Atlanta government ransomware attack

Date: March 22, 2018 [1]
Location: Atlanta, Georgia, United States
Type: Cyberattack
Theme: Ransomware encrypting files, with a $51,000 demand (payable in Bitcoin)
Cause: SamSam Ransomware
Outcome:
  • Multiple municipal services down, including databases and wi-fi
  • Years' worth of data destroyed
  • City spends $2.7 million on recovering services

The city of Atlanta, Georgia was the subject of a ransomware attack which began in March 2018. [2] The city recognized the attack on Thursday, March 22, 2018, [1] [3] and publicly acknowledged it was a ransomware attack.

Due to Atlanta's national importance as a transportation and economic hub, the attack received wide attention [4] and was notable for both the extent and duration of the service outages caused. Many city services and programs were affected by the attack, including utility, parking, and court services. [5] City officials were forced to complete paper forms by hand. [6]

On November 26, 2018, a federal grand jury indicted two Iranian nationals, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for the attack. The Department of Justice alleged that the pair created SamSam Ransomware, the malware used in the attack, and operated the SamSam group from Iran. The indictment did not allege any affiliation with the government of Iran. [7]

Approach and attack

Leading up to the attack, the Atlanta government had been criticized for underinvesting in its IT infrastructure, leaving multiple vulnerabilities open to attack. A January 2018 audit found 1,500 to 2,000 vulnerabilities in the city's systems and suggested that the backlog had grown so large that workers had become complacent. [8] The malware used against the city was SamSam Ransomware, which differs from most ransomware in that it does not rely on phishing: its operators gained initial access by brute-forcing weak passwords on internet-exposed remote-access services (commonly RDP) until a guess succeeded, then deployed the ransomware across the victim's network by hand. It is known to target weaker IT infrastructures and servers. [9] Since its discovery in 2016, the ransomware has been prominently behind attacks on medical and government organizations, with previous targets ranging from small towns such as Farmington, New Mexico to the Colorado Department of Transportation and the Erie County Medical Center. It was also reported to evade antivirus software. [10] Although no suspects were identified or indicted until November 2018, the SamSam operators were described at the time as "opportunistic", that is, choosing victims by exposed weakness rather than by who they were. [11]
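The initial-access pattern described above, a burst of failed logons from one source against an exposed remote-access service followed by a success, is the kind of thing a city SOC could have alerted on from the Windows Security log alone. The following Python is an added example, not code from the article, the city, or any SamSam artifact. The event IDs are the real Windows ones (4625 failed logon, 4624 successful logon, logon type 10 for RDP/RemoteInteractive); the pipe-delimited line format, the threshold and window, and the sample events themselves are constructed for this example.

```python
"""Detect password-guessing bursts in constructed Windows logon events.

Added example, not code from the article or from the SamSam operators.
Event IDs follow the Windows Security log (4625 = failed logon,
4624 = successful logon; logon type 10 = RemoteInteractive, i.e. RDP).
The pipe-delimited line format, the thresholds and the events below are
assumptions constructed for this example.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp|event_id|logon_type|source_ip|username".
# 203.0.113.7 sprays several usernames over RDP and then lands a logon as
# "backup"; 198.51.100.4 is a legitimate user who mistyped a password once.
SAMPLE_EVENTS = """\
2018-03-21T02:00:01|4625|10|203.0.113.7|administrator
2018-03-21T02:00:03|4625|10|203.0.113.7|admin
2018-03-21T02:00:05|4625|10|203.0.113.7|administrator
2018-03-21T02:00:09|4625|10|203.0.113.7|backup
2018-03-21T02:00:12|4625|10|203.0.113.7|sql
2018-03-21T02:00:15|4625|10|203.0.113.7|scan
2018-03-21T02:00:20|4625|10|203.0.113.7|backup
2018-03-21T02:00:26|4625|10|203.0.113.7|backup
2018-03-21T02:00:30|4625|3|203.0.113.7|backup
2018-03-21T02:01:40|4624|10|203.0.113.7|backup
2018-03-21T08:15:00|4625|10|198.51.100.4|jsmith
2018-03-21T08:20:00|4624|10|198.51.100.4|jsmith
"""


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, src_ip, user = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src_ip": src_ip,
            "user": user,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(minutes=5),
                             logon_types=frozenset({10})):
    """Return {source_ip: finding} for sources with >= threshold failed logons
    inside a sliding window, restricted to the given logon types.

    A finding also records the first successful logon from that source that
    arrives within `window` of its last failure: the signature of a guessed
    password rather than a mere scan.
    """
    recent = {}       # src_ip -> deque of failure timestamps inside the window
    tried = {}        # src_ip -> set of usernames that failed
    total_fails = {}  # src_ip -> all failures seen from that source
    findings = {}
    for e in events:
        if e["logon_type"] not in logon_types:
            continue
        src = e["src_ip"]
        if e["event_id"] == 4625:
            q = recent.setdefault(src, deque())
            q.append(e["ts"])
            tried.setdefault(src, set()).add(e["user"])
            total_fails[src] = total_fails.get(src, 0) + 1
            while e["ts"] - q[0] > window:   # expire failures outside the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, {
                    "first_failure": q[0], "success_after_burst": None})
                f["last_failure"] = e["ts"]
                f["failures"] = total_fails[src]
                f["distinct_users"] = len(tried[src])
        elif e["event_id"] == 4624 and src in findings:
            f = findings[src]
            if (f["success_after_burst"] is None
                    and e["ts"] - f["last_failure"] <= window):
                f["success_after_burst"] = (e["user"], e["ts"])
    return findings


def format_findings(findings):
    """Render findings as one alert line per source."""
    lines = []
    for src, f in sorted(findings.items()):
        line = (f"{src}: {f['failures']} failed logons, "
                f"{f['distinct_users']} usernames, "
                f"{f['first_failure'].isoformat()} .. {f['last_failure'].isoformat()}")
        if f["success_after_burst"]:
            user, ts = f["success_after_burst"]
            line += f"; SUCCESSFUL LOGON as {user} at {ts.isoformat()}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in format_findings(detect_password_guessing(parse_events(SAMPLE_EVENTS))):
        print(line)
```

Restricting to logon type 10 keeps the rule focused on the exposed-RDP case the paragraph describes; widening `logon_types` to include type 3 (network logons) catches the same guessing against SMB shares at the cost of more noise from service accounts. The success-after-burst field is the part worth paging someone for: a burst alone may be a scanner, a burst followed by a logon is an intruder with a working credential.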

On March 22, at 5:40 AM, the Department of Atlanta Information Management first learned of outages on various internal and customer applications “including some applications customers use to pay bills or access court related information,” according to Richard Cox, the city's interim Chief of Operations. Soon afterward, the city shut down many of its digital services in an attempt to control the situation, including its court system database and the wi-fi at Hartsfield–Jackson Atlanta International Airport. The city eventually identified it as a ransomware attack. [3] [1]

Aftermath and recovery efforts

The attack was notable as the largest successful ransomware compromise of a major American city to that date, potentially affecting up to 6 million people. [9] [12] Following the attack, the city of Atlanta cooperated with the FBI, the Department of Homeland Security, and the Secret Service, and hired security firms such as SecureWorks to investigate; employees were told to keep many government computers powered off and were not cleared to turn them back on until five days later. [6]

Though the city initially stated that there was little or no evidence that personal data had been compromised, later assessments showed the damage was worse than first estimated. In June 2018, roughly a third of the software programs used by the city were still offline or partially disabled. [13] In addition, many legal documents and years of police dashcam video were permanently lost, although the police department was able to restore access to all of its investigation files. [14] For a time, residents had to pay bills and submit forms on paper. [6]

In response to the attack, Atlanta initially committed $2.7 million to contractors for recovery, but later estimated that the recovery would cost $9.5 million. [13]

On November 26, 2018, the Department of Justice indicted two Iranian hackers for the attack, charging that Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were part of the SamSam group and created SamSam Ransomware. [7]

Related Research Articles

Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, the loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation. Acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet by means of tools such as computer viruses, computer worms, phishing, malicious software, hardware methods, and programming scripts can all be forms of internet terrorism. Cyberterrorism is a controversial term. Some authors opt for a very narrow definition, relating to deployment by known terrorist organizations of disruption attacks against information systems for the primary purpose of creating alarm, panic, or physical disruption. Other authors prefer a broader definition, which includes cybercrime. Participating in a cyberattack affects the terror threat perception, even if it isn't done with a violent approach. By some definitions, it might be difficult to distinguish which instances of online activities are cyberterrorism or cybercrime.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Timeline of Internet conflicts

The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

In computer security, a wiper is a class of malware intended to erase the hard drive or other static memory of the computer it infects, maliciously deleting data and programs.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack (DDoS).

Cyberwarfare is a part of Iran's "soft war" military strategy. Being both a victim and wager of cyberwarfare, Iran is considered an emerging military power in the field.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, it has since been designated an advanced persistent threat because of its intent, the threat it poses, and the wide array of methods it uses when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

WannaCry ransomware attack: 2017 worldwide ransomware cyberattack

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It targets a vulnerability in the SMBv1 implementation of Microsoft Windows that, at the time, allowed an attacker to run code on any reachable unpatched Windows machine on a network. The NSA had known about this vulnerability for several years but had not disclosed it to Microsoft, since it intended to keep using the exploit itself. In 2017, the NSA discovered that the software had been stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed and released security updates in March 2017 patching the vulnerability. Meanwhile, the hacker group attempted to auction off the software but did not find a buyer. EternalBlue was then publicly released on April 14, 2017.

Petya (malware family): family of encrypting ransomware discovered in 2016

Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.

2017 Ukraine ransomware attacks: series of powerful cyberattacks using the Petya malware

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.

During the Baltimore ransomware attack of May 2019, the American city of Baltimore, Maryland had its servers largely compromised by a variant of ransomware called RobbinHood. Baltimore became the second U.S. city to fall victim to this new variant of ransomware after Greenville, North Carolina and was the second major US city with a population of over 500,000 people to be hacked by ransomware in two years, after Atlanta was attacked the previous year.

REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.

Sandworm (hacker group): Russian hacker group

Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows systems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in Bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.

On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline. The Colonial Pipeline Company halted all pipeline operations to contain the attack. Overseen by the FBI, the company paid the amount that was asked by the hacker group within several hours; upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state.

References

  1. "Atlanta, GA : Ransomware Cyberattack Information". www.atlantaga.gov. Archived from the original on July 18, 2018. Retrieved March 28, 2018.
  2. Brumback, Kate (March 23, 2018). "Atlanta city computer network remains hobbled by cyberattack". AP News. Retrieved August 8, 2023.
  3. Deere, Stephen (March 23, 2018). "Atlanta officials warn cyber attack may compromise sensitive data". The Atlanta Journal-Constitution. ISSN 1539-7459. Retrieved August 8, 2023.
  4. Blinder, Alan; Perlroth, Nicole (March 27, 2018). "A Cyberattack Hobbles Atlanta, and Security Experts Shudder". The New York Times. Archived from the original on January 11, 2022.
  5. Kearney, Laila (March 23, 2018). Maler, Sandra (ed.). "Atlanta ransomware attack throws city services into disarray". Reuters.
  6. Hutcherson, Kimberly (March 27, 2018). "Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand". CNN.
  7. Perlroth, Nicole; Benner, Katie (November 28, 2018). "Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta". The New York Times. Archived from the original on January 14, 2022. Retrieved November 30, 2018.
  8. "ISO/IEC 27001 ISMS Precertification Audit". City Auditor's Office. January 2018.
  9. Freed, Benjamin (April 24, 2018). "Atlanta was not prepared to respond to a ransomware attack". StateScoop. Retrieved July 18, 2018.
  10. Crowe, Jonathan (March 2018). "City of Atlanta Hit with SamSam Ransomware: 5 Key Things to Know". Barkly vs Malware. Barkly Protects, Inc. Archived from the original on July 18, 2018. Retrieved July 18, 2018.
  11. "SamSam ransomware attacks have earned nearly $850,000". CSO Online. IDG. March 23, 2018. Retrieved July 18, 2018.
  12. Poon, Linda (March 30, 2018). "Why Are Cities So Vulnerable to Cyber Attack?". Citylab.com. Retrieved July 18, 2018.
  13. Kearney, Laila (June 6, 2018). Adler, Leslie (ed.). "Atlanta officials reveal worsening effects of cyber attack". Reuters. Retrieved July 18, 2018.
  14. Vaas, Lisa (June 8, 2018). "Atlanta ransomware attack destroyed years of police dashcam video". Naked Security. Sophos.