2.5 Tracking a moving target
Security is an ever-changing topic. New technologies are always being introduced and they bring new risks, or allow old threats to resurface in a new form.
Old technologies are retired by manufacturers, potentially leaving their users exposed to danger as bugs and security weaknesses remain unaddressed. And there are new threats being discovered every day, such as the WannaCry ransomware attack of 2017 or the more recent SamSam ransomware attack that shut down services across the city of Atlanta.
On 22nd March 2018, Atlanta, Georgia was hit by a cyber attack which rendered parts of the city’s government inoperable. The attack was in the form of a piece of malicious software (malware) called SamSam. This is a piece of ransomware – a program that stops users accessing their data until they pay a ransom, usually in a cryptocurrency such as Bitcoin, to receive the keys needed to unlock their data. SamSam demanded a ransom of $51,000, payable within seven days, or the data would never be recoverable. Some reports say that the address needed to pay the ransom was made unavailable shortly after the attack, but in any case there is no evidence that the city paid SamSam’s creators.
The attack on Atlanta created a range of problems: it prevented citizens from paying for basic services such as water and parking; the city stopped taking employment applications; business licences could not be issued; court warrants could not be validated; and the malware crippled the city’s police computers, requiring officers to hand-write crime reports. As well as these direct problems, other parts of the city’s infrastructure – such as the wireless network at the gigantic Atlanta International airport – were shut down as a precautionary measure. More than two weeks after the outbreak, the city was still struggling to restore some services, and it is clear that some data was rendered permanently inaccessible.
SamSam spreads between networked computers that are reachable from the internet rather than through emails. Many of the computers that have been infected run Microsoft’s Remote Desktop Protocol (RDP), which allows users to connect to other computers over a network. The most vulnerable computers are those that have been misconfigured or are running out-of-date software. It appears that SamSam’s owners manually attack these computers before installing SamSam – there are some suggestions that part of Atlanta’s computer systems were compromised by SamSam’s owners during 2017, although they took no action until March. Once activated, SamSam spreads rapidly across the organisation’s network before locking the data, ensuring that hundreds, if not thousands, of computers are crippled – increasing the likelihood that the ransom will be paid.
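Because the initial access described above comes through RDP on internet-reachable machines rather than through email, a defender’s first question is usually “who is logging in to our hosts over RDP from outside the network?”. The following is an added example, not part of the course text or of any SamSam analysis, of that check run over a handful of constructed Windows Security log entries. It assumes a simplified key=value line format (real logs would need a proper parser) and that the internal address ranges are the RFC 1918 private networks; the event semantics it relies on are real (Event ID 4624 is a successful logon, 4625 a failed one, and logon type 10 is RemoteInteractive, i.e. RDP).

```python
import ipaddress
from collections import Counter

# Constructed sample log lines in a simplified key=value form (not real captures).
# EventID 4624 = successful logon, 4625 = failed logon; LogonType 10 = RDP.
SAMPLE_LOGS = [
    "EventID=4624 LogonType=10 User=alice SrcIP=10.0.5.12 Host=FS01",
    "EventID=4624 LogonType=10 User=svc-backup SrcIP=203.0.113.45 Host=FS01",
    "EventID=4624 LogonType=3 User=bob SrcIP=198.51.100.7 Host=WEB01",
    "EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45 Host=FS01",
    "EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45 Host=FS01",
    "EventID=4624 LogonType=10 User=carol SrcIP=192.168.1.20 Host=DC01",
]

# Assumed internal ranges: the RFC 1918 private networks. Adjust to your own.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Split one 'key=value key=value' line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_rdp_logons(lines):
    """Return (host, user, source IP) for every successful RDP logon
    whose source address is outside the internal ranges."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if (f.get("EventID") == "4624"
                and f.get("LogonType") == RDP_LOGON_TYPE
                and not is_internal(f["SrcIP"])):
            hits.append((f["Host"], f["User"], f["SrcIP"]))
    return hits


def count_failed_external_rdp(lines):
    """Count failed RDP logons per external source IP; a high count
    from one address is the usual sign of password guessing against
    an exposed RDP service."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if (f.get("EventID") == "4625"
                and f.get("LogonType") == RDP_LOGON_TYPE
                and not is_internal(f["SrcIP"])):
            counts[f["SrcIP"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, user, ip in find_external_rdp_logons(SAMPLE_LOGS):
        print(f"external RDP logon: {user}@{host} from {ip}")
    for ip, n in count_failed_external_rdp(SAMPLE_LOGS).items():
        print(f"{n} failed external RDP logon(s) from {ip}")
```

On the sample data the check flags one successful RDP logon from an address outside the internal ranges and two failed attempts from the same address, which is exactly the pattern worth investigating before, rather than after, a ransomware payload is dropped. The same logic applies unchanged to the real event fields once a proper Windows event log parser replaces `parse_line`.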
Like many big organisations, Atlanta faces the problem that it cannot function without many different computer systems, managed by many different teams with unclear responsibilities. Like other organisations, Atlanta has not made adequate investment in computer security training and preventative measures to protect against security threats (the same problems were found in the NHS after the WannaCry attack). Indeed, an earlier audit had warned that the city was at risk from cyber attack, but the problems it identified were not fixed.
Atlanta spent more than $2.6 million on emergency measures to recover from SamSam. The cost included extra staffing, the need to buy additional computer infrastructure from Microsoft, consultancy fees and emergency communications.
It is highly unlikely that Atlanta will be SamSam’s last victim. Its unknown developers continue to release new versions of the malware, so it is likely another organisation will be harmed. Fortunately, up-to-date antivirus software can identify and destroy most forms of SamSam, so ensure you have antivirus running on your computers and that it is receiving the latest updates.