The age of server-side ransomware is here. On March 22, 2018, the group behind the SamSam ransomware gained access to the city of Atlanta’s municipal servers. Once those servers were held hostage, much of the city’s official computing had to be taken offline, and the attackers demanded roughly $51,000 in Bitcoin. SamSam has been used in attacks like this one since at least 2016, typically against hospitals and healthcare networks, with ransom demands in excess of $50,000. But the ransom is only the headline figure of this “digital extortion”: the true financial cost to the city, according to the Atlanta Journal-Constitution, stood at $2.7 million and rising.
This shutdown did not just affect government officials and offices: it impacted the entire city’s populace. Residents were unable to pay bills online, police were unable to issue warrants, and city employees were forced to fill out countless forms and reports by hand. According to Cisco Talos, “SamSam is not launched via user-focused attack vectors, such as phishing campaigns and exploit kits, [but is] distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines, which are then held for ransom.” This server-side attack type is particularly damaging because individual users cannot avoid infection through their own vigilance, and file encryption occurs across the workstations connected to the network rather than on a single user’s machine. Additionally, the ransomware may remain essentially dormant for weeks before encrypting files, which makes it harder to trace the initial intrusion and leaves the door open for the attackers to strike twice.
Responding to incidents of this type requires more than having an internal IT process in place: input is needed from multiple outside resources and law enforcement. The city of Atlanta has been working with the FBI, Department of Homeland Security, and US Secret Service, as well as several independent researchers from Georgia Tech, to figure out how the hackers gained access and ways to prevent similar attacks from occurring. The city is advising everyone using their systems to take precautionary measures, including monitoring bank accounts and changing passwords associated with government accounts.
Precautions & Prevention
Attempts at attacks of this scale are inevitable in the digital age, but their success is not: the proper precautions can prevent them. RedLegg provides services that address such precautions to prevent ransomware attacks from occurring, including Managed Security Services (MSS) that employ threat intelligence (TI) platforms. Cisco’s Talos research group, whose intelligence is consumed through TI platform vendors, maintains targeted rules and signature families that address specific malware and ransomware threats, including SamSam. RedLegg MSS offers additional services that are recommended by cybersecurity experts, including:
- Advanced Malware Protection (AMP) to detect and prevent the execution of malware on targeted systems
- Cloud web security or security appliance scanning to monitor and prevent access to malicious websites
- Intrusion Prevention System (IPS) and next-generation firewall (NGFW) appliance monitoring with up-to-date signatures that detect malicious network activity
Additionally, RedLegg’s Advisory services can provide a virtual Chief Information Security Officer (vCISO) for organizations that lack the budget and resources to tackle security problems from a higher tactical and strategic perspective.
The extortion aspect of these attacks, together with the fact that user security awareness training cannot by itself prevent server-side malware attacks, has security experts sounding the alarm for all organizations to take their cyber protection seriously. Had the city of Atlanta implemented MSS and Advisory services, this attack might have been prevented, or at least detected earlier and the extent of the damage reduced.