The latest victim in 2018's slew of SamSam ransomware infections is the city of Atlanta. Here's what you need to know.
Atlanta city officials held a press conference on Thursday to confirm the city is actively grappling with a ransomware infection, resulting in loss of access to files and outages to several online systems and services.
According to Atlanta Chief Operations Officer Richard Cox, who happens to be in his first week on the job, the infection was discovered at 5:40am on Thursday and appears to be primarily impacting services related to paying city bills and accessing court information online. The good news is the city's website remains online and critical infrastructure such as the city's public safety systems, water services, and local airport are all operating without incident.
"The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them." (City of Atlanta, GA, @Cityofatlanta, March 22, 2018)
A screenshot of one of the ransom notes left behind during the infection reportedly reveals attackers are demanding payments of $6,800 in exchange for decrypting files on each infected computer. Alternatively, the note also offers the city the option of paying $51,000 in exchange for decryption keys for all the computers infected during the attack.
When asked whether the city plans to pay the ransom, Atlanta Mayor Keisha Lance Bottoms didn't immediately rule out the option, stating, "We will be looking for guidance from specifically our federal partners."
The city is working with the FBI and the Department of Homeland Security, along with incident response teams from Microsoft and Cisco in order to determine the source of the infection and how best to respond to the attack.
According to experts who have reviewed the ransom note, its similarities to earlier notes suggest the ransomware involved is SamSam, a strain that has been increasingly active this year, most recently infecting the Colorado Department of Transportation (CDOT) not once but twice in February.
If the ransomware involved is in fact SamSam, that provides clues as to possible infection vectors, as well. SamSam has a history of infecting servers that have been left exposed to the Internet, primarily via RDP brute force attacks or via exploits targeting specific vulnerabilities.
Researcher @Ring0X0 appeared to confirm the city had a server with SMBv1 exposed to the Internet, which makes EternalBlue (the SMBv1 exploit used to spread WannaCry and NotPetya) one possibility for how this infection took hold. It is only a candidate vector, however: as of the press conference the city had not said how the attackers got in.
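The check behind that kind of finding is simple to reproduce. The following script is an added example, not code from the article or from any of the researchers it cites: it sends an SMB1 Negotiate Protocol request to TCP/445 offering only the "NT LM 0.12" dialect and classifies the reply. A host that answers with an SMB1 header (0xFF "SMB") still speaks SMBv1 and should be treated as an EternalBlue candidate until patched (MS17-010) and SMBv1 is disabled; a host with SMBv1 turned off normally just closes the connection. Function names, the `probe` helper, and the sample replies are this example's own assumptions, and the sample replies are constructed, not captured traffic.

```python
"""Probe whether a host still negotiates SMBv1 on TCP/445 (added example)."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECT = b"NT LM 0.12"


def build_smb1_negotiate() -> bytes:
    """Return a NetBIOS-framed SMB1 NEGOTIATE request offering a single SMB1 dialect."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,         # Protocol identifier
        SMB_COM_NEGOTIATE,  # Command
        0,                  # NT_STATUS
        0x18,               # Flags: canonical pathnames, case-insensitive
        0xC853,             # Flags2: unicode, NT status codes, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0,                  # TID
        0x2F4B,             # PIDLow (arbitrary)
        0,                  # UID
        0x0001,             # MID
    )
    dialects = b"\x02" + SMB1_DIALECT + b"\x00"            # one "dialect" buffer entry
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb     # NetBIOS session message


def classify_response(data: bytes) -> str:
    """Classify the first bytes read back after the probe was sent."""
    if len(data) < 8 or data[0] != 0x00:
        return "no-smb1"       # connection closed/reset, or not a NetBIOS session message
    magic = data[4:8]
    if magic == SMB2_MAGIC:
        return "smb2-only"     # server refused SMB1 and answered in SMB2
    if magic != SMB1_MAGIC or data[8] != SMB_COM_NEGOTIATE:
        return "unknown"
    # SMB1 NEGOTIATE response: WordCount at offset 36, DialectIndex right after it.
    if len(data) >= 39 and struct.unpack_from("<H", data, 37)[0] == 0xFFFF:
        return "smb1-dialect-rejected"
    return "smb1"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the probe, classify the reply (network I/O; hypothetical helper)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_response(s.recv(1024))
    except (ConnectionError, socket.timeout):
        return "no-smb1"
    except OSError as exc:
        return f"error: {exc}"


# Constructed sample replies (not captured traffic) for offline checks.
SAMPLE_SMB1_REPLY = (
    b"\x00\x00\x00\x23"                                   # NetBIOS header, 35-byte payload
    + SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27  # 32-byte SMB1 header
    + b"\x11" + b"\x00\x00"                               # WordCount 17, DialectIndex 0
)
SAMPLE_SMB2_REPLY = b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        print("constructed SMB1 reply ->", classify_response(SAMPLE_SMB1_REPLY))
        print("constructed SMB2 reply ->", classify_response(SAMPLE_SMB2_REPLY))
```

Run it against your own externally routable hosts only; a result of `smb1` on an Internet-facing address is the condition the researcher described, and the fix is to block 445 at the perimeter and disable SMBv1 on the host, not merely to patch.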
While additional details are gathered on this attack, here are five key things you need to know about SamSam, along with recommendations for keeping your organization safe.
This isn't the first attack the criminals behind SamSam have conducted on a local government. In January, the municipality of Farmington, NM was infected. On February 16, Davidson County in North Carolina was hit. And Colorado's Department of Transportation (CDOT) was infected not once, but twice in the span of eight days.
SamSam was originally discovered in 2016, when attackers used it in attack campaigns primarily targeting healthcare organizations with vulnerable JBoss application servers. After experiencing initial success targeting the healthcare industry, attackers expanded their campaigns to attack schools and government organizations, as well.
In 2017, SamSam resurfaced, this time targeting organizations with Remote Desktop Protocol (RDP) connections exposed (more on RDP later). One prominent victim, Erie County Medical Center, was infected with SamSam in April 2017 and wasn't able to fully recover until three months later, at the price of $10 million in recovery costs.
After a comparatively quiet latter half of 2017, SamSam activity began picking back up in late Q4 and has continued to increase through to the present. Over a period of just four weeks in late December and early January, attackers accumulated $325,000 in Bitcoin in just one of potentially several Bitcoin wallets they may be maintaining.
SamSam ransom note left behind after infecting the City of Farmington, NM in January 2018. Source: Daily Times
The criminals behind SamSam have a history of conducting targeted attacks against healthcare and government organizations. One reason is that organizations in these spaces are generally considered to be understaffed and underfunded when it comes to cybersecurity, and many face considerable logistical challenges when it comes to keeping software and systems secure and up-to-date.
Other reasons, however, may be that these organizations have little tolerance for downtime, and that — due in part to regulation — any security incidents they suffer quickly become public events. Both of those factors apply additional pressures on victims when it comes to deciding whether or not to pay the ransom.
Criminals have had success infecting victims in both verticals who are willing to pay, and as long as they continue to have that success, healthcare providers and government organizations will continue to be the targets of increasing attacks.
Unlike many ransomware strains, SamSam doesn't rely on tricking employees into clicking on links or email attachments they shouldn't. Instead, the attackers behind SamSam tend to target vulnerable/exposed servers they can gain access to via weak/stolen credentials.
They aren't alone in using this approach. Identifying systems with RDP or other vulnerable services exposed on open ports has become a very popular tactic, and tools like Shodan (a search engine for Internet-exposed services) and masscan (a fast port scanner) make it trivial.
Once they have access, the attackers deploy SamSam manually, often using legitimate system tools such as PsExec and Wmic.exe to push the ransomware to other machines across the victim's network.
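Because every step of that chain shows up in standard Windows event logs, it can be detected without any malware signature. The script below is an added example, not code from the article or from Barkly: it runs three detections over a handful of constructed Security/System events (no real logs are used): an RDP password-guessing burst (event 4625, logon type 10, many failures from one source IP inside a short window), a successful RDP logon (4624) from that same IP afterwards, and hands-on deployment via a PsExec service install (7045 with service name PSEXESVC) or `wmic.exe /node:`. The thresholds, field names, host names, the 203.0.113.9 address and the timeline are this example's own assumptions.

```python
"""Flag the SamSam intrusion pattern in Windows event logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, LOGON, PROCESS_CREATED, SERVICE_INSTALLED = 4625, 4624, 4688, 7045
RDP_LOGON_TYPE = 10                          # RemoteInteractive
BRUTE_FORCE_THRESHOLD = 5                    # failures from one source IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)    # ... within this window


def _rdp_fail(sec, user):
    # Constructed failed RDP logon, all from the same source address.
    return {"time": f"2018-03-22T05:01:{sec:02d}", "id": FAILED_LOGON, "host": "srv-web01",
            "ip": "203.0.113.9", "user": user, "logon_type": RDP_LOGON_TYPE}


# Constructed sample events (field names loosely follow the Windows event XML).
SAMPLE_EVENTS = [
    _rdp_fail(s, u) for s, u in zip(range(0, 50, 10), ["administrator", "admin", "backup", "scan", "test"])
] + [
    {"time": "2018-03-22T05:03:30", "id": LOGON, "host": "srv-web01", "ip": "203.0.113.9",
     "user": "backup", "logon_type": RDP_LOGON_TYPE},                        # guess succeeded
    {"time": "2018-03-22T05:05:00", "id": LOGON, "host": "srv-web01", "ip": "10.0.0.5",
     "user": "jdoe", "logon_type": RDP_LOGON_TYPE},                          # benign admin logon
    {"time": "2018-03-22T05:10:00", "id": SERVICE_INSTALLED, "host": "srv-db02",
     "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},           # PsExec on a second host
    {"time": "2018-03-22T05:12:00", "id": PROCESS_CREATED, "host": "srv-web01",
     "process": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"srv-fs03" process call create "cmd.exe /c \\srv-web01\share\run.bat"'},
]


def detect(events):
    """Return (rule, host, detail) alerts, in time order, for the SamSam-style chain."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent RDP failures
    flagged_ips = set()             # IPs that crossed the brute-force threshold
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid == FAILED_LOGON and ev.get("logon_type") == RDP_LOGON_TYPE:
            recent = failures[ev["ip"]]
            recent.append(ts)
            while recent and ts - recent[0] > BRUTE_FORCE_WINDOW:
                recent.popleft()    # sliding window: drop failures older than the window
            if len(recent) >= BRUTE_FORCE_THRESHOLD and ev["ip"] not in flagged_ips:
                flagged_ips.add(ev["ip"])
                alerts.append(("rdp-brute-force", ev["host"], ev["ip"]))
        elif eid == LOGON and ev.get("logon_type") == RDP_LOGON_TYPE:
            if ev["ip"] in flagged_ips:   # a guess landed: treat the account as compromised
                alerts.append(("rdp-logon-after-brute-force", ev["host"], f'{ev["ip"]} as {ev["user"]}'))
        elif eid == SERVICE_INSTALLED and ev.get("service", "").upper() == "PSEXESVC":
            alerts.append(("psexec-service-install", ev["host"], ev.get("path", "")))
        elif eid == PROCESS_CREATED:
            cmd = ev.get("cmdline", "").lower()
            if "wmic" in cmd and "/node:" in cmd:   # WMI used to start a process on another host
                alerts.append(("wmic-remote-exec", ev["host"], ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30s} {host:10s} {detail}")
```

Two design choices matter in practice: the brute-force rule keys on the source IP rather than the account, because SamSam-style guessing sprays many usernames, and the 4624-after-4625 rule fires only for an IP that already crossed the threshold, so a single admin's routine RDP logon stays quiet while a guessed password does not.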
To prevent attackers from gaining access to servers via RDP, make sure you're doing the following:
In each of these incidents, the inherent limitations of traditional antivirus solutions have been on full display.
The clearest example is the pair of attacks on the Colorado Department of Transportation, which was first infected with SamSam on February 21 despite having McAfee antivirus installed on its machines. McAfee responded by updating its software with a new signature designed to block that particular variant of SamSam.
Just eight days later, however, the attackers proved how trivial it is to make small changes and release new malware variants to evade signature-based detection. They infected the CDOT a second time, causing a spokesperson from the Colorado Office of Information Technology to respond, "We had 20 percent of the computers up and running when our security tools detected malicious activity. And sure enough the variant of SamSam ransomware just keeps changing. The tools we have in place didn't work. It's ahead of our tools."
Barkly blocks SamSam infections before files can be encrypted.
Today's advanced attacks routinely bypass antivirus. To stop them, organizations need to invest in smarter, stronger endpoint security that has the ability to block not just executables, but malicious activity in real-time.
Barkly provides defense-in-depth against SamSam and other ransomware. It utilizes a patented combination of machine learning and real-time behavioral analysis in order to recognize and block ransomware payloads AND the types of behaviors ransomware relies on to execute. As a result, Barkly blocks ransomware attempts before any files are encrypted or any damage is done.
Learn how to identify the gaps in your organization's security, and find out why it may be time to make a switch from AV. Download our AV gap analysis.