SamSam Ransomware Does Not Stop. The City of Atlanta is Its Newest Victim

Fewer file-encrypting ransomware infections are attacking individual users, but more of them are now being targeted at organizations, businesses, and government-level institutions. SamSam Ransomware is an infection that our researcher team has reported several times already, and that is because it continues attacking vulnerable organizations in the United States. Last month, the threat invaded the systems of the Colorado Department of Transportation. A month before that, the threat successfully invaded the systems that belonged to the Hancock Health Hospital in Greenfield. The attackers were successful as the hospital chose to pay the $55,000 ransom. The infection had encrypted 1,400 files that represented patients’ files, and so the hospital decided to obey the demands made by cyber criminals. The latest victim of the malicious SamSam Ransomware is the city of Atlanta.

atlanta1

Researchers at Trend micro first reported the attack on March 23rd, when it was revealed that SamSam Ransomware invaded the systems that were controlling Atlanta’s local services. The Mayor’s Office of Communications was quick to report the attack and reveal the issues that emerged because of it. It was reported that the infection affected the systems of the Municipal Court, which led to the court’s inability to process ticket payments, validate warrants, or hold any hearings. The Department of Human Resources was affected as well, due to which, applications for new employment were suspended. All employees were informed about the attack promptly, and they were instructed to turn off computers immediately. At the time of research, it was reported that the city partnered up with Microsoft to resolve the issues as fast as possible to ensure that all systems were back up and running again as per usual. Trend Micro also reported that Cisco, the Department of Homeland Security, and FBI joined the investigation.

pc

SamSam Ransomware has been capable of invading servers that used weak passwords, or that were easily accessible because passwords were stolen. According to Forbes, this is how the city of Atlanta was hit as well, which started its attack by invading a vulnerable server. After spreading throughout the network and invading multiple computers, the attackers behind the ransomware demanded a ransom of 6 Bitcoins. Because Bitcoin is not a stable cryptocurrency, it is hard to say exactly how much that is at the time you are reading; however, at the time or research, 6 Bitcoins converted to $47,318. On Monday, mayor Keisha Lance Bottoms could not answer yet whether or not the ransom would be paid; however, on Tuesday, the systems were back up again. No information regarding the payment of the ransom has surfaced, but, at this point, it is unknown if paying the ransom is even an option. That is because the attackers behind SamSam Ransomware deleted the city’s contact form after it was exposed to the public.

According to the analysis by RenditionSec, the city’s network was extremely vulnerable due to the lack of multi-factor authentication, and it was also discovered that the city had at least 5 different systems compromised in April 2017, which suggests that no security patches were applied before the attack of SamSam Ransomware. Without a doubt, this is a faux pas that looms over the head of the city’s IT department. Hopefully, they learn from their mistakes and take better care of the network in the future. When it comes to protecting the systems against ransomware and other malicious threats, it is most important to install reputable anti-malware software, as well as to keep up with the latest updates and apply all security patches. Backing up data is also strongly recommended because if ransomware attacks and encrypts files, they can be recovered from backup, and paying the ransom is not something that needs to be considered at all. It must be noted that paying the ransom is extremely risky because cyber criminals cannot be held accountable, and no one can force them to decrypt data after the payment is made.

References

Mathews, L. March 23, 2018. City of Atlanta Computers Hit by Ransomware Attack. Forbes.
Mayor’s Office of Communications. March 23, 2018. Mayor Keisha Lance Bottoms Provides Update on City of Atlanta Ransomware Cyberattack. Atlantaga.gov.
Ragan, S. March 27, 2018. SamSam group deletes Atlanta’s contact portal after the address goes public. CSO.
RenditionSec. March 27, 2018. Atlanta government was compromised in April 2017 – well before last week’s ransomware attack. Renditioninfosec.
Trend Micro. March 23, 2018. SAMSAM Ransomware Suspected in Atlanta Cyberattack. Trend Micro.