Wired discusses the recent Atlanta ransomware attack and how the actors leveraging SamSam are selective about their targets, often choosing organizations they believe will end up paying the ransom:
Attackers deploying SamSam are also known to choose their targets carefully—often institutions like local governments, hospitals and health records firms, universities, and industrial control services that may prefer to pay the ransom than deal with the infections themselves and risk extended downtime. They set the ransoms—$50,000 in the case of Atlanta—at price points that are both potentially manageable for victim organizations and worthwhile for attackers.
And unlike some ransomware infections that take a passive, scattershot approach, SamSam assaults can involve active oversight. Attackers adapt to a victim’s response and attempt to endure through remediation efforts. That has been the case in Atlanta, where attackers proactively took down their payment portal after local media publicly exposed the address, resulting in a flood of inquiries, with law enforcement like the FBI close behind.
From an attacker's point of view, it is simply smart business to set the ransom at a price within the victim's reach. The actors are banking on the victim concluding that it is far more expedient and less expensive to pay the ransom than to endure a lengthy outage.
Although paying a ransom appears to be the easier way to rapidly resume operations, the overall economics of a ransomware attack are not that simple. Even if a victim pays the ransom, they will still need to essentially rebuild their entire network from the ground up to ensure every trace of the attackers is eradicated. Merely paying a ransom does not guarantee the actors did not leave a backdoor somewhere within the network.
Performing a cost-benefit analysis is important in these situations: weigh the lost revenue from the outage, the lost productivity, and the cost of paying the ransom against the cost of remediating the infection. This is no easy task, and there is no black-and-white answer. The chosen route ultimately depends on the business and the kinds of daily operations it undertakes. Ransomware attacks are not one size fits all.
In the specific case of Atlanta, it sounds like mission-critical data was encrypted in the ransomware attack. That the city cannot recover this data from local or cloud-based backups demonstrates a situation seen all too often: a lack of proper foresight and planning. Had the city safely stored mission-critical data off site in addition to its local storage, then forgoing payment and simply rebuilding would have been an easy choice. But it seems the situation is much more complicated.
The City also suffered a cyberattack in April 2017, which exploited the EternalBlue Windows network file sharing vulnerability to infect the system with the backdoor known as DoublePulsar—used for loading malware onto a network. EternalBlue and DoublePulsar infiltrate systems using the same types of publicly accessible exposures that SamSam looks for, an indication, Williams says, that Atlanta didn’t have its government networks locked down.
“The DoublePulsar results definitely point to poor cybersecurity hygiene on the part of the City and suggest this is an ongoing problem, not a one time thing.”
Though Atlanta won’t comment on the details of the current ransomware attack, a City Auditor’s Office report from January 2018 shows that the City recently failed a security compliance assessment.
This is the issue: Atlanta lacks the security professionals needed to keep the city's IT assets safe from modern attacks. It is a good lesson for other, similar city governments. Get your act together and ensure security is a priority baked into IT operations; otherwise, expect successful attacks to continue to hinder operations.