Ransomware hit systems used by the city of Atlanta's local services, causing outages on customer facing applications, including some that customers may use to pay bills or access court-related information. According to the news report, the attack resembles the work of SAMSAM, a ransomware family that infected US healthcare facilities in 2016.
A ransomware UI screenshot provided by an Atlanta city employee showed that attackers demanded a ransom of US$6,800 to unlock one computer, or $51,000 for all the decrypt keys needed to restore access to all the affected systems. The city's information technology department sent emails to employees, instructing them to unplug their computers in the event they observe anything suspicious.
A city spokesperson from Atlanta stated that its information management team is working with Microsoft to resolve the issue, and gave assurance that its technology professionals will be able to restore the affected applications soon.
In the wake of the attack, the city government noted they will continue to post updates on its primary website, which remains online. The city payroll application remains unaffected as well.
Cisco, FBI and DHS officials are also involved in the investigation of the cyberattack.
Increasing SAMSAM attacks, using a variety of methods
SAMSAM has had a consistent presence in the threat landscape over the past two years, utilizing different methods to attack different industries.
In 2016, SAMSAM targeted the healthcare industry by exploiting the JBoss vulnerability in unpatched servers. SAMSAM then moved to targeting the education sector in the same year, using the same vulnerability to hit Follet’s Learning Destiny Library software with 2,100 installed backdoors across 1,600 IP addresses. The Follet’s Destiny software tracks school library assets and is used in K-12 schools in the US and across the globe. Fortunately, Follet identified the issue and immediately took actions to address the vulnerability.
Recently, a new SAMSAM-driven campaign had already victimized entities using different methods such as targeting servers with weak passwords or stolen credentials, and identifying victims by scanning the internet for computers with exposed Remote Desktop (RDP) connections. This year, SAMSAM also hit the Farmington, New Mexico municipality, the Adams Memorial Hospital in Indiana, an unnamed Industrial Control Systems (ICS) company, and electronic health records (EHR) provider Allscripts. The most high-profile incident, however, was another Indiana-based hospital — Hancock Health —for its decision to pay a $55,000 ransom in exchange for the decrypt keys needed to resume its operations as soon as possible.
Users and enterprises can lower or eliminate the risk of ransomware infection with these best practices against ransomware.
Trend Micro ransomware solutions
Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud. Using a combination of technologies such as deep packet inspection and threat reputation, the TippingPoint also provides organizations with a proactive approach to security, including the tools to combat ransomware. In addition, Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).