NEWS ANALYSIS: The attack in Atlanta is only the latest in a series of similar ransomware attacks that have crippled medical facilities, city governments and other critical institutions.
The ransomware that has taken out many of the computers in the Atlanta, Ga. is well known by security researchers as the SamSam malware. It appears to be run by a single group of bad actors who use a common Bitcoin wallet and who are very effective at convincing their victims to pay up.
“SamSam is a ransomware controlled by a single threat group,” explained Keith Jarvis, a researcher with Secureworks Counter Threat Unit. “It’s unlike other ransomware that’s out there.” What makes SamSam different is in the way the attacks develop.
According to Jarvis, the attackers scan for open ports, typically a Windows RDP (Remote Desktop Protocol) port, and then apply a brute force attack until they get in. A brute force attack means that they’ll constantly hit the port with credentials until one works. Once they succeed, they’re inside the system.
Once inside, they’ll examine the target network looking for important assets, such as servers containing significant data. “Once they’ve identified important assets they deploy ransomware to those specific machines,” Jarvis said.
Eugene Weiss, head of content security intelligence engineering for Barracuda Networks, explained what happens next. The SamSam malware looks for certain critical files. It encrypts them with AES 256-bit encryption, and asks for a Bitcoin to be sent to a Bitcoin wallet.”
Weiss said that there’s no guarantee that the SamSam threat actors will actually go through with their offer to decrypt the files once they’ve received their Bitcoins, but they may. Jarvis said that this particular set of threat actors will typically demonstrate that they are have control of critical files by decrypting a few of them.
Jarvis said that the attackers in the Atlanta case are asking for six Bitcoins, which comes out to about $51,000.00. But that could change once the victim indicates a willingness to pay. “Sometimes this actor will renegotiate the ransom even higher,” he said.
So far, it seems, the attacker running the SamSam ransomware have been decrypting the servers they’ve attacked after they’ve been paid. From their viewpoint this is important, because if they get the reputation of refusing to do so, nobody will pay the ransom.
The attackers only seem to be after the ransom. “We’ve never found any evidence that they’re interested in stealing any data,” Jarvis said. “Their MO is exclusively to get in there and spread ransomware.”
Atlanta city officials haven’t indicated whether they’re planning to pay the ransom, or try to regain control of their data systems without doing so. In Atlanta’s case, however, they appear to be in good position to recover.
According to reports from Atlanta, the city’s IT department had been careful in backing up their critical data. Furthermore the city has moved much of their critical services to the cloud. The city’s network also appears to have been properly segmented, so public safety and the airport were not affected.
So how did this happen? According to Sam Elliott, director of security product management with remote security services provider Bomgar in Atlanta, said it’s apparent that ‘there’s some pretty bad hygiene of open ports there,” he said. “What probably caused this is a port that should not have been open.”
Elliott said that there are indications that it was probably an public facing RDP port, although he said it could also have been an SMB port. He said that finding such ports is relatively easy using the Shodan network browser. Elliott said that what typically happens is that a port is opened for a specific purpose, such as for a support call, and then left open because someone forgot to close it.
Jarvis said that right now the city’s IT folks are deciding on the approach to take. “They’re going through the calculus of ‘can we recover’ without having to pay the ransom.”
Whether they can depends on whether the backups are saved properly. If they can, then they don’t need to pay the ransom. “If they backed up their data, that’s the only way to recover from a ransomware attack,” Weiss said.
Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends:
Turn off RDP. It should never be used on any public facing port and its use should be discouraged anywhere else on a network. Turn on two-factor authentication. Brute force credential attacks won’t work if two-factor authentication is in place. Perform regular audits of your external network for open remote access ports. You can use the Shodan browser for this. Have robust credentials. Weak credentials make a break-in easier and faster. Use whitelisting. That means keep a list of the sites on the internet where users are allowed to go, and a list of what sites can have access to your network.
Weiss adds a couple more suggestions:
Never allow Windows shares on the public network. Patch religiously. While you need to confirm that a patch will work, it’s critical to apply it promptly. The practice of delaying patches for months or forever is certain to cause problems. Finally, train your employees to recognize threats such as phishing emails. “It’s time that anyone who touches a computer ought to be trained about social engineering,” he said.
Following security best practices will help most organizations avoid ransomware, but those practices have to be more than just lip service.
Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and…