A ransomware attack possibly bearing the markings of SamSam may be responsible for outages in the City of Atlanta’s computer systems.
The city issued a statement confirming that computers are “currently experiencing outages on various internal and customer facing applications, including some applications that customers use to pay bills or access court-related information.”
Members of the Atlanta Information Management team are “working diligently with support from Microsoft to resolve the issue” and expect “to restore applications soon,” the statement said, adding that it would provide updates on its website, Atlantaga.gov, which “remains accessible.”
While the city’s transit system, MARTA, has had some issues Thursday, according to an 11Alive News report, the area’s busy Hartsfield-Jackson Atlanta International Airport, has not been hit nor have the 911 and dispatch systems.
“MARTA is currently experiencing a technical outage impacting MARTA Bid, Breeze Card, Reduced Fare and the MARTA On-the-Go sites,” MARTA tweeted. “This issue is currently being troubleshot by MARTA IT. We do apologize for any inconvenience caused.”
The report said a screenshot submitted by a city employee and analyzed by an expert, shows a ransom demand for “$6,800 per unit, or $51,000 to unlock the entire system.”
A security expert used by 11Alive said the attack seemed be a result of SamSam ransomware.
In February, the Colorado Department of Transportation (CDOT) was hit by SamSam ransomware, forcing the organization to shut down 2,000 computers across its system while it investigates and attempts to mitigate the attack.
While “typical ransomware victims are infected by clicking on a malicious link, opening an email attachment, or through malvertising,” Sentinel One Director of Product Management Migo Kedem explained in a blog post that “SamSam is unique because it infects servers directly using a vulnerability in Red Hat’s JBoss enterprise products.”
Using tools like the open-source penetration testing tool JexBoss, “to identify unpatched vulnerabilities in JBoss application servers,” hackers infiltrate then “install the SamSam ransomware onto the targeted Web application server and spread the ransomware client to Windows devices and encrypt their files,” Kedem wrote.
First observed in early 2016 by April of that year SamSam had targeted “a minimum of 58 organizations, including those in the healthcare industry,” the SentinelOne blog post said, noting that MedStar, “a $5 billion healthcare provider that operates 10 hospitals and employs more than 30,000 people in the Maryland and Washington D.C. region,” did not pay the 45-bitcoin ransom, while the Hollywood Presbyterian Medical Center in Los Angeles ponied up just under $17,000 in ransom.
The FBI said it’s “coordinating with the city of Atlanta” to get to the bottom of the cyberattack, the report said.
“Ransomware can be devastating to anyone but when it hits city, government, or hospital servers it can affects hundreds or thousands of people,” said Lamar Bailey, director of security research and development at Tripwire, who noted the best defense is implementing foundational controls and practicing base security hygiene. “Running a server is like standing in a room full of people with the flu. If you don’t want to get sick, do basic hygiene like wearing a mask, not eating or drinking after others, and wash your hands. Taking Tamiflu after the fact will help you get better, but it is still going to suck for several days.”
But once an attack occurs “there are only a few options to pay the ransom which may or may not work, including restore from a backup, or rebuild the system,” Bailey said. “The restore option is generally the quickest and easiest way to get things running again, but if the restore image is not clean, it could happen all over again.”