    Atlanta Counting on Backups, Cloud to Recover from Ransomware Attack

    By Wayne Rash - March 24, 2018

      The ransomware that has taken out many of the computers of the city of Atlanta, Ga., is well known to security researchers as SamSam. It appears to be run by a single group of bad actors who use a common Bitcoin wallet and who are very effective at convincing their victims to pay up. 

      “SamSam is a ransomware controlled by a single threat group,” explained Keith Jarvis, a researcher with Secureworks Counter Threat Unit. “It’s unlike other ransomware that’s out there.” What makes SamSam different is the way its attacks unfold. 

      According to Jarvis, the attackers scan for open ports, typically a Windows RDP (Remote Desktop Protocol) port exposed to the internet, and then run a brute force attack until they get in. In a brute force attack, the attacker hammers the service with username and password guesses until one pair works. Once a guess succeeds, they hold a valid login and are inside the network. 
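      The brute force pattern Jarvis describes leaves a clear trace in the Windows Security log of the targeted host: a burst of failed logons (Event ID 4625) from one source address, cycling through account names, followed by a successful logon (Event ID 4624) from the same address once a guess works. The Python script below is an added example, not code from the article or from Secureworks, that runs that detection over a handful of constructed, simplified log lines (timestamp, event ID and a few of the event’s fields; the addresses, account names and the threshold of five failures in five minutes are illustrative). It counts logon types 3 and 10 together because, with Network Level Authentication enabled, failed RDP attempts are usually recorded as type 3 (network) rather than 10 (RemoteInteractive).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on the fields of Windows Security events
# 4625 (failed logon) and 4624 (successful logon). Not real log data.
SAMPLE_EVENTS = [
    "2018-03-22T03:14:00Z 4625 LogonType=3 IpAddress=203.0.113.45 TargetUserName=administrator",
    "2018-03-22T03:14:10Z 4625 LogonType=3 IpAddress=203.0.113.45 TargetUserName=admin",
    "2018-03-22T03:14:20Z 4625 LogonType=3 IpAddress=203.0.113.45 TargetUserName=backup",
    "2018-03-22T03:14:25Z 4625 LogonType=2 IpAddress=127.0.0.1 TargetUserName=jsmith",
    "2018-03-22T03:14:30Z 4625 LogonType=3 IpAddress=203.0.113.45 TargetUserName=sqlsvc",
    "2018-03-22T03:14:40Z 4625 LogonType=3 IpAddress=203.0.113.45 TargetUserName=administrator",
    "2018-03-22T03:14:45Z 4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith",
    "2018-03-22T03:14:50Z 4625 LogonType=3 IpAddress=203.0.113.45 TargetUserName=admin",
    "2018-03-22T03:15:00Z 4625 LogonType=3 IpAddress=203.0.113.45 TargetUserName=backup",
    "2018-03-22T03:15:05Z 4624 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith",
    "2018-03-22T03:15:30Z 4624 LogonType=10 IpAddress=203.0.113.45 TargetUserName=backup",
]

# With Network Level Authentication on, failed RDP logons are normally logged as
# LogonType 3, so watching only type 10 misses most of the brute forcing.
REMOTE_LOGON_TYPES = {"3", "10"}


def parse_event(line):
    """Parse one constructed 'timestamp event_id key=value ...' line into a dict."""
    ts, event_id, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["event_id"] = event_id
    return ev


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every source that exceeds `threshold`
    failed remote logons inside a sliding `window`, recording the first later
    success from that source, which is the moment the attacker is 'inside'."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> account names that source has tried
    flagged = {}
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev.get("LogonType") not in REMOTE_LOGON_TYPES:
            continue  # console, service and batch logons are not remote access
        ip = ev["IpAddress"]
        if ev["event_id"] == "4625":
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # age out failures older than the window
                q.popleft()
            users[ip].add(ev["TargetUserName"])
            if ip in flagged:
                flagged[ip]["failures"] += 1
            elif len(q) >= threshold:
                flagged[ip] = {"first_seen": q[0], "failures": len(q),
                               "users": users[ip], "success": None}
        elif ev["event_id"] == "4624" and ip in flagged and flagged[ip]["success"] is None:
            # A success right after a flagged run means a guessed credential worked.
            flagged[ip]["success"] = (ev["ts"], ev["TargetUserName"])
    return flagged


if __name__ == "__main__":
    for ip, hit in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        outcome = ("then SUCCESS as %s" % hit["success"][1]) if hit["success"] else "no success seen"
        print(ip, hit["failures"], "failures,", len(hit["users"]), "accounts tried,", outcome)
```

      On the sample the script flags 203.0.113.45 after its fifth failure, keeps counting to seven across four account names, and then records the successful logon as “backup”; that last event is the one to page on, since the failures alone only say someone is knocking.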

      Once inside, they’ll examine the target network looking for important assets, such as servers containing significant data. “Once they’ve identified important assets they deploy ransomware to those specific machines,” Jarvis said. 

      Eugene Weiss, head of content security intelligence engineering for Barracuda Networks, explained what happens next. “The SamSam malware looks for certain critical files. It encrypts them with AES 256-bit encryption, and asks for a Bitcoin to be sent to a Bitcoin wallet.” 

      Weiss said that there’s no guarantee that the SamSam threat actors will actually go through with their offer to decrypt the files once they’ve received their Bitcoins, but they may. Jarvis said that this particular set of threat actors will typically demonstrate that they have control of critical files by decrypting a few of them. 

      Jarvis said that the attackers in the Atlanta case are asking for six Bitcoins, which comes out to about $51,000. But that could change once the victim indicates a willingness to pay. “Sometimes this actor will renegotiate the ransom even higher,” he said. 

      So far, it seems, the attackers running SamSam have been decrypting the servers they’ve attacked after they’ve been paid. From their viewpoint this is important, because if they gain a reputation for not decrypting, nobody will pay the ransom. 

      The attackers only seem to be after the ransom. “We’ve never found any evidence that they’re interested in stealing any data,” Jarvis said. “Their MO is exclusively to get in there and spread ransomware.” 

      Atlanta city officials haven’t indicated whether they’re planning to pay the ransom, or try to regain control of their data systems without doing so. In Atlanta’s case, however, they appear to be in a good position to recover. 

      According to reports from Atlanta, the city’s IT department had been careful in backing up its critical data. Furthermore, the city has moved much of its critical services to the cloud. The city’s network also appears to have been properly segmented, so public safety and the airport were not affected. 

      So how did this happen? Sam Elliott, director of security product management with remote security services provider Bomgar in Atlanta, said it’s apparent that “there’s some pretty bad hygiene of open ports there,” adding, “What probably caused this is a port that should not have been open.” 

      Elliott said that there are indications that it was probably a public-facing RDP port, although he said it could also have been an SMB port. He said that finding such ports is relatively easy using the Shodan search engine, which indexes internet-exposed services. Elliott said that what typically happens is that a port is opened for a specific purpose, such as for a support call, and then left open because someone forgot to close it. 

      Jarvis said that right now the city’s IT folks are deciding on the approach to take. “They’re going through the calculus of ‘can we recover’ without having to pay the ransom.” 

      Whether they can depends on whether the backups were taken regularly, were stored where the ransomware could not reach them, and can actually be restored. If they can, then they don’t need to pay the ransom. “If they backed up their data, that’s the only way to recover from a ransomware attack,” Weiss said. 

      Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends: 

      • Turn off RDP. It should never be exposed on a public-facing port, and its use should be discouraged anywhere else on the network.
      • Turn on two-factor authentication. A brute-forced password alone won’t get an attacker in if a second factor is required.
      • Perform regular audits of your external network for open remote access ports. Shodan can be used for this.
      • Require strong credentials. Weak credentials make a break-in easier and faster.
      • Use whitelisting: maintain a list of the internet destinations users are allowed to reach, and a list of the external addresses that are allowed to reach your network. 

      Weiss adds a couple more suggestions: 

      • Never expose Windows file shares (SMB) to the public internet.
      • Patch religiously. While you need to confirm that a patch will work, it’s critical to apply it promptly. The practice of delaying patches for months or forever is certain to cause problems.
      • Finally, train your employees to recognize threats such as phishing emails. “It’s time that anyone who touches a computer ought to be trained about social engineering,” he said. 
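      Jarvis’s audit of the external network for open remote access ports and Weiss’s warning about public Windows shares come down to the same check: from outside the network, try to connect to RDP (3389) and SMB (445) on every public address you own, and treat anything that answers as a finding unless someone has explicitly approved it. The Python script below is an added example, not from the article or from any of the vendors quoted, that performs that check; the port list, the allowlist and the throwaway local listener it starts so it can demonstrate itself offline are all assumptions. Shodan shows what the internet has already indexed; an active probe like this also catches the port that was opened for a support call this morning.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Remote-access services that should not answer from the public internet.
# Illustrative list; extend it with whatever your environment exposes.
REMOTE_ACCESS_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS/SMB", 5985: "WinRM"}


def is_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_remote_access(hosts, ports=REMOTE_ACCESS_PORTS, allowed=frozenset(), timeout=1.0):
    """Probe every host/port pair in parallel. Return one finding per open port
    that is not in `allowed`, the set of (host, port) pairs someone has approved."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = list(pool.map(lambda t: is_open(t[0], t[1], timeout), targets))
    return [{"host": h, "port": p, "service": ports[p]}
            for (h, p), reachable in zip(targets, results)
            if reachable and (h, p) not in allowed]


def start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 (assumed stand-in for a
    forgotten RDP port) so the audit can be demonstrated offline.
    Returns (server_socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a port that is currently closed on 127.0.0.1 (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    try:
        # Localhost stands in for "our public address range"; the demo listener
        # plays a forgotten RDP port and a closed port provides the contrast.
        demo_ports = {open_port: "RDP (demo listener)", unused_port(): "SMB (closed)"}
        for f in audit_remote_access(["127.0.0.1"], ports=demo_ports):
            print(f"FINDING: {f['host']}:{f['port']} ({f['service']}) is reachable")
    finally:
        srv.close()
```

      Run it from a host outside the perimeter, against your own address ranges only, and route the findings to whoever owns the firewall. A port that is supposed to be open belongs in the allowlist with an owner and an expiry date, which is exactly what the port opened for a support call never had.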

      Following security best practices will help most organizations avoid ransomware, but those practices have to be more than just lip service. 

      Wayne Rash
      Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and is Senior Columnist for eWEEK. He is the author of five books, including his most recent, "Politics on the Nets". Rash is a former Executive Editor of eWEEK and Ziff Davis Enterprise, and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center, and Editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.
