SamSam, a ransomware that hackers use in targeted attacks, strikes again – this time shutting down the City of Atlanta. Hackers using SamSam usually scan the Internet for computers with open RDP connections. Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to even more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or boot them off their network.
SamSam has been busy in 2018 so far. It has hit several medical organizations, including MedStar, Hancock Health Hospital, Adams Memorial Hospital and Allscripts. Hackers now seem to be focusing on cities and municipalities.
On February 22, SamSam hit the Colorado Department of Transportation computers and encrypted files. City officials shut down more than 2,000 computers while they investigated the attack.
The group behind SamSam has made over $850,000 since December 2017.
March 22, 2018 – The Mayor of Atlanta, Georgia has confirmed that several local government systems are currently down due to a ransomware infection and said the infection took root at around 5:40 AM, local time.
Mayor Keisha Lance Bottoms expects city departments to open tomorrow, but to operate without IT support. Asked if the city plans to pay the ransom, Mayor Bottoms said “We can’t speak to that right now. We will be looking for guidance from specifically our federal partners.”
Not all IT infrastructure was affected: the city was in the process of moving some systems to cloud services, and those systems were spared.
According to experts, the likely cause was a port that should not have been open. The SamSam malware looks for certain critical files, encrypts them with AES 256-bit encryption, and asks for a Bitcoin to be sent to a Bitcoin wallet. The city has RDP exposed to the public Internet, along with VPN gateways, FTP servers, and IIS installations. Most of these hosts have SMBv1 enabled, which makes spreading the ransomware across the network easier.
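The two host-level conditions the paragraph above names, SMBv1 left enabled and RDP reachable without Network Level Authentication, are what a defender would check first on each Windows server. The following audit script is an added example, not code from the original post or from any tool it mentions; the `-Remediate` switch is the script's own parameter, and it assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the original post): audit a Windows host for SMBv1
# and for RDP without Network Level Authentication, optionally remediating.
# Run elevated. -Remediate is this script's own switch, not a built-in one.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# SMBv1 as seen by the SMB server service, and as an installed Windows feature.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 protocol is enabled on the SMB server'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# RDP: is it accepting connections, and does it require NLA before the logon screen?
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$rdpEnabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
if ($rdpEnabled -and -not $nlaRequired) {
    $findings += 'RDP is enabled without Network Level Authentication'
    if ($Remediate) { Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 }
}

if ($findings.Count -eq 0) {
    'No findings: SMBv1 is off and RDP is disabled or NLA-protected'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Whether RDP is actually exposed to the Internet is a perimeter question this host-local check cannot answer, so pair it with an inventory of what your edge firewall publishes.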
Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends:
We would like to add a few more suggestions: