Lessons Learned from Atlanta’s Ransomware Attack

In mid-March of 2018, the city of Atlanta’s digital systems were hit by the SamSam ransomware. Rather than relying on phishing or other online scams, SamSam plays the numbers, setting its sights on universities, hospitals, and local governments, which often fail to follow the most basic security best practices. By demanding “manageable” ransoms sized to what the attackers believe a target will be able to pay, SamSam takes in millions per year, giving its operators plenty of reason to persist. The attack on Atlanta was particularly disruptive. Five of the city’s thirteen local government departments were affected: online bill payment and sewer infrastructure requests were taken down, the court system was incapacitated, and the police were forced to file paper reports until their records were brought back online. After an initial ransom of around $50,000 was demanded, the hackers revoked access to the payment portal that would have been used to pay it, and the city has to date paid out nearly 3 million dollars in taxpayer money to resolve the situation.

To Pay or Not to Pay?

Whether or not to pay a ransom is far from a straightforward decision. The FBI officially discourages paying, on the reasoning that payments encourage hackers to carry out further attacks; however, that reasoning may be flawed. Little stops hackers from moving on to the next target, and they will always find an organization or company willing to pay just to make the problem go away. On the other hand, victims who do pay have no guarantee that the hackers will ever hand over the decryption keys, and they may wind up paying a security firm anyway. Public relations is another factor companies and organizations must weigh when deciding whether to pay. If news of an attack surfaces, customers may fear that their information has been compromised and take their business elsewhere. Downtime, the effect on sales or operations, and the threat of reputational damage may be enough to make targets simply bite the bullet, pay the ransom, and hope for the best. The prospect of recovering systems from backup, and the cost of doing so, may be yet another reason to pay the ransom and then fortify security once control is restored.

Atlanta’s Costly Mistake

With strapped budgets, municipalities often fail to prioritize the security of their data. It is difficult to envision the chaos that will follow a ransomware attack until it actually happens, and by then it is too late. As the saying goes, hindsight is always 20/20, but the ransomware attack on Atlanta was definitely preventable, and at a cost that would have been worthwhile and manageable. The success of a ransomware attack depends largely on the absence of basic, standard protections. For as little as 10 percent of the almost $3 million the city spent to recover its systems, it could have had a solution in place that would have nearly eliminated the danger posed by SamSam. Crisis communication and emergency services alone totaled 1.3 million dollars. The remainder was spent on incident response and digital forensics, additional staffing, and Microsoft Cloud infrastructure experts, all simply to restore the functionality that existed before the attack.

How to Defend Against a Ransomware Attack

Remember that ransomware scouts for easy targets. For every organization that falls victim to ransomware, there are potentially hundreds or thousands of others that it was unable to infiltrate. There are some basic best practices every organization should follow in order to defeat blatant attempts to break into its computer systems. Employees should be trained not to click links in emails from unknown sources or that otherwise appear suspicious. A system can even be infiltrated via phony ads or social media links, so everyone needs to be careful where they click. It should go without saying that “Password” is an unacceptable password; all passwords should include upper- and lowercase letters, numbers, and symbols. All systems should be continually updated with the latest software so that known vulnerabilities are closed before they can be exploited. Your security defenses should be multi-layered, as no single solution can protect your systems completely. You may need separate solutions for email security, web filtering, and intrusion prevention; if one of these layers fails, the others provide a safety net. Having a solution in place to back up your data is a necessity. The method you use should back up every machine and server, including the operating system, applications, services, and configuration settings. If you need to start from scratch after an attack, your backup system should restore everything to the way it was, as if nothing had ever happened.
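The last point, that a backup must restore everything to exactly the state it was in, is only verifiable if you record what that state was. The Python script below is an added example written for this article, not code from the city of Atlanta or from any vendor mentioned here. It builds a SHA-256 manifest of a directory tree, takes a backup copy, then verifies a tree against the manifest so that files that were overwritten after the backup (as ransomware does) or that appeared without authorization (a dropped ransom note) are reported instead of silently accepted. The directory names, file contents and the simulated damage are all constructed for the demonstration.

```python
"""Backup manifest and restore verification (added example, not the page's own code)."""
import hashlib
import json
import os
import shutil
import tempfile


def file_sha256(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file path under root (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest


def verify_restore(root, manifest):
    """Compare the tree at root against a manifest taken at backup time.

    Returns sorted lists of 'missing' paths (in the manifest but gone from disk),
    'modified' paths (digest differs) and 'unexpected' paths (on disk but never
    in the manifest). An empty result in all three means the restore is exact.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: back up a tree, damage it, restore it, verify both states."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(work, "records")          # constructed "production" tree
    os.makedirs(os.path.join(src, "court"))
    with open(os.path.join(src, "court", "docket.txt"), "w") as f:
        f.write("case 1: pending\n")
    with open(os.path.join(src, "bills.csv"), "w") as f:
        f.write("account,amount\n1001,42.50\n")

    # Take the backup: a manifest of digests plus a full copy of the tree.
    manifest = build_manifest(src)
    manifest_path = os.path.join(work, "manifest.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    backup = os.path.join(work, "backup")
    shutil.copytree(src, backup)

    # Simulate the attack: one file overwritten with junk, a ransom note dropped.
    with open(os.path.join(src, "bills.csv"), "wb") as f:
        f.write(b"\x00ENCRYPTED\x00")
    with open(os.path.join(src, "README_DECRYPT.txt"), "w") as f:
        f.write("constructed ransom note\n")
    damaged = verify_restore(src, manifest)

    # Recover: discard the damaged tree, restore from the copy, verify against
    # the manifest loaded from disk rather than the in-memory one.
    shutil.rmtree(src)
    shutil.copytree(backup, src)
    with open(manifest_path) as f:
        restored = verify_restore(src, json.load(f))

    shutil.rmtree(work)
    return damaged, restored


if __name__ == "__main__":
    after_attack, after_restore = demo()
    print("after attack:", after_attack)
    print("after restore:", after_restore)
```

In practice the manifest and the backup copy must live somewhere the protected hosts cannot write to, since ransomware that can reach the backup can encrypt it along with the originals; the check above only proves a restore is faithful to whatever state the manifest recorded, so run it on a scheduled restore test rather than only after an incident.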

Lessons Learned

Hacking is becoming an ever more lucrative business, and ransomware is constantly getting smarter. A ransomware attack can be truly devastating to a business or organization, and recovery can take months or even years. Protecting your systems should be seen as a long-term investment that pays for itself over time. Taking a proactive approach to security is part of taking responsibility for your business. Putting your data at risk is akin to putting your customers, constituents, or shareholders, or even your entire company or organization, at risk. A solid, multilayered defense strategy combined with regular backups costs a fraction of what recovery costs once your systems are compromised. It also buys you peace of mind, which is invaluable.