It’s more a question of when than if when it comes to ransomware. If corporations and government entities don’t allocate resources to hardening cyber defenses, these seemingly inevitable attacks can be very costly. The city of Atlanta found that out the hard way in 2018.
Despite being warned multiple times over several years, Atlanta did not make any updates to their computer network to mitigate vulnerabilities, and they paid for it as victims of a cyberattack that shut down the city’s online systems for five days. The attack was uncovered on March 22, 2018, at 5:40 a.m., when the Department of Atlanta Information Management first learned of outages on internal and customer applications, such as online apps used to pay water bills.
Many city services and programs were affected by the attack, such as utility, parking and court services. City officials were forced to fill out paper forms by hand, court dates had to be rescheduled and any applications for jobs with the city were suspended. The free Wi-Fi at the Hartsfield-Jackson Atlanta International Airport, which serves millions of passengers every year, was still compromised after the initial five days. The attack didn’t, however, affect public safety services such as 911 or water services.
“I just want to make a point that this is much bigger than a ransomware attack. This really is an attack on our government, which means it’s an attack on all of us,” said Atlanta Mayor Keisha Bottoms at a press conference on March 26, 2018.
The group behind it
The city hired threat researchers from Secureworks, a Dell subsidiary, and Cisco Security to help respond to the cyberattack. They found that the hacker group SamSam was behind the ransomware attack. Since 2015, the SamSam group has targeted multiple industries, including some within critical infrastructure. While their victims on U.S. soil ranged from the Colorado Department of Transportation to the Erie County Medical Center, they launched international attacks, as well.
At first, no one knew where the group was from, but many assumed English was not their first language due to their poorly written ransom notes. The threat researchers were also unaware how many people were involved with SamSam. Later, it was found that two men from Iran had made SamSam, and they were indicted by the U.S. in November 2018.
“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” said Deputy Attorney General Rod Rosenstein in a U.S. Department of Justice press release. “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals and countless innocent victims.”
How the Atlanta attack worked
In some cases of ransomware, a victim will open an email or click on a link that allows the attacker access to their system. The kind of attack SamSam used was very different. They had long-term plans for attacks and were more subtle. In fact, the group had access to Atlanta’s systems long before the actual attack.
“By the time the hack’s happened, it’s already too late,” said David Masson, director of enterprise security at Darktrace. “What we keep discovering with ransomware is, by the time they’ve actually encrypted whatever it is … you discover they’ve actually already been on there for a long, long time, and nobody saw them at all. The damage had already been done before the actual real damage gets done.”
According to a Cybersecurity and Infrastructure Security Agency (CISA) alert, “Detecting RDP (remote desktop protocol) intrusions can be challenging because the malware enters through an approved access point. After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server and run an executable file, all without victims’ action or authorization.” Because these types of attacks often go unnoticed for such a long time, it is harder for people to pinpoint the problem, and this allows the attacker to strike again in the future more easily.
In an article from The New York Times, Alan Blinder and Nicole Perlroth wrote, “Part of what makes the attack on Atlanta so pernicious are the criminals behind it: A group that locks up its victims’ files with encryption, temporarily changes their file names to ‘I’m sorry’ and gives the victims a week to pay up before the files are made permanently inaccessible.”
SamSam was known to attack organizations that provide essential functions and must resume operations quickly, and, therefore, are more likely to pay larger ransoms. “The allegations in the indictment unsealed today — the first of its kind — outline an Iran-based international computer hacking and extortion scheme that engaged in 21st-century digital blackmail,” said Assistant Attorney General Brian Benczkowski in a U.S. Department of Justice press release. Their usual ransom demand was around $50,000 through bitcoin; they asked the city of Atlanta for $51,000.
“Threat actors know that if you really want to cause some damage, attack the critical national infrastructure (CNI) of a country because the CNI is almost certainly being run by OT (operational technology), and you can really do some damage there,” Masson said. “If they can ransomware an OT system, it’s on the basis of they know that the organization can’t afford to have production halted or changed or interrupted in any kind of way. Maybe the easiest solution to get things back to normal will be — take a wild guess — pay the ransom, and that’s why they go after them. It’s the same reason that attackers go after things like municipalities and hospitals. People have a big drive to maintain that service, and perhaps the easiest way to maintain that service is to pay the ransom.”
In the end, Atlanta ended up spending millions of dollars trying to fix what had been broken rather than investing in the city’s cybersecurity to begin with.
One might think this attack on Atlanta would have been a wake-up call for the U.S. considering it affected up to 6 million people. Yet today, there are more cyberattacks than ever. For example, major companies like the Colonial Pipeline, JBS Foods and Kia Motors were all infiltrated this year — and those are just the ones we know about. There are many more that go unreported. According to an annual report on global cybersecurity, there were a total of 304 million ransomware attacks worldwide in 2020, which was a 62% increase from 2019.
“As elected officials, it’s often quite easy for us to focus on the things that people see, because at the end of the day, our residents are our customers,” Bottoms said. “But we have to really make sure that we continue to focus on the things that people can’t see, and digital infrastructure is very important.”
While there are steps being taken now, such as the National Security Memo outlining how to achieve a more secure critical infrastructure, the U.S. shouldn’t wait until another attack pops up to focus on cybersecurity as a main priority.