City of Atlanta Falls Victim to Ransomware: How Financial Institutions Can Guard Against “SamSam” Ransomware Attacks

Ransomware attacks not just targeting financial institutions and Fortune 500 businesses anymore. The city of Atlanta now finds itself dealing with a ransomware attack as it announced a ransomware attack last week. On Thursday, March 22 the city received a written ransom demand in bitcoin for $51,000 to unlock the city’s entire system. At the date of this posting, certain systems are still inaccessible (including customer-facing applications like bill pay systems and court-related applications). Fortunately, the attack did not affect police and fire emergency response systems or water supply safety.

Due to the nature of the attack, experts believe it to be a “SamSam” variant of ransomware, initiated by a group that began targeting small and large businesses, healthcare organizations, governments and educational institutions in late 2015. The ransom prices set by this group tend to fluctuate, but they remain generally “affordable,” which is why many victims have simply chosen to pay the ransom. To date, the group has made nearly $850,000 USD through ransomware payments.

To execute an attack, the hacker group installs the SamSam ransomware on the endpoints of networks compromised, often via unsecured connections. The hackers first look for unsecured remote desktop (RD) servers, launch attacks that compromise the server, and then use various tools to escalate access inside the organization’s network. Once they have gained access to as many endpoints as possible, the group installs the ransomware and starts the extortion process, and hope the victims do not have offline backups.

To resolve the security issue and determine what information has been compromised, the city of Atlanta launched an official investigation with the FBI, U.S. Department of Homeland Security, Cisco cybersecurity officials and Microsoft®.

What to Do if You’ve Been Targeted

In addition to contacting government authorities, organizations that find themselves threatened by SamSam ransomware should:

1. Unplug or disconnect all devices that you know are compromised from the network;
2. Determine if additional or unknown devices are infected. One way to accomplish this is to verify that machines are up to date on their patches;
3. Depending on how serious the attack, disconnect the entire network from the Internet all together;
4. Do not pay the ransom. Doing so helps the fraudulent industry grow. If the attackers do not receive payments, the industry will burn out. In addition, there is no guarantee the attacker will release the data or provide a decryption key and once an organization has paid, they become targets time and time again; and
5. Verify previous backups for recovery.

How to Prevent an Attack

Successful ransomware attacks primarily reveal the lack of adequate endpoint protection, which can be defended against. Some common methods to prevent attacks include:

1. Deploy and enable an endpoint protection system;
2. Utilize vulnerability and patch management systems to patch internet-facing applications;
3. Remove administrator rights from end-users;
4. Use application control whenever possible to implement a default-deny execution policy;
5. Implement an enterprise endpoint backup plan, and ensure monitoring of backups and testing of restore capabilities regularly;
6. Upgrade secure email and secure web gateways or firewalls to filter suspicious email, executable objects and URL/IP addresses;
7. Install an anti-ransomware solution on your network to stop ransomware; and
8. Build regular testing of incident response scenarios into the ransomware response plan.

To adequately protect against ransomware, financial institutions should employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the Internet to establish a secure IT environment. By employing multiple controls, security layers ensure that gaps or weaknesses in one control, or layer of controls, are compensated for by others. Adding preventive, detective and responsive layers to IT security strategy will help strengthen an institution’s approach and build an effective security foundation. Proactively protecting data will always be more cost effective than falling victim to malicious activity.

For more information, download our complimentary white paper, “Ransomware and the Evolving Security Landscape of Today’s Financial Institution.”