For over a week, Atlanta made national headlines, but not for the reasons you'd think. Not sports nor mumble rappers, or whatever else goes on there, but for falling victim to a ransomware attack. Credit goes to "SamSam". Chalk up another organization, wait, this is a city. A city? If anything, you must give these actors credit for raising their standards.
SamSam rose to the spotlight in 2016, as it separated itself from other ransomware variants (e.g. CryptoLocker, TeslaCrypt) and began catching the attention of the security community. Malware variants that are typically introduced via phishing still require user interaction to execute and become functional. SamSam focused instead on remote execution and exploiting vulnerabilities in systems. Once an environment (company) is a target, SamSam begins scanning and exploiting it from outside the network, looking for vulnerable JBoss instances and exposed RDP. Once exploited and access is persistent, the ransomware is deployed. Pretty neat actually. Secureworks has a great write-up on SamSam.
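For the RDP leg of that playbook, the thing a blue team can actually do is watch the logon failures. Below is an added example (not from this post or from the Secureworks write-up) of detection logic run over Windows Security events: it counts failed RemoteInteractive (LogonType 10) logons per source IP inside a sliding window, flags a source that crosses a threshold, and then records whether a successful RDP logon from that same source follows, which is the moment access becomes "persistent" in the sense above. The flat `key=value` event layout, the sample lines, the five-failures-in-five-minutes threshold and the list of internal ranges are all assumptions for the example; a real export needs a proper EVTX/XML parser and thresholds tuned to the environment.

```python
"""RDP brute-force detection over Windows Security events (added example).

Events 4625 (failed logon) and 4624 (successful logon) are assumed to have
been flattened into one "key=value" line each; this is a constructed layout,
not a real EVTX export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample: one external source hammering RDP and then getting in,
# one internal user mistyping a password, one external source trying once.
SAMPLE_EVENTS = """\
2018-03-20T02:14:01 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.45
2018-03-20T02:14:03 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.45
2018-03-20T02:14:05 EventID=4625 LogonType=3 TargetUser=admin SrcIP=203.0.113.45
2018-03-20T02:14:09 EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=10.20.30.40
2018-03-20T02:14:12 EventID=4625 LogonType=10 TargetUser=Administrator SrcIP=203.0.113.45
2018-03-20T02:14:20 EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.45
2018-03-20T02:14:33 EventID=4625 LogonType=10 TargetUser=svc_backup SrcIP=203.0.113.45
2018-03-20T02:14:40 EventID=4625 LogonType=10 TargetUser=root SrcIP=198.51.100.7
2018-03-20T02:14:47 EventID=4625 LogonType=10 TargetUser=svc_backup SrcIP=203.0.113.45
2018-03-20T02:14:48 EventID=4624 LogonType=10 TargetUser=jsmith SrcIP=10.20.30.40
2018-03-20T02:15:02 EventID=4624 LogonType=10 TargetUser=svc_backup SrcIP=203.0.113.45
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line):
    """Return a dict for one flattened event line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "src_ip": m["ip"],
    }


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside `window`.

    Returns one finding per flagged source IP, including the first successful
    RDP logon from that IP after it was flagged (the brute force paying off).
    """
    recent = defaultdict(list)   # src_ip -> RDP failure timestamps inside the window
    total = defaultdict(int)     # src_ip -> all RDP failures seen
    users = defaultdict(set)     # src_ip -> usernames attempted
    findings = {}
    for line in lines:
        ev = parse_event(line)
        # LogonType 10 = RemoteInteractive, i.e. RDP; other logon types are ignored.
        if ev is None or ev["logon_type"] != 10:
            continue
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            total[ip] += 1
            users[ip].add(ev["user"].lower())
            stamps = recent[ip]
            stamps.append(ev["ts"])
            while stamps and ev["ts"] - stamps[0] > window:   # slide the window
                stamps.pop(0)
            if len(stamps) >= threshold and ip not in findings:
                findings[ip] = {
                    "src_ip": ip,
                    "external": is_external(ip),
                    "first_failure": stamps[0],
                    "flagged_at": ev["ts"],
                    "success_user": None,
                }
        elif ev["event_id"] == 4624 and ip in findings and findings[ip]["success_user"] is None:
            findings[ip]["success_user"] = ev["user"]
    for ip, f in findings.items():
        f["failures"] = total[ip]
        f["users_tried"] = sorted(users[ip])
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(f)
```

The internal user's single typo and the one-shot attempt from 198.51.100.7 stay below threshold, while 203.0.113.45 is flagged on its fifth failure and the later 4624 from the same address for `svc_backup` is attached to the finding; that "failures then success" pair is the alert worth paging on, and the `users_tried` list shows the account guessing that preceded it.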
The city, still can't believe I'm saying that, the city of Atlanta has yet to release details on the root cause or initial attack vector. We do know that the attackers demanded $50,000 in bitcoin. What we also know, courtesy of "WSP-TV Atlanta", is that the city shelled out $2.7 million to combat the threat. Dell Secureworks was the main beneficiary, with a price tag of $650,000, alongside other companies such as Ernst & Young.
What does this mean? Well, as a #blueteam member my thoughts are optimistic. If the city can afford to pay out $2.7 million, it signals that they don't plan to have a repeat of this attack. Many of us know legacy systems are still in play in many big cities across the globe, and if you've ever worked in a SOC or on a security team you understand the fight with #sysadmins and the business to upgrade these systems. My prediction is that these attacks will continue, and major U.S. cities should take notice of what's happened in the peach state.