Incident Of The Week: Ransomware Cripples Atlanta City Government



Dan Gunderman
03/30/2018

In the fast-moving world of cyber security, breaches are both tightly guarded and, sadly, all but inevitable.

Combing through data, market research and the threat-defense efforts enterprises have taken can be a daunting task. Here at Cyber Security Hub, we track the latest industry news and make it more navigable for the IT professional, helping enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a ransomware attack crippling the IT infrastructure of Atlanta, Ga., one of the largest cities in the Southeast.

The Specifics

Officials said that Atlanta Information Management (AIM) discovered the attack on Thursday, March 22 at 5:40 a.m. Under siege: internal and customer-facing applications used to pay bills or access court information, according to Ars Technica.

While the details are still being determined, officials have said the attack was carried out with SamSam, a ransomware strain that first appeared on practitioners' radar in 2015. The attackers demanded roughly $51,000 in bitcoin in exchange for the keys to decrypt the affected systems.

See Related: Incident Of The Week: Orbitz Data Breach Exposes 880K Accounts

As of reporting from the morning of March 30, officials did not indicate whether they paid the $51,000 ransom. However, officials did announce that the systems were beginning to come back online.

City officers were again able to file digital reports, and databases thought to be corrupted were accessible again, according to NPR. What’s more, the city’s 311 system (which handles trash pick-up and pothole reports) was reportedly functional.

Nonetheless, some databases remain offline, and the water department is not taking payments. The municipal court has “pushed off its caseload, indefinitely,” NPR notes.

Firsthand Account

Speaking with the New Yorker, Atlanta city councilmember Howard Shook said that upon arriving at work last Thursday, he was told to power everything off. The three computers in his office had been hit by the ransomware. He said 16 years of emails, contacts and files had been lost. He was later provided a city council-issued laptop, and stronger email filters were applied across the board.

In describing the incident to the outlet, Shook said Atlanta had been “assaulted” by a “cyber-criminal on a massive scale.”

The New York Times went as far as to call the attack on Atlanta one of the most consequential ever leveled at a U.S. city.

As part of the fallout, Wi-Fi at the city’s airport was interrupted, courts could not validate warrants and the parking system was also affected. What’s more, some of the city’s digital files may be gone for good.

See Related: Incident Of The Week: Server Configuration Error Exposes 33K Healthcare Records

The city’s recently elected mayor, Keisha Lance Bottoms, reportedly called the incident a “hostage situation.” She previously told reporters that everything was on the table with regard to remedial steps.

Shook said the pattern of the attack is strange: the District Eight council office beside his still has two functional computers. It is a spotty situation “on down the hall,” he said.

Shook told the outlet he does not see much upside in paying the ransom, since “the damage is done.” He said that regardless, the contents of his computer “have to be euthanized.”

Federal officials are investigating the incident.

The city administration held a closed-door session this week to discuss the attack, and reportedly plans to take stricter measures to avoid future cyber-attacks.

Photo: vaalaa / Shutterstock.com

Ransomware Surge

If you thought the ransomware blitz ended there, you’re mistaken. Two other high-profile attacks emerged this week.

Boeing, the multinational corporation that designs aircraft, rockets and more, issued a statement saying that its cyber security operations center “detected a limited intrusion of malware that affected a small number of systems.” According to Ars Technica, Boeing Commercial Airplanes Vice President of Communication Linda Mills said remedial steps had been taken and that it was not a “production and delivery issue.” Software patches were applied, and the statement indicates there was no interruption to the 777 jet program or any other.

Ransomware actors appear to be doubling down, too: Baltimore’s 911 system was also hit. The city’s computer-aided dispatch (CAD) system was taken offline last weekend. Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson told Ars Technica that the IT team was able to isolate the infection to the CAD system. Systems connected to it were disabled to prevent propagation, then vetted and restored.

Johnson said the Baltimore City Information Technology office traced the ransomware to a firewall-related vulnerability that was briefly exposed by a technician troubleshooting a CAD communication issue. Officials believe an automated scan found the exposed system during a window of roughly four hours. The practical lesson is that a few hours of internet exposure is ample time for automated scanners to locate an open port, so temporary firewall changes need the same review as permanent ones. An investigation is ongoing.
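The Baltimore case above is the classic "rule opened for troubleshooting, scanner found it first" failure. The following is an added example, not code from the article or from any city's tooling, showing how a detection script could correlate firewall rule changes with inbound connections so that a briefly exposed port hit by many distinct external sources is flagged. It assumes a constructed, simplified log format (one whitespace-separated record per line: timestamp, action, source IP, destination port, with RULE-OPEN/RULE-CLOSE records marking the rule change) and a constructed set of internal address ranges; real firewall exports differ and the parser would need adapting.

```python
"""Flag automated scanning against a port that a firewall change briefly exposed.

Added example, not the article's or any city's code. Log format and sample
lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumption: these ranges are "inside"; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample: a rule opens 3389 at 01:00 and closes it at 05:00.
# Within that window, several distinct external addresses connect.
SAMPLE_LOG = """\
2018-03-25T00:50:00 ACCEPT 10.0.1.5 443
2018-03-25T01:00:00 RULE-OPEN any 3389
2018-03-25T01:12:00 ACCEPT 198.51.100.7 3389
2018-03-25T01:40:00 ACCEPT 203.0.113.44 3389
2018-03-25T02:05:00 ACCEPT 10.0.1.5 3389
2018-03-25T02:31:00 ACCEPT 203.0.113.9 3389
2018-03-25T03:58:00 ACCEPT 198.51.100.23 3389
2018-03-25T04:10:00 ACCEPT 198.51.100.23 443
2018-03-25T05:00:00 RULE-CLOSE any 3389
2018-03-25T05:30:00 DROP 203.0.113.9 3389
"""


@dataclass
class Event:
    ts: datetime
    action: str   # ACCEPT, DROP, RULE-OPEN or RULE-CLOSE
    src: str
    port: int


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, action, src, port = line.split()
        events.append(Event(datetime.fromisoformat(ts), action.upper(), src, int(port)))
    return sorted(events, key=lambda e: e.ts)


def exposure_windows(events: List[Event]) -> List[Tuple[int, datetime, Optional[datetime]]]:
    """Pair RULE-OPEN / RULE-CLOSE records per port into (port, opened, closed)."""
    open_at = {}
    windows = []
    for e in events:
        if e.action == "RULE-OPEN":
            open_at[e.port] = e.ts
        elif e.action == "RULE-CLOSE" and e.port in open_at:
            windows.append((e.port, open_at.pop(e.port), e.ts))
    for port, opened in open_at.items():      # rule still open at end of log
        windows.append((port, opened, None))
    return windows


def is_external(src: str) -> bool:
    """True when the source is a valid IP outside the assumed internal ranges."""
    try:
        addr = ip_address(src)
    except ValueError:                        # e.g. the literal "any"
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect_scans(events: List[Event], min_sources: int = 3) -> List[dict]:
    """Report each exposure window hit by at least min_sources distinct external IPs."""
    findings = []
    for port, opened, closed in exposure_windows(events):
        hits = [e for e in events
                if e.action == "ACCEPT" and e.port == port and is_external(e.src)
                and e.ts >= opened and (closed is None or e.ts <= closed)]
        sources = sorted({e.src for e in hits})
        if hits and len(sources) >= min_sources:
            findings.append({
                "port": port,
                "opened": opened,
                "closed": closed,
                "external_sources": sources,
                "minutes_to_first_hit": (hits[0].ts - opened).total_seconds() / 60,
                "exposure_hours": None if closed is None
                                  else (closed - opened).total_seconds() / 3600,
            })
    return findings


if __name__ == "__main__":
    for f in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"port {f['port']}: {len(f['external_sources'])} external sources, "
              f"first hit after {f['minutes_to_first_hit']:.0f} min, "
              f"exposed {f['exposure_hours']} h")
```

Internal traffic to the port and connections after the rule is closed are deliberately excluded, so the count reflects only what the outside world reached while the rule was live; in the sample the first external hit lands twelve minutes after the rule opens, which is the order of magnitude a practitioner should expect for any internet-facing port.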

Be Sure To Check Out: Incident Of The Week: Historic DDoS Attacks Strike GitHub, Service Provider