SamSam Ransomware Attack & The City of Atlanta

SamSam Ransomware Attack on the City of Atlanta’s Government Systems

City officials in Atlanta, Georgia are still trying to recover 10 days after a ransomware attack on municipal computer systems hit at least five out of 13 departments, knocking out some city services and forcing others to revert to paper records.

Per Reuters, over a week has passed since the SamSam ransomware began spreading throughout city computer systems, with a $51,000 ransom payment demanded by the hackers going unpaid. While the recovery began last week, large stretches of computer systems remain encrypted by the attackers. Three city council members were sharing a single old laptop over the weekend as they tried to reconstruct records, with councilman Howard Shook telling the news agency the situation was “extraordinarily frustrating.”

According to the Reuters report, numerous local officials have found their file systems corrupted, with tags like “weapologize” and “imsorry” appended to document titles. Though the ransomware was not able to corrupt everything—just eight out of 18 computers in the auditors’ office were affected, for example—it sounds like much of the information may be unrecoverable: “Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.

City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.

What is SamSam Ransomware & how does it work?

Like a terrible foot fungus, and not nearly as pleasant, SamSam ransomware just won’t go away. This customized ransomware strain first entered the scene in 2016 and, today, it’s powering the types of targeted cyber attacks that should give all of us pause—especially those in the healthcare industry.

Just consider this: In January 2018, SamSam ransomware variants encrypted:

– Allscripts’ hosted applications, including its electronic health record and electronic prescription apps
– Hancock Health information systems, for which the hospital paid approximately $55,000 to restore access
– City of Farmington’s (NM) computer systems, from which the city was able to recover and avoid paying a $35,000 ransom

Of course, organizations will often pay a price, even if they’re in a position to recover from a recent backup. The hard and soft costs associated with ransomware downtime range from IT recovery and client remediation costs to employee morale and damage to brand reputation.

In short, it pays to be prepared.

And, as there appears to be an uptick in SamSam ransomware attacks, it’s critical to understand how these attacks are deployed to ensure you’re able to best protect your critical data.

How does SamSam ransomware work?
Your everyday, garden-variety ransomware, as you know, often adopts a spray-and-pray approach. Cyber attackers set their traps—distributing emails and making drive-by-downloads widely available. Then, they wait for an unsuspecting victim to inadvertently execute their payload.

SamSam ransomware is different.

With SamSam, cyber attackers scan the web for unpatched server-side software and quietly let themselves in the backdoor. With access to the victim’s environment, attackers collect data and credentials before deploying a customized strain of SamSam ransomware. Then, they use the infected server to spread the encrypting ransomware to Windows machines on the network, as well as to network-based backups.

These attacks are part of a growing trend toward targeted ransomware attacks. While no organization is safe from ransomware, attackers today are leveraging more targeted approaches to exploit vulnerable organizations with deep pockets and a lot to lose.
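Because the ransomware spreads from one server to Windows machines and network-based backups, the first question in recovery is how much of each file share or backup tree was hit. The following is an added example, not code from the original article: a Python triage pass that counts files whose names end with the tags reported above (“weapologize”, “imsorry”) and reports the earliest modification time among them. The function names and the report layout are assumptions made for illustration.

```python
import os
from collections import Counter
from datetime import datetime, timezone

# Tags the article reports appended to file names; extend with tags seen on your own systems.
RANSOM_TAGS = ("weapologize", "imsorry")

def is_tagged(name, tags=RANSOM_TAGS):
    """True when the file name ends with one of the tags (case-insensitive)."""
    lowered = name.lower()
    return any(lowered.endswith(tag) for tag in tags)

def triage(root, tags=RANSOM_TAGS):
    """Walk root and summarise how much of it carries a ransomware tag."""
    total = 0
    hit_dirs = Counter()   # directory -> number of tagged files in it
    first_seen = None      # oldest mtime among tagged files
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if not is_tagged(name, tags):
                continue
            hit_dirs[dirpath] += 1
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable or vanished file: counted, but no timestamp
            if first_seen is None or mtime < first_seen:
                first_seen = mtime
    tagged = sum(hit_dirs.values())
    return {
        "total_files": total,
        "tagged_files": tagged,
        "tagged_ratio": tagged / total if total else 0.0,
        "dirs": dict(hit_dirs),
        # A rough estimate of when encryption began; mtimes can be altered,
        # so corroborate with server and backup logs.
        "earliest_tagged_mtime": (
            datetime.fromtimestamp(first_seen, tz=timezone.utc).isoformat()
            if first_seen is not None else None),
    }

if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against a read-only mount of each share or backup volume and compare the tagged ratio across volumes to decide which backups are still usable for restore.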


Sources:

Reuters
Ransomware watch
2018-04-02T17:00:27+00:00