Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser-known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for March 2018 is… the ransomware attack that paralyzed the city of Atlanta.
Early in the morning of Thursday, March 22nd, the city of Atlanta was hit with a major ransomware attack that affected at least five out of thirteen municipal departments. It is not yet known if personal data was stolen, but for the purposes of this article we consider all ransomware attacks to be data breaches, because the attackers have access to the data within the systems they compromise.
The ransom was set at around $51,000 in bitcoin, which to date the city has not paid. Over a week later, many systems are still encrypted, and large amounts of data are unlikely to ever be recovered. The impacts of the attack have been felt all over the city. The police department has had to use paper records, the courts have been writing and processing tickets and warrants by hand, and residents have been unable to pay bills to the city. Some services were taken offline as a preventative measure, such as the WiFi at Atlanta’s airport.
How Did It Happen?
The attackers used the ransomware variant SamSam, which was first identified in 2015. It is a sophisticated strain of ransomware that exploits vulnerabilities or weak passwords in public-facing systems, and then gains control of the network using tools like Mimikatz, which harvests credentials from a compromised computer. SamSam is especially dangerous because it exploits vulnerabilities in many different systems, and therefore does not require a successful social engineering attack in order to spread within the network.
Atlanta had undergone a cybersecurity audit in January, which identified multiple severe vulnerabilities. The city had just begun to take action on the recommendations from the audit.
How to Minimize the Risk of this Type of Breach
According to Wired, the best defense against SamSam is following basic security best practices, such as keeping patches up to date, maintaining strong backups, and having a plan in place to manage ransomware attacks.
Building out such a plan, and turning it into a streamlined and consistent procedure, requires tools like D3’s incident response platform. D3 helps organizations implement plans that mitigate the damage of ransomware attacks. D3 combines SIEM data, threat intelligence, and machine learning to quickly detect and assess threats, such as unusual activity on the network. A ransomware attack will trigger a specific playbook that orchestrates response processes to quickly understand the impact and take steps toward remediation. D3’s response playbooks eliminate much of the confusion that follows ransomware attacks by leveraging communication tools to bring Legal into the loop, automatically assign tasks, and share notes between investigators.
As a recent article in the Atlantic pointed out, attacks like this have become commonplace, and businesses of all sizes are just as likely to be targeted as a major city like Atlanta. We hope this article provided you with a few ideas for how you might prepare your organization for this type of attack.
We’ll see you back here next month for a new Breach of the Month.