On March 22nd, the city of Atlanta was hit by a very sophisticated “SamSam” ransomware attack that effectively crippled the government and much of the public services in the state. Citizens in the capital are unable to pay their parking fines or for essential services like water. The police are having to switch to paper reports as digital services have been compromised. These effects lasted for at least 6 days after the initial attack.
The ransomware strain that was used to cripple Atlanta is known as “SamSam.” This type of ransomware is unlike others that rely mainly on phishing scams or on the mistakes of an employee. SamSam infiltrates the network by exploiting weak passwords and other weaknesses in an organization’s public-facing systems, and then uses off-the-shelf password-cracking tools to travel through the network and gain control. SamSam has grown over the years into a sophisticated and formidable threat that, until now, most governments have yet to take seriously.
SamSam attackers are clever: they often move laterally throughout the network, establish a good base of attack and identify the most valuable data before beginning the encryption, in order to avoid detection for as long as possible. Many organizations simply do not have the ability to detect these kinds of attacks.
What We’ve Learnt from this Attack
Perhaps most worrying about the attack in Atlanta is the fact that attackers are now targeting cities. In many ways this is becoming an issue of national security. Governments have a responsibility to ensure that they are doing everything in their power to protect the data of their citizens and ensure public services are fully functional at all times.
We’ve also learnt that governments, like many organizations, are unprepared for ransomware attacks in general. Are you able to detect and prevent the spread of ransomware if it were to happen within your systems?
The main thing we have learnt from Atlanta is that attackers are sophisticated, determined and indiscriminate. They will prey on any organization that does not have adequate security controls in place to detect and prevent them. We’re in 2018 now; it’s inexcusable not to have these controls and solutions in place, especially with the renewed focus on handling and processing data responsibly that the GDPR is bringing to the foreground.
Can you prevent Ransomware Attacks?
In short, there’s no way to guarantee that you will not be affected by a ransomware attack. However, there are certainly some steps you can take to mitigate the risks and prevent an attack from doing too much damage.
1. Education is the key
In many cases, educating your employees on the importance of strong passwords, regular password resets, and the risks of phishing scams can help prevent a ransomware attack from ever taking place. Ransomware is not an IT problem; it’s a people problem. If people are better able to identify a dodgy email or take greater care protecting passwords, many strains of ransomware will be rendered ineffective.
2. Don’t ignore the updates
I know that those update prompts from antivirus software and other tools installed on your device can be annoying, and it’s very easy to put them off. Don’t. These tools are constantly being tweaked to handle the latest security threats, so keep them up to date!
3. Don’t pay the ransom
We’ve touched on this in other articles. If you pay the ransom, there is no guarantee that you will get access back.
4. Take regular backups
If you are regularly backing up your sensitive files and folders then, should the worst happen, you can easily restore your systems from that earlier backup. Again, it’s a time-consuming process but a necessary one if you want to ensure that you are covered.
5. Implement a solution
Perhaps we have saved the most important till last. You must ensure that you have a solution in place that audits and monitors the changes taking place to your most sensitive files and folders. Such solutions will be able to give you an indication as to whether a ransomware attack is taking place. LepideAuditor, for example, makes use of threshold alerts to determine whether a large number of changes is occurring over a short period of time (which could indicate files being encrypted). It gives you the option to reverse the changes or to automatically run a user-defined script to shut down the server (or take other remedial action).
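Threshold alerting of the kind described above, shown here as an added illustration rather than LepideAuditor’s own code: a per-user sliding window over constructed file-audit records that fires once when the number of changes inside the window exceeds a limit, then hands each alert to a user-supplied response hook. The record format, user names, paths and limits are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs): "timestamp|user|action|path".
# "alice" edits two spreadsheets; "user2" rewrites 25 files in 25 seconds, the
# burst pattern that mass encryption produces on a file share.
SAMPLE_AUDIT = [
    "2018-03-22T02:10:05|alice|modify|\\\\fs01\\finance\\q1.xlsx",
    "2018-03-22T02:10:41|alice|modify|\\\\fs01\\finance\\q2.xlsx",
] + [
    f"2018-03-22T02:12:{i:02d}|user2|modify|\\\\fs01\\finance\\doc{i}.docx.locked"
    for i in range(25)
]

CHANGE_ACTIONS = {"modify", "rename", "delete"}


def parse_event(line):
    """Split one audit record into (timestamp, user, action, path)."""
    ts, user, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), user, action, path


def threshold_alerts(lines, max_changes=20, window_seconds=60):
    """Per-user sliding window: return (user, timestamp, count) for the event that
    pushes a user's change count over max_changes within the window. Further
    alerts for the same user are suppressed until a full window has elapsed, so
    a response script runs once per burst rather than once per file."""
    span = timedelta(seconds=window_seconds)
    windows = defaultdict(deque)   # user -> timestamps of recent changes
    last_alert = {}                # user -> time of most recent alert
    alerts = []
    for line in lines:
        ts, user, action, _path = parse_event(line)
        if action not in CHANGE_ACTIONS:
            continue
        q = windows[user]
        q.append(ts)
        while q and ts - q[0] > span:   # drop changes older than the window
            q.popleft()
        recently_alerted = user in last_alert and ts - last_alert[user] <= span
        if len(q) > max_changes and not recently_alerted:
            last_alert[user] = ts
            alerts.append((user, ts, len(q)))
    return alerts


def run_response(alerts, handler):
    """Invoke a user-defined handler (e.g. disable the account or stop the share)
    for each alert and collect its results."""
    return [handler(user, ts, count) for user, ts, count in alerts]
```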
With ransomware attacks looking likely to increase in severity and frequency over the coming years, ensure that you are prepared and stay vigilant!