gizmodo | City officials in Atlanta, Georgia are still trying to recover 10
days after a ransomware attack on municipal computer systems hit at
least five out of 13 departments, knocking out some city services and forcing others to revert to paper records.
Per Reuters,
over a week has passed since the SamSam ransomware began spreading
throughout city computer systems, with a $51,000 ransom payment demanded
by the hackers going unpaid. While the recovery began last week,
large stretches of computer systems remain encrypted by the attackers.
Three city council members were sharing a single old laptop over the
weekend as they tried to reconstruct records, with councilman Howard
Shook telling the news agency the situation was “extraordinarily
frustrating.”
According
to the Reuters report, numerous local officials have found their file
systems corrupted, with tags like “weapologize” and “imsorry” appended
to document titles. Though the ransomware was not able to corrupt
everything—just eight out of 18 computers in the auditors’ office were
affected, for example—it sounds like much of the information may be
unrecoverable:
“Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.
City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.
...
Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.
The
SamSam ransomware is particularly advanced and “infiltrates by
exploiting vulnerabilities or guessing weak passwords in a target’s
public-facing systems,” then uses techniques like the Mimikatz password
recovery tool to seize control of the rest of a network, according to Wired.
That means attackers don’t need to launch social engineering attacks or
trick users into running malware for it to spread, and SamSam can
easily spread via “remote desktop protocols, Java-based web servers,
File Transfer Protocol servers, and other public network components.”
The city was just beginning to implement some of the recommendations of a cybersecurity audit released in January
that found “the large number of severe and critical vulnerabilities
identified has existed for so long the organizations responsible have
essentially become complacent and no longer take action,” per CBS. The
audit said that “departments tasked with dealing with the thousands of
vulnerabilities do not have enough time or tools to properly analyze and
treat the systems,” leading to a “significant level of preventable risk
exposure to the city.”
“Ransomware is dumb,” Parameter Security founder Dave Chronister told Wired.
“Even a sophisticated version like this has to rely on automation to
work. Ransomware relies on someone not implementing basic security
tenets... Not to be harsh, but looking at this their security strategy
must be pretty bad.”
