SamSam, a ransomware that hackers use in targeted attacks, strikes again – this time shutting down the City of Atlanta. Hackers using SamSam usually scan the Internet for computers with open RDP connections. Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to even more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or boot them off their network.
SamSam has been busy in 2018 so far. Several medical organizations including MedStar, Hancock Health Hospital, Adams Memorial Hospital and Allscripts so far. Hackers seem to be focusing in on cities and municipalities now.
On February 22, SamSam hit the Colorado Department of Transportation computers and encrypted files. City officials shut down more than 2,000 computers while they investigated the attack.
The group behind SamSam has made over $850,000 since December 2017.
SamSam hits City of Atlanta
March 22, 2018 – The Mayor of Atlanta, Georgia has confirmed that several local government systems are currently down due to a ransomware infection and said the infection took root at around 5:40 AM, local time.
Mayor Keisha Lance Bottoms expects city departments to open tomorrow, but operate without IT support. Asked if the city plans to pay the ransom note, Mayor Bottoms said “We can’t speak to that right now. We will be looking for guidance from specifically our federal partners.”
Not all IT infrastructure were affected because the city was in the process of moving some systems to cloud services, and those were not affected.
How did this happen?
According to experts, the cause was likely a port that should not have been open. The SamSam malware looks for certain critical files. It encrypts them with AES 256-bit encryption and asks for a Bitcoin to be sent to a Bitcoin wallet. The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.
What next?
Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends:
- Turn off RDP. It should never be used on any public facing port and its use should be discouraged anywhere else on a network.
- Turn on two-factor authentication. Brute force credential attacks won’t work if two-factor authentication is in place.
- Perform regular audits of your external network for open remote access ports. You can use the Shodan browser for this.
- Have robust credentials. Weak credentials make a break-in easier and faster.
- Use whitelisting. That means keep a list of the sites on the internet where users are allowed to go, and a list of what sites can have access to your network.
We would like to add a few more suggestions:
- Check for Vulnerabilities
- Patch, Patch, Patch
- Train Your HUMAN firewall!
As of today, some of the City of Atlanta’s computer systems are still shut down. The hackers are demanding $51,000 to unlock the system. City officials are still trying to determine the full extent of the attack. We haven’t heard much from the City of Atlanta, which makes it even more concerning.