, Parameter Security
The City of Atlanta seems to have struggled in that area. Rendition InfoSec’s Williams published evidence on Tuesday that the City also suffered a cyberattack in April 2017, which exploited the EternalBlue Windows network file sharing vulnerability to infect the system with the backdoor known as DoublePulsar—used for loading malware onto a network. EternalBlue and DoublePulsar infiltrate systems using the same types of publicly accessible exposures that SamSam looks for, an indication, Williams says, that Atlanta didn’t have its government networks locked down.
“The DoublePulsar results definitely point to poor cybersecurity hygiene on the part of the City and suggest this is an ongoing problem, not a one time thing.”
Though Atlanta won’t comment on the details of the current ransomware attack, a City Auditor’s Office report from January 2018 shows that the City recently failed a security compliance assessment. “Atlanta Information Management (AIM) and the Office of Information Security have strengthened information security since beginning the … certification project in 2015,” the report notes. “The current Information Security Management System (ISMS), however, has gaps that would prevent it from passing a certification audit, including … lack of formal processes to identify, assess, and mitigate risks … While stakeholders perceive that the city is deploying security controls to protect information assets, many processes are ad hoc or undocumented, at least in part due to lack of resources.”
Parameter Security’s Chronister says that these struggles are obvious from the outside and that the length of the current outages clearly indicate lack of preparedness of some sort. “If you have systems that are completely down that tells me that not only did your antivirus fail, and not only did your segmentation fail, your backups also failed or don’t exist. Not to be harsh, but looking at this their security strategy must be pretty bad.”
Atlanta is certainly not alone in its preparedness issues. Municipalities often have a very limited IT budget, preferring to channel funds into meeting immediate needs and completing public works projects rather than cyberdefense. And with limited resources—both money and expert time—standard security best practices can be challenging to actually implement. Administrators may want to have remote desktop access into a city network, which would allow for more oversight and quick troubleshooting response—while at the same time creating a potentially dangerous exposure.
These types of tradeoffs and lapses make lots of networks potential SamSam targets across local government and beyond. But if all the other high-profile ransomware attacks that have occurred over the last few years haven’t been enough to scare institutions and municipalities into action, maybe the Atlanta meltdown finally will.