City officials in Atlanta, Georgia are still trying to recover 10 days after a ransomware attack on municipal computer systems hit at least five out of 13 departments, knocking out some city services and forcing others to revert to paper records.
Per Reuters, over a week has passed since the SamSam ransomware began spreading throughout city computer systems, with a $51,000 ransom payment demanded by the hackers going unpaid. While the recovery began last week, large stretches of computer systems remain encrypted by the attackers. Three city council members were sharing a single old laptop over the weekend as they tried to reconstruct records, with councilman Howard Shook telling the news agency the situation was “extraordinarily frustrating.”
According to the Reuters report, numerous local officials have found their file systems corrupted, with tags like “weapologize” and “imsorry” appended to document titles. Though the ransomware was not able to corrupt everything—just eight out of 18 computers in the auditors’ office were affected, for example—it sounds like much of the information may be unrecoverable:
“Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.
City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.
Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.
The SamSam ransomware is particularly advanced and “infiltrates by exploiting vulnerabilities or guessing weak passwords in a target’s public-facing systems,” then uses techniques like the Mimikatz password recovery tool to seize control of the rest of a network, according to Wired. That means attackers don’t need to launch social engineering attacks or trick users into running malware for it to spread, and SamSam can easily spread via “remote desktop protocols, Java-based web servers, File Transfer Protocol servers, and other public network components.”
The city was just beginning to implement some of the recommendations of a cybersecurity audit released in January that found “the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action,” per CBS. The audit said that “departments tasked with dealing with the thousands of vulnerabilities do not have enough time or tools to properly analyze and treat the systems,” leading to a “significant level of preventable risk exposure to the city.”
“Ransomware is dumb,” Parameter Security founder Dave Chronister told Wired. “Even a sophisticated version like this has to rely on automation to work. Ransomware relies on someone not implementing basic security tenets... Not to be harsh, but looking at this their security strategy must be pretty bad.”
The FBI and Department of Homeland Security are assisting Atlanta officials, but it’s not clear to what extent they can help. As Reuters noted, the FBI “typically discourages ransomware victims from paying up,” but former DHS official Mark Weatherford said that might have been one of the few options for Atlanta to avoid so much hassle.
In any case, ransomware attacks are rapidly expanding, and one of the reasons the FBI discourages paying up is that it might encourage attackers to hit more vulnerable systems in the future. According to NPR, the FBI received 2,673 reports of such attacks in 2016, and over 3,000 last year.