Many of you are aware of the well-known ransomware cyberattack on the City of Atlanta that occurred over a year ago, but you may not understand how it unfolded. SamSam is a specific type of ransomware whose operators are known for gaining entry by scanning networks for passwords or other login details used by vendors or employees, then forcing access by guessing passwords from the information they found. The ransomware then encrypted any applications or data it could reach, using a separate key for each across the network, at which point the attackers demanded payment for each key. If payment was not received within a short period of time, and often even when payment was received, the attackers destroyed the keys, preventing almost any attempt at recovery.
In the City’s case, close to one third of its total applications were affected, in addition to a large amount of police dashcam footage and court documents. Atlanta followed the advice of the FBI and the Department of Homeland Security and refused to pay the attackers. These agencies and other outside firms assisted the City in restoring critical applications and recovering the encrypted files until normal operations resumed.
While in some cases certain entities are specifically targeted, the victims are often chosen by random chance: the attacker group has members responsible for scanning long lists of networks in search of this information, pursuing a target further only if something is found. It is not known for certain whether the City was specifically targeted by this group; however, two months prior to the attack, the City received an Information Security Management System (ISMS) audit report noting several issues that would prevent the City’s system from passing a certification audit, along with recommendations to resolve them. It is entirely possible that these attackers stumbled across one of these weaknesses while scanning through hundreds of IP addresses.
Cyberattacks can be quite costly. According to the Management’s Discussion and Analysis in the City’s 2018 Comprehensive Annual Financial Report, approximately $7 million was spent in connection with the cyberattack, with another $3.5 million estimated in the approved 2019 budget for IT upgrades and cyberattack response.
As technology grows, and reliance on IT infrastructure and controls grows with it, it’s important to understand how attacks could affect your systems and whether it’s time to look into improving them. Here are some questions to ask your internal or external IT services to gain insight into your level of vulnerability:
- How often is our data backed up?
- Are our backups on our network or someone else’s?
- Who can modify user rights?
- When was the last time a user rights report for essential applications was reviewed?
- Are any accounts, admin or otherwise, using default passwords?
- What applications do vendors or customers have access to?
- Do vendors or customers have access to any non-application part of our networks?
- How does ransomware affect applications on a cloud network?
- Are there any general user accounts shared by employees, vendors or customers?
- If our system goes down, how long can we continue day-to-day operations without access to the network?
These are all good points to keep in mind for keeping your government’s information safe.
Still have questions? Feel free to reach out to a Henry+Horne professional for assistance.