Avoid being held to ransom by SamSam

Atlanta City Hall's doors: Not much use when the crooks are coming in through your network

The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them. pic.twitter.com/kc51rojhBl

— City of Atlanta, GA (@Cityofatlanta) March 22, 2018

On 22^nd March, Atlanta, Georgia was hit by a cyber attack which rendered parts of the city’s government inoperable. The attack was in the form of a piece of malicious software (malware) called SamSam. This is a piece of ransomware – a program that stops users accessing their data until they pay a ransom, usually in a cryptocurrency such as Bitcoin, to receive the keys needed to unlock their data. SamSam is far from the first piece of ransomware, you may remember the WannaCry attack that badly affected the NHS during July 2018, but it is another example of just how vulnerable our networked world is to security threats.

SamSam demanded a ransom of $51,000; payable in seven days or the data would never be recoverable. Some reports say that the address needed to pay the ransom was made unavailable shortly after the attack; but in any case, there is no evidence that the city paid SamSam’s creators.

The attack on Atlanta created a range of problems, it prevented citizens from paying for basic services such as water and parking; the city stopped taking employment applications; business licences could not be issued; court warrants could not be validated; and the malware crippled the city’s police computers requiring officers to hand write crime reports. As well as these direct problems, other parts of the city’s infrastructure – such as the wireless network at the gigantic Atlanta International airport – were shut down as a precautionary message. More than two weeks after the outbreak, the city was still struggling to restore some services and it is clear that some data was rendered permanently inaccessible.

SamSam has been around in one form or another since 2016. A leading security company, SecureWorks identifies its creators as a hacking group going by the name GOLD LOWELL. This group appears to scan the internet for vulnerable computers belonging to governments and healthcare providers before running a concerted campaign to infiltrate corporate networks. By some estimates, GOLD LOWELL has used SamSam to raise more than $850,000 from its victims since late 2017.

SamSam spreads on networked computers connected to the internet rather than through emails. Many of the computers that have been infected run Microsoft’s Remote Desktop Protocol (RDP) which allows users to connect to other computers over a network. The most vulnerable computers are those that have been misconfigured or running out-of-date software. It appears that SamSam’s owners manually attack these computers before installing SamSam – there are some suggestions that part of Atlanta’s computer systems were compromised by SamSam’s owners during 2017, although they took no action until March. Once activated, SamSam spreads rapidly across the company’s network before locking the data, ensuring that hundreds, if not thousands of computers are crippled – increasing the likelihood that the ransom will paid.

Like many big organisations, Atlanta faces the problem that it cannot function without many different computer systems, managed by many different teams with unclear responsibilities. Like other organisations, Atlanta has not made adequate investment in computer security training and preventative measures to protect against security threats; (the same problems were found in the NHS after the WannaCry attack). Indeed, an earlier audit had warned that the city was at risk from cyber attack, but this was not fixed.

This week, we learned that Atlanta spent more than $2.6 million on emergency measures recovering from SamSam. The cost included extra staffing, the need to buy additional computer infrastructure from Microsoft as well as consultancy fees and emergency communications.

It is highly unlikely that Atlanta will be SamSam’s last victim. Its unknown developers continue to release new versions of the malware, so it is likely another organisation will be harmed. Fortunately, up-to-date antivirus software can identify and destroy most forms of SamSam, so ensure you have antivirus running on your computers and that it is receiving the latest updates.

• If you are unlucky enough to be affected by ransomware, the advice from police and security professionals is unanimous – do not pay the ransom. Many pieces of ransomware either do not come with the necessary unlocking facilities; or are badly bugged and cannot decrypt the scrambled files. So you will have lost money and your data.
• Instead, take preventative action: ensure your computer’s operating system is up-to-date and receiving updates. Install antivirus software and keep it current. Ensure your key applications are also kept up-to-date.
• Be wary of unsolicited email messages requesting personal information or asking you to log in to an account (such as a bank, online shop, iTunes, Facebook or the like). These phishing messages are likely to be fakes sent by criminals, and whilst they might not carry malware, they might form part of a much larger campaign. Providing the sender of the email with some personal information – such as name, address, password and the like – allows them to target you, or your employer, with more sophisticated attacks that may include malware.

Links

Protecting your organisation from ransomware by the National Cyber Security Centre (GCHQ) 

More about SamSam

• https://www.secureworks.com/research/samsam-ransomware-campaigns
• https://blog.talosintelligence.com/2016/03/samsam-ransomware.html?m=1       
• https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html

Atlanta’s spending to fix SamSam

• http://procurement.atlantaga.gov/awarded-emergency-procurements/