Ransomware Alert: Lessons Learned from the City of Atlanta

by Sarah Harvey / April 3rd, 2018

What Happened in Atlanta?

On March 22, the City of Atlanta suffered a severely damaging attack by the SamSam ransomware. Multiple applications, including internal and customer-facing applications used for bill payment and for access to court-related documents, were compromised. For over a week, a cross-functional incident response team made up of the FBI, the Department of Homeland Security, Microsoft, Cisco Security, and Dell SecureWorks has been working toward a resolution. In the meantime, the city’s operations have been severely disrupted: thousands of city employees could not access their computers, court dates were rescheduled, water bill payments had to be made in person by check, and traffic tickets could not be processed. This ransomware attack has obstructed the day-to-day operations of the City of Atlanta.

Fortunately, some key departments were left unharmed by this attack, including public safety, the water department, and Hartsfield-Jackson Atlanta International Airport. The city reported that there’s been no evidence so far that customer or employee data has been compromised.

Why Did This Ransomware Attack Happen?

The city hasn’t issued an official statement on the root cause, but the available evidence suggests that critical cybersecurity best practices were not being met. The City of Atlanta’s ISO/IEC 27001 ISMS Precertification Audit Report from January 2018, just two months prior to this ransomware attack, reveals that the city’s Information Security Management System (ISMS) might not pass a certification audit because of gaps in policies and procedures, definition of scope, formal risk assessment processes, vendor management processes, data classification policies, and the measurement, reporting, and communication of risk. This gap analysis speaks to the city’s cybersecurity posture at the time of the attack, and it is not the first sign that the city hasn’t always followed cybersecurity best practices.

In 2017, the City of Atlanta had five systems compromised because critical patches had not been applied. Rendition Infosec’s scan indicates that the city was not patching its vulnerable Internet-facing hosts from April 13, 2017 to May 1, 2017—more than a month after Microsoft released the critical patches on March 14, 2017. This patching lapse hasn’t been proven to be linked to Atlanta’s recent ransomware attack, but it at least shows that the city’s cybersecurity practices were not sufficient.

How to Prepare for a Ransomware Attack

The City of Atlanta isn’t the only municipality to fall victim to ransomware, but this attack does represent a major escalation from the ransomware attacks we’ve seen so far. This year, Connecticut state agencies, the Colorado Department of Transportation, and the City of Allentown have all been hit by ransomware. We see a trend of attackers targeting victims with limited IT budgets, betting that they will pay a ransom rather than absorb the cost of extended downtime. This trend holds for many sectors, not just government.

Cybersecurity best practices offer protection from ransomware attacks. Because public safety services like 911, waste management and water control, and the airport were left unharmed by this attack, we can infer that the City of Atlanta had implemented one critical cybersecurity best practice: segmentation. These essential departments were segmented from the rest of the city’s government services. But the City of Atlanta has now been recovering for over a week—this length of time tells us the city was not fully prepared for a cybersecurity attack.

From the recent cases, we’ve found that vulnerability management, backup systems, incident response, disaster recovery, and business continuity are the weakest areas among victims. To proactively prepare for a ransomware attack, we recommend implementing cybersecurity best practices in these areas:

  1. Vulnerability Management: We urge you to patch your systems in a timely manner, especially with critical updates. Known flaws left unpatched are the number one target of cyber criminals. Don’t leave a known vulnerability open to attack.
  2. Backup Systems: Victims of ransomware attacks are often pressured to pay a ransom by the threat of never getting their data back. Performing regular full backups of entire machines ensures that the data critical to your business will still be available after an attack, and it makes recovery and restoration quicker and easier. You should also maintain and test offline backups, since backups that are reachable from the compromised network are often encrypted or deleted along with everything else during these attacks.
  3. Practicing Incident Response: Your organization’s response to a ransomware attack can’t be made up on the spot. It has to be documented, tested, and implemented. Failure to have an implemented incident response plan will leave your organization struggling to pick up the pieces following a breach.
  4. Practicing Disaster Recovery and Business Continuity Plans: Day-to-day operations will almost certainly be impacted by a ransomware attack. Have you practiced the manual processes you’ll need to fall back on if your systems go down?
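As an added example that is not part of the original article, the following Python script turns the first two items above into measurable checks over a constructed host inventory. It flags hosts whose critical-patch lag exceeds a policy window (using the March 14, 2017 Microsoft release date and the May 1, 2017 end of the scan window cited earlier, with a tighter window for Internet-facing hosts) and hosts whose backups are stale, online-only, or never restore-tested. The host names, dates, and policy windows are assumed values chosen for illustration, not the City of Atlanta’s actual inventory or policy.

```python
"""Ransomware-readiness checks over a constructed host inventory.

Added example, not code from the original article. Host names, dates,
and policy windows are assumed values for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy: how long a host may lag behind a critical vendor patch.
# Internet-facing hosts get a tighter window than internal ones.
PATCH_SLA = {True: timedelta(days=14), False: timedelta(days=30)}
MAX_BACKUP_AGE = timedelta(days=1)         # expect a successful backup daily
MAX_RESTORE_TEST_AGE = timedelta(days=90)  # prove restores actually work


@dataclass
class Host:
    name: str
    internet_facing: bool
    patch_applied: Optional[date]      # None: critical patch still missing
    last_backup: Optional[date]        # None: never backed up
    offline_copy: bool                 # a copy not reachable from the network
    last_restore_test: Optional[date]  # None: restore never exercised


def patch_lag(host: Host, release: date, as_of: date) -> timedelta:
    """Time between the vendor release and the patch landing.

    A host that is still unpatched keeps accruing lag up to the as-of date.
    """
    applied = host.patch_applied or as_of
    return max(applied, release) - release


def patch_findings(host: Host, release: date, as_of: date) -> List[str]:
    """Vulnerability-management finding if the host breached its patch SLA."""
    lag = patch_lag(host, release, as_of)
    limit = PATCH_SLA[host.internet_facing]
    if lag <= limit:
        return []
    state = "still unpatched" if host.patch_applied is None else "patched late"
    return [f"{state}: {lag.days} days after release, limit {limit.days}"]


def backup_findings(host: Host, as_of: date) -> List[str]:
    """Backup findings: freshness, an offline copy, and a recent restore test."""
    findings: List[str] = []
    if host.last_backup is None:
        findings.append("no backup has ever completed")
    elif as_of - host.last_backup > MAX_BACKUP_AGE:
        findings.append(f"last backup {(as_of - host.last_backup).days} days old")
    if not host.offline_copy:
        findings.append("no offline copy; network-reachable backups can be encrypted too")
    if host.last_restore_test is None:
        findings.append("restore never tested")
    elif as_of - host.last_restore_test > MAX_RESTORE_TEST_AGE:
        findings.append(f"restore test {(as_of - host.last_restore_test).days} days old")
    return findings


def readiness_report(hosts: List[Host], release: date, as_of: date) -> Dict[str, List[str]]:
    """Map each host that has at least one finding to its list of findings."""
    report: Dict[str, List[str]] = {}
    for host in hosts:
        findings = patch_findings(host, release, as_of) + backup_findings(host, as_of)
        if findings:
            report[host.name] = findings
    return report


# Constructed inventory. RELEASE is the March 14, 2017 Microsoft update cited
# in the article; AS_OF is the end of the scan window (May 1, 2017).
RELEASE = date(2017, 3, 14)
AS_OF = date(2017, 5, 1)
INVENTORY = [
    Host("web-pay-01", True, None, date(2017, 4, 30), False, date(2017, 1, 15)),
    Host("court-docs-02", True, date(2017, 3, 20), date(2017, 4, 30), True, date(2017, 3, 1)),
    Host("fileshare-07", False, date(2017, 4, 20), None, False, None),
    Host("hr-db-03", False, date(2017, 4, 10), date(2017, 4, 20), True, date(2017, 4, 1)),
]

if __name__ == "__main__":
    for name, findings in readiness_report(INVENTORY, RELEASE, AS_OF).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script reports web-pay-01 (unpatched 48 days after release, no offline copy, stale restore test), fileshare-07 (patched 37 days after release, never backed up, no offline copy, restore never tested), and hr-db-03 (last backup 11 days old); court-docs-02 passes every check and is omitted. The lag calculation is the point: an unpatched host keeps accruing lag until the as-of date, so a report run today measures the exposure window rather than a snapshot of which patches are missing.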

Over a week later, the City of Atlanta is still working to fully recover from this ransomware attack. The city is updating the public whenever new services have been restored.

Does your organization update patches in a timely manner? Are your systems regularly backed up? Is your incident response plan in place? Don’t let your organization be the next headline. For more information on employee training, incident response, risk assessment, penetration testing, patch management, and other cybersecurity best practices, contact us today.

More Ransomware Preparation Resources

Compliance is Never Enough: Hardening and System Patching

PCI Demystified: Ensure All Systems and Software are Protected from Known Vulnerabilities

The Rise of Ransomware: Best Practices for Preventing Ransomware

Ransomware Alert: Defend Yourself Against WannaCrypt