Atlanta's Reported Ransomware Bill: Up to $17 MillionCity Didn't Pay Ransom, But Spends for Cleanup, New Devices, Better Security
The cost of the city of Atlanta's mitigation and subsequent IT overhaul following a massive SamSam ransomware infection earlier this year could reach $17 million.
The March 22 ransomware outbreak left 8,000 city employees unable to use their PCs for several days and led to longer outages for residents who wanted to pay for parking tickets or report potholes online as the city's IT team continued to grapple with the incident (see Atlanta's Ransomware Cleanup Costs Hit $2.6 Million).
The Atlanta Journal-Constitution and Atlanta's WSB-TV Channel 2 Action News last week reported that they obtained a seven-page document, marked "confidential and privileged," that describes the most recent costs incurred by the city as it has continued to respond to the ransomware outbreak.
The city's assessment says Atlanta has about $6 million in contract commitments as a result of the ransomware attack, and it faces up to $11 million more in additional costs, the news outlets report.
Of the $6 million in commitments, about $1.1 million has been budgeted for "new desktops, laptops, smartphones and tablets," while the rest is for "security services and software upgrades," they report.
A city spokesman told the Atlanta Journal-Constitution that the city is taking the opportunity to overhaul its systems and noted that some of the ransomware attack costs will be covered by its cyber insurance policy.
"We are pleased with the progress of the recovery efforts. In addition to responding to the criminal attack against the city of Atlanta, we are using this opportunity to make the city more secure," the spokesman said. "Unfortunately, in today's world, governments are seeing an increase in cyberattacks. ... As you already know, the city is insured against cyberattacks. We continue to work through that process for the most cost-effective outcome for our residents."
The city had received a ransom demand worth $51,000 in bitcoins to unlock all affected systems, which it reportedly did not pay.
Colorado Hit by SamSam
Atlanta isn't the only city or local agency to have been hit by SamSam ransomware this year (see HHS Warns of SamSam Ransomware Attacks).
In late February, the Colorado Department of Transportation's suffered a SamSam ransomware infection that led state officials to take more than 2,000 systems offline, leaving state employees having to use personal devices to check their email.
Following the attack, Colorado Gov. John Hickenlooper signed an executive order authorizing up to $2 million to be spent.
Six weeks after the attack, the state agency reported that it had restored 80 percent of its systems. Officials said they had bolstered their core team of 25 IT employees with about 125 additional employees to help respond to the incident and overhaul systems.
"We were able to recover from the SamSam attack relatively quickly due to our robust backup plan and our segmentation strategies," Brandi Simmons, a spokeswoman for Colorado's Office of Information Technology, told The Denver Post in April. "We are still capturing costs associated with the incident, but our estimate is between $1 million and $1.5 million."
The state said that it had received a ransom demand - it did not specify the amount - and refused to pay. It said its recovery operations had been greatly aided by its 2017 Backup Colorado project, which included a "segmentation strategy" designed to spread critical information across multiple server, to better protect against any one of them being knocked offline or compromised, StateScoop reported.
Crypto-Locking Attacks Continue
While there are many different types of crypto-locking ransomware, whoever is behind SamSam appears to be very prolific. "[The] SamSam threat actor is very active, and we have over 40 cases under investigation," says Ondrej Krehel, digital forensics lead and CEO of New York-based digital forensics and cybersecurity intelligence firm LIFARS (see Facing Cyber Extortion? Step 1: Don't Panic).
Other SamSam victims have included Allscripts, Adams Memorial Hospital and Mississippi Valley State University.
Although education, government and healthcare sector victims have seemed to bear the brunt of SamSam attacks, Sophos reports that the private sector appears to be much harder hit (see SamSam: Inside One of the World's Top Forms of Ransomware).
"These three sectors account for fewer than half of the total number of organizations we believe have been victims of SamSam," Sophos says in a new report on SamSam. "It's the private sector who have suffered the most - and disclosed the least."
Sophos estimates that since SamSam was first spotted in 2016, at least 233 victims have paid a ransom to the attackers, although it says it doesn't know all of their identities. But 74 percent of the SamSam victims it has identified are U.S.-based.
"With an estimated one new victim being attacked each day, we believe that roughly one in four victims pay at least some of the ransom," Sophos says.
Lock Down RDP Access
Whoever is using SamSam to attack organizations utilizes very consistent techniques and tactics. "In almost every attack, the attacker started encryption of files late at night or in the early hours of the morning in the victim's time zone," Sophos says. "There is a sort of twisted logic to this, as this will be a time when victims are most vulnerable, as there are likely to be fewer users and admins online to notice. This is true of U.S. victims - both east and west coast - as well as victims in other countries such as the U.K."
The attacker or attackers also increasingly use the remote desktop protocol, or RDP, to gain access to corporate networks (see Hackers Exploit Weak Remote Desktop Protocol Credentials).
Some cybercriminals specialize in harvesting RDP credentials and then selling them on cybercrime marketplaces to interested buyers - sometimes for exclusive use (see How Much Is That RDP Credential in the Window?).
Incident response experts say attackers might use the credentials to access a corporate network, establish a beachhead and then look around for any sensitive or confidential information they might be able to monetize. Later, they may infect systems with ransomware as a final step to attempt to generate more illicit revenues. As a result, the first signs of a ransomware infection may come weeks or months after attackers first gained access to a network.
Sophos says all organizations that use RDP have a clear imperative to ensure they properly secure it. "As the SamSam attacker has historically entered a network through a combination of exploits and brute-forced RDP passwords, taking steps to harden the perimeter and interior is probably a wise move," it says.
That encompasses a wide range of advice, including patching, vulnerability management and regularly scanning corporate infrastructure using internet-of-thing search engine Shodan to see what might be exposed. "Fix the most easily corrected mistakes as quickly as possible, such as closing whatever firewall loopholes might allow someone to reach the default [RDP] port of 3389 from the internet," Sophos advises.