In the past few days the City of Atlanta has been hit with a ransomware attack. Several major computer systems that provide city services have been encrypted by an attacker. The attacker is demanding $51,000 worth of bitcoin to decrypt the systems, and the city has not yet ruled out paying the ransom. The attack occurred five days ago, and as of this writing, the systems remain inaccessible.
Yesterday, Mayor Keisha Lance Bottoms held a press conference to discuss the incident. So far the mayor and her team appear to be mounting a coordinated, multipronged response.
What struck me about the conference is that it was the kind of conference a city holds when dealing with a physical disaster. The mayor actually described it as a “hostage situation” towards the end of the conference. This is the tangible impact of a cyber attack on a local government.
The City of Atlanta is working with the Secret Service, the FBI, the Department of Homeland Security, and academic and private institutions including Georgia Tech and SecureWorks. They report that the investigation and containment phases of the incident response are complete and that they have moved on to restoration, where they work to bring critical systems back online; at this time, however, the affected systems are still encrypted.
Many of Atlanta’s systems have now been down for five days, though critical systems such as police, fire, rescue, 911, water services and airports are operational and continue without interruption. The departments affected include:
- Department of City Planning and Office of Buildings: Processing times are longer than normal.
- Office of Zoning and Development: Processing times are longer than normal.
- Office of Housing and Community Development: Office is unavailable to process disbursement requests.
- Municipal Court: The Department of Corrections has switched to a manual ticketing system for defendants who have been arrested and taken into custody. No “failure to appear” for court will be generated at this time and all cases will be reset.
- Department of Watershed Management: Online bill payments and in-person bill payments are down.
Mayor Bottoms has described this as: “Bigger than a ransomware attack. This is an attack on our government, which makes it an attack on all of us.” She goes on to say that “what has been attacked is digital infrastructure. As elected officials, we tend to focus on things people see. But we have to make sure that we focus on the things that people can’t see and digital infrastructure is very important.”
The city does not currently have a time estimate for when they will get all of their systems back up and running. They are working around the clock, and they are actually concerned that some of the team that has responded to this incident may burn themselves out, so they are managing that aspect of the task, too.
They have confirmed that it was a remote attack that compromised their systems. The city was reportedly hit by the SamSam ransomware, a variant that has earned its operators $850,000 since December 2017. Unlike most ransomware, SamSam is not spread by mass email: its operators break into an internet-facing service, move laterally through the network, and then deploy the encryptor by hand. That makes exposed services the thing to watch. According to CSO Online, the city had many services exposed to the public that could have provided a point of entry, including “VPN gateways, FTP servers, and IIS installations.” Many of those hosts also had SMBv1 enabled, the legacy file-sharing protocol version whose MS17-010 (EternalBlue) vulnerability was used by WannaCry and NotPetya in 2017.
One thing I found interesting about the mayor’s comments was an analogy she used. She described an old truck she once owned: she didn’t think she needed to replace it until she was in a wreck, and then she had no choice. The analogy makes clear that the city should have improved its security posture before this incident occurred. Now that it has, the city is forced to resolve the issue and secure its systems going forward, at far greater cost and inconvenience than doing so in advance would have involved.
I think this is a valuable lesson, and something that WordPress site owners should take to heart. It is important to be proactive when it comes to securing your systems and educating yourself about cybersecurity. Don’t wait until you get hacked before you take action. If you have a WordPress website, install a malware scanner and firewall like Wordfence and use our blog, learning center and Wordfence documentation to empower yourself and secure your website. We have also written about ransomware as an emerging threat to WordPress in the past.
Most ransomware targets desktop systems (SamSam, which goes after servers, is the notable exception). To protect your home or office systems from a ransomware attack, take the following steps:
- Keep regular backups, and keep them offline. A backup that is mounted as a drive or network share on the workstation will be encrypted right along with everything else, so the backup store must not be writable from the machine being backed up. Use a backup server that pulls from the workstation, external drives that are disconnected after each run, or a cloud service that keeps file versions, and test a restore before you need it.
- Install the latest security patches for Windows, macOS, Android, iOS and any other operating system you use. Along with backups, this is the most effective thing you can do to protect yourself.
- Install application updates, especially browser updates. An old, vulnerable browser means that simply visiting a compromised website can infect you.
- Install a desktop antivirus solution and keep its signatures current, or enable Windows Defender, which is built into Windows and free.
- Do not open attachments or downloaded files from untrusted sources. Avoid file attachments entirely where you can and share documents through cloud services such as Google Docs instead.
- Do not click links in emails from people you do not trust.
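The first four steps above can be checked on a Windows workstation rather than taken on faith. The following PowerShell script is an added example for this page, not code from the Wordfence post, the City of Atlanta, or Microsoft. It audits whether SMBv1 is still enabled (the protocol version noted above on Atlanta’s exposed hosts), whether Windows Defender is on with recent signatures, and how long ago the last hotfix landed, and can optionally fix the first two. It uses only cmdlets that ship with Windows 10 / Server 2016 and later; the `-Remediate` switch and the 3-day and 45-day thresholds are choices made for this example, not Windows defaults. Run it from an elevated prompt.

```powershell
# Added example: audit (and optionally remediate) the ransomware-hygiene items
# discussed above on a Windows workstation. Not code from the original post.
# The -Remediate switch and the age thresholds are assumptions of this script.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [int]$MaxSignatureAgeDays = 3,
    [int]$MaxPatchAgeDays = 45
)

$findings = @()

# 1. SMBv1: the legacy dialect exploited by MS17-010 (EternalBlue). Nothing on a
#    modern network needs it, so it should be off at the server side.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # On Windows 10 the optional component is named SMB1Protocol; removing it
        # prevents the setting from being flipped back on. (Windows Server uses the
        # FS-SMB1 feature and Remove-WindowsFeature instead.)
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 2. Windows Defender: enabled, real-time protection on, signatures recent.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus is not enabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    $findings += ('Defender signatures are {0:N0} days old' -f $sigAge.TotalDays)
    if ($Remediate) { Update-MpSignature }
}

# 3. Patching: the date of the most recent hotfix is a cheap proxy for whether
#    Windows Update is actually landing updates on this machine.
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastFix) {
    $patchAge = (Get-Date) - $lastFix.InstalledOn
    if ($patchAge.TotalDays -gt $MaxPatchAgeDays) {
        $findings += ('Last hotfix {0} was installed {1:N0} days ago' -f $lastFix.HotFixID, $patchAge.TotalDays)
    }
} else {
    $findings += 'No hotfix install dates found; check Windows Update manually'
}

# Report. Warnings go to the warning stream so they stand out in a scheduled run.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: SMBv1 off, Defender current, patches recent.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it without arguments to get a report only; add `-Remediate` to turn SMBv1 off and pull fresh Defender signatures. The script deliberately does not touch Windows Update itself, since forcing an update from a script on a user’s workstation is better left to whatever patch-management process the office already has; the point of the check is to notice when that process has silently stopped working.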
For the full post and further information, see Wordfence PSA: Lessons From The Atlanta Ransomware Situation.