On March 22, the city of Atlanta was brought to its knees by a ransomware attack. CNN reported that the incident affected at least five of the city’s municipal departments, effectively locking down key functions for the police, courts, and more. The attackers demanded a $51,000 ransom, to be paid in bitcoin. According to the Atlanta Journal-Constitution, as of April 12 the city had declined to say whether it had made this payment, and the overall estimated cost of the breach stood at $2.7 million and climbing.
Not If, But When
In coverage of the incident, news sources indicated the city had known for years of its security vulnerabilities and lack of a solid approach to business continuity and disaster recovery planning. The reality of these concerns is now upon municipal employees and citizens as everyone struggles to complete everyday tasks without computer access. The fact that Atlanta had just begun to address the recommendations from its January cybersecurity audit is especially heartbreaking.
What Happened Behind the Scenes
The vulnerabilities in the city’s infrastructure were no match for the SamSam ransomware, which works in tandem with tools such as Mimikatz to detect weak passwords and take control of networks. In this way, SamSam can move through a network quickly without needing to propagate via employees’ email accounts, as occurs in some ransomware schemes. SamSam is also used with tools including JexBoss to find unpatched servers running Red Hat® JBoss® solutions. Once inside these systems, the hackers can run scripts that collect credentials and other information. Finally, the ransomware encrypts files, and the hackers demand their payment.
It Could Have Been Prevented
Disruptive and costly ransomware attacks like the one the city of Atlanta is experiencing are all too common. No doubt the cybersecurity issues the city was in the process of addressing would have included solutions such as those HelpSystems customers rely on every day.
Powertech Antivirus runs natively on Red Hat and other major Linux distributions to detect and clean ransomware and malware like SamSam and Mimikatz. HelpSystems risk assessment engagements perform a full patch audit on your Linux systems and identify any missing updates that can leave your organization vulnerable to attack.
Security Auditor has a feature for automatically detecting unapproved system services. The solution discovers unwanted programs running in your environment and immediately terminates them, limiting the chance of damage and data leaks.
Event Manager provides centralized logging and auditing of the security alerts and events within your environment. Because it normalizes the various data streams and prioritizes security events by criticality, you can quickly and clearly identify security incidents and take the appropriate steps to secure your environment and resolve the issue.