It’s that time when we look back on the past year. In 2018, Atlanta was the victim of a cyber attack. It fought back rather than pay the ransom, and spent millions doing so. The FBI has identified the attackers, but they are beyond the reach of U.S. courts. What lessons do we take from it?
A quick recap: In March the City of Atlanta noticed that many of its IT systems were malfunctioning. On March 22, it confirmed that the city was the victim of a ransomware attack. I wrote about it in early April. The criminals demanded roughly $51,000 worth of Bitcoin to decrypt the affected systems.
Ironically, the address of the payment portal to which the ransom was to be sent was inadvertently made public, and the portal was soon flooded with traffic from the public at large. The attackers responded by taking it down, which left city officials no way to pay even if they had wanted to; they were effectively forced to fight the attack. (Of course, the City Administration has said it was always going to fight and not pay – yeah right!)
An army of consultants descended on the city and things slowly got better, although some records were permanently lost. As Wikipedia reports: “Though the city declared that there was little to no evidence that personal data had been compromised, later studies show that the breach was worse than originally estimated. In June 2018, it was estimated that a third of the software programs used by the city remained offline or partially disabled. In addition, many legal documents and police dashcam video files were permanently deleted, though the police department was able to restore access to all its investigation files. For a while, residents were forced to pay their bills and fill out forms on paper.”
The defense proved costly. At first the city stated that it had spent about $2.7 million on emergency contracts to correct the problem. By August, news reports were documenting total expenditures of around $17 million – ouch! And what about the perpetrators? In late November a federal grand jury indicted two Iranian men for the computer intrusion and extortion campaign that hit the City of Atlanta and other metro-Atlanta government departments.
The indictment charged 34-year-old Faramarz Shahi Savandi and 27-year-old Mohammad Mehdi Shah Mansouri, both operating from inside Iran, with creating the malware known as “SamSam Ransomware,” which worked by “forcibly encrypting data on the computers of victims.” The two men would break into victims’ computers by exploiting security vulnerabilities, install the ransomware and then demand payment in exchange for decrypting the data.
FBI investigators say that Atlanta was just one of the cities targeted by the two men. In all, officials estimate more than 200 victims, including Newark, New Jersey, the Port of San Diego and several medical centers. The pair reportedly collected about $6 million in ransom payments overall.
What have we learned? Was it worth it? Should the city just have paid the ransom? Paying seldom produces a good outcome. A recent SentinelOne survey found that almost half of victims (45%) paid the attackers, but only 26% of those who paid got their files unlocked. Worse, 73% of those who paid were hacked and locked out again. Paying does not fix the weakness that let the attackers in, and it marks you as a victim who pays – not good.
Will the perpetrators ever see justice? Realistically, probably not. Relations between the United States and Iran are not the warmest, and Savandi and Mansouri are believed to still be in Iran. They are unlikely to face a U.S. court unless they travel to a country that will extradite them. Anybody willing to give odds on that happening?
Is this the new normal? Yep! In fact it will probably get worse. A number of studies point to an increasing number of cyber criminals shifting their attention to ransomware. The targets will be bigger and more critical, and the ransom demands larger, because it is easy money. Ransomware works because it exploits lax security practices on both the user and the administrator side: unpatched systems, services left exposed to the Internet and people who click on the wrong link. Given that a large percentage of Internet users and organizations still do not follow basic practices, the conclusion follows.
What do you do? Things look pretty grim, but cleaning up your IT security hygiene removes most of the openings: apply patches promptly, train staff to recognize phishing, close or firewall off ports that do not need to be reachable from the Internet, and keep offline, regularly tested backups so that an encrypted server is an outage rather than the permanent loss of records Atlanta suffered. Get serious about cyber. If you are an enterprise or institution, consider the newer (and better) approach to security called Zero Trust. Here’s to a safe and secure New Year.
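As an added example (not part of the original post, and not code from the City of Atlanta or the investigators), here is a small Python script for the “close open ports” item above: it parses the output of `ss -tlnp` and flags remote-access and file-sharing services that are bound to every interface rather than to loopback or a single internal address. The port watchlist and the sample `ss` output are constructed for this example; they are assumptions, not data from the article.

```python
import re
import subprocess
import sys

# Ports whose exposure on every interface is a frequent ransomware entry point.
# This watchlist is an assumption for the example, not something the article lists.
WATCHLIST = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Local-address forms that ss prints for "listening on all interfaces".
ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample in the format of `ss -tlnp`; not real output from any host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=900,fd=5))
LISTEN  0       4096    *:3389               *:*                users:(("xrdp",pid=1200,fd=11))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1300,fd=40))
LISTEN  0       128     10.0.0.5:8080        0.0.0.0:*          users:(("java",pid=1400,fd=22))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Extracts the process name from ss's users:(("name",pid=...,fd=...)) column.
PROCESS_RE = re.compile(r'\("([^"]+)"')


def parse_ss_line(line):
    """Return (address, port, process) for one LISTEN line, or None for header/blank lines."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    # rpartition keeps IPv6 literals such as "[::]" intact and splits off the port.
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    match = PROCESS_RE.search(line)
    process = match.group(1) if match else "?"
    return addr, int(port), process


def audit_listeners(lines, watchlist=WATCHLIST):
    """Flag watchlisted services bound to every interface; loopback or single-IP binds pass."""
    findings = []
    for line in lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port, process = parsed
        if addr in ALL_INTERFACES and port in watchlist:
            findings.append({"port": port, "service": watchlist[port],
                             "process": process, "bind": addr})
    return findings


def main(argv):
    if "--live" in argv:
        # Live mode shells out to ss; needs a Linux host with iproute2 installed.
        result = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True)
        lines = result.stdout.splitlines()
    else:
        lines = SAMPLE_SS_OUTPUT.splitlines()
    for f in audit_listeners(lines):
        print(f"EXPOSED {f['service']:<4} port {f['port']:<5} bound to {f['bind']:<8} ({f['process']})")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments to see the constructed sample audited (SSH, RDP and SMB are flagged, the loopback-only database and the single-address web port are not); run with `--live` on a Linux host to audit its own listeners. Anything flagged should either be bound to an internal address, put behind a firewall or VPN, or turned off.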