City of Atlanta
April 5, 2018
Mark Johnson and Erich Kron

Vulnerabilities in local government cyber security invite ransomware attacks

If the ransomware threat wasn’t already keeping you up at night, surely the attack on Atlanta has left you questioning the strength of your cyber defenses and disaster recovery. Now, it should be abundantly clear to all who work in local government that you are under attack.

And, it’s up to you to ensure critical government services remain operational.

As reports continue to surface about downed 911 dispatch systems, and IT admins ponder the devastating impact of encrypted criminal case files and investigative databases, the threat becomes abundantly clear.

Ransomware attacks on city and county government threaten public safety.

The rise of SamSam attacks on city and county government

SamSam ransomware attacks pose a clear and present danger to local government.

How so?

It’s important to first understand that these aren’t meddlesome millennials wreaking havoc from the safety of their parents’ basements.

Rather, an organized crime syndicate directs SamSam attacks: a group of cyber-extortionists who:

  • Invest the time and resources necessary to identify targets most likely to pay up
  • Access and study target infrastructure
  • Deploy SamSam in a manner that will exact maximum damage

What’s more, they’re not demanding millions of dollars.

SamSam attackers understand what it will cost for cities and counties to recover from a ransomware attack. They then set their ransom demands far lower, making the cost-benefit analysis tilt in their favor.

Consider the potential hard and soft costs the City of Atlanta will incur as a result of the SamSam attack—from employee productivity losses and liability exposure to weakening public trust and system recovery. In comparison, it’s easy to see how some in government would willingly fork over the $51,000 ransom demanded by the attackers.

Of course, these targeted attacks on local government are happening for a reason.

Cybercriminals know local governments are vulnerable, and they’re exploiting those vulnerabilities.

As an IT professional in city or county government, you know:

  • You rarely have the budgets necessary to fully secure your systems, applications, and data, as we might otherwise expect from business
  • Your IT team is often stretched thin, increasing the risk of unknown vulnerabilities
  • Your government leadership is more likely to pay the ransom to mitigate disruption to resident services—especially those that impact public safety

Recent ransomware attacks on local government underscore the threat

The City of Atlanta is believed to be the victim of a SamSam attack. What can we learn from the fallout?

First, it’s important to be cognizant of the fact that SamSam operators traditionally gain access to government infrastructure through exposed Remote Desktop Protocol (RDP) services, that is, via a remote access attack.

Second, a January 2018 cybersecurity audit identified a “significant level of preventable risk exposure to the city.” We know they were vulnerable. And, while Atlanta had begun addressing those security vulnerabilities, the city was unable to resolve those deficiencies in time.

What did that ultimately mean for the City?

The Atlanta SamSam attack:

  • Knocked out five of 13 City departments
  • Shut down portions of the City website, preventing residents from paying fines, speeding tickets, water bills, and more
  • Denied Atlanta police access to some of their investigative databases
  • Forced City employees to conduct business operations on paper
  • Destroyed 16 years’ worth of some employees’ data
  • Prompted the City of Atlanta to shut down its airport WiFi as a preventive measure

This was a hugely disruptive event and, nearly two weeks following the initial ransomware attack, Atlanta is still down.

This is a clear indicator that Atlanta didn’t have a good disaster recovery plan in place.

Of course, the City of Atlanta isn’t alone.

Hackers have increased their onslaught of ransomware and DDoS attacks on local governments, and crippled critical services:

Local governments face unique challenges in addressing ransomware

Like all IT professionals, you may encounter resistance to necessary data security and backup and recovery upgrades. However, some challenges that are unique to local government make your task of resolving data protection vulnerabilities more complex.

For starters, you often operate with more limited budgets and far fewer IT staff than similarly sized businesses. What’s more, strict budget cycles make it difficult—if not impossible—to respond to data security threats with greater agility.

Additionally, in government, it often takes a great deal of effort to overcome institutional inertia and “alter the direction of the boat.” While you might recognize the threats to your data and work actively to minimize your exposure, you may not have the support from government leadership necessary to protect against ransomware.

That said, widely-publicized ransomware stories, like the crippling impact of WannaCry on the NHS and the SamSam attack on the City of Atlanta, are starting to open eyes.

What steps should you take to prevent and remediate ransomware attacks?

First, it’s important to understand that you simply can’t prevent all ransomware attacks. Despite advances in data security, including the adoption of machine-learning technologies, you’ll never be able to fully prevent a targeted ransomware attack.

And, it’s this focus on ransomware prevention that’s leaving many local governments vulnerable. They’re simply not investing the time and resources necessary to mitigate the impacts of ransomware after an attack occurs.

That’s why it’s so critical that you effectively manage your risk.

We urge you to immediately adopt the following best practices:

  • Ensure Remote Desktop Protocol (RDP) isn’t exposed to the Internet, and require a VPN connection before anyone accesses remote machines
  • Segment your network so that, if you are infected, you can contain the spread of the ransomware infection
  • Recognize that your end users are your last line of defense; invest in phishing training and testing to ensure they’re more vigilant
  • Invest in a redundant backup and recovery solution—ideally maintaining copies onsite, offsite, and offline
  • Test and validate your disaster recovery to ensure you can satisfy SLAs
  • Implement a ransomware crisis plan to enable you to act swiftly in the event of an attack
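The first item above (no Internet-exposed RDP; VPN first) is easy to state and easy to get wrong in a firewall policy, so here is an added example audit script, not code from the original post or from KnowBe4, that flags any allow rule letting an untrusted source reach TCP/3389. The rule tuple format, the trusted VPN and admin subnets, and the sample rules are all constructed assumptions; it also catches the "allow any port from anywhere" rule that exposes RDP without naming it.

```python
"""Flag firewall rules that expose RDP (TCP/3389) to untrusted sources.

Added example with a constructed, vendor-neutral rule shape:
(name, action, protocol, source CIDR, destination port spec).
"""
import ipaddress

RDP_PORT = 3389

# Constructed assumption: only these networks may originate RDP sessions
# (the VPN address pool and an internal administration LAN).
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.200.0.0/16"),  # VPN pool
    ipaddress.ip_network("10.10.0.0/16"),   # admin LAN
]

# Constructed sample policy to audit.
SAMPLE_RULES = [
    ("allow-rdp-any",     "allow", "tcp", "0.0.0.0/0",      3389),   # open to the world
    ("allow-rdp-vpn",     "allow", "tcp", "10.200.0.0/16",  3389),   # VPN users only
    ("allow-rdp-isp",     "allow", "tcp", "203.0.113.0/24", 3389),   # a public /24
    ("allow-https",       "allow", "tcp", "0.0.0.0/0",      443),    # unrelated service
    ("allow-all-inbound", "allow", "any", "0.0.0.0/0",      "any"),  # exposes RDP implicitly
    ("deny-rdp-any",      "deny",  "tcp", "0.0.0.0/0",      3389),   # explicit deny is fine
]


def port_covers(spec, port):
    """True if a port spec (int, '3389', '3000-4000', or 'any') includes port."""
    if isinstance(spec, int):
        return spec == port
    spec = str(spec).lower()
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def source_is_trusted(cidr):
    """True only if the whole source range sits inside a trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def audit_rdp_exposure(rules):
    """Return names of allow rules that let an untrusted source reach RDP."""
    findings = []
    for name, action, proto, src, dport in rules:
        if action != "allow" or proto.lower() not in ("tcp", "any"):
            continue
        if port_covers(dport, RDP_PORT) and not source_is_trusted(src):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for rule in audit_rdp_exposure(SAMPLE_RULES):
        print("RDP exposed by rule:", rule)
```

Run it against an export of your own edge firewall rules (converted to the tuple shape) after every policy change; an empty result is the state the list above asks for.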


Keep fighting the good fight

Today, the scope and scale of ransomware attacks is growing exponentially. And, as governments respond to the threat, cyber attackers evolve their ransomware in an attempt to evade increasingly educated end users and more sophisticated data security solutions.

In short, it’s an arms race.

Of course, you know that already. Ransomware is a big challenge—if not your biggest challenge. And, for what it’s worth, we recognize the extra hours you’re investing to stay ahead of cyber threats and keep critical data safe.

For that, we thank you.

And, we’re with you.

This blog post was created in collaboration with our Ransomware Watch consortium partner, KnowBe4.