Hard Lessons About Malware

Atlanta Mayor Keisha Lance Bottoms held a press conference yesterday to address the malware attack the city has been working through over the past few days, and how the city is working with the Secret Service, FBI, Department of Homeland Security, and academic and private institutions to accomplish two things: a forensic investigation into the attack, and incident response to resolve the impact it has had on the city’s technology infrastructure.

These organizations are all working hard together to bring Atlanta’s critical systems back online, but affected systems are still encrypted and have now been unavailable for five days. While some critical systems such as police, fire, rescue, 911, water services and airports are operational, there is still a tremendous amount of work to be done and some serious lessons to be learned.

The departments still affected include the following:

  • Department of City Planning and Office of Buildings: Processing times are longer than normal.
  • Office of Zoning and Development: Processing times are longer than normal.
  • Office of Housing and Community Development: Office is unavailable to process disbursement requests.
  • Municipal Court: The Department of Corrections has switched to a manual ticketing system for defendants who have been arrested and taken into custody. No “failure to appear” for court will be generated at this time and all cases will be reset.
  • Department of Watershed Management: Online bill payments and in-person bill payments are down.

The Mayor described the experience as: “Bigger than a ransomware attack. This is an attack on our government, which makes it an attack on all of us.” She adds that “what has been attacked is digital infrastructure. As elected officials, we tend to focus on things people see. But we have to make sure that we focus on the things that people can’t see and digital infrastructure is very important.”

No one can yet estimate when all systems will be back up and running as expected. Teams are working 24 hours a day, cautiously managing potential burn-out as they go.

They have confirmed that it was SamSam ransomware, a remotely delivered attack that compromised their systems, a variant that has cost victims collectively $850,000 since December 2017. According to CSO Online, the city had many services exposed to the internet, including “VPN gateways, FTP servers, and IIS installations,” which likely made it easier for attackers to find a point of entry. Many of these exposures stemmed from avoidable misconfigurations that left known security issues open.


Protect your home and office systems from these types of attacks.

Here are some useful steps to take:

  • Make sure you have regular backups and that those backups are offline and tested from time-to-time to make sure they will work when you need them. Work with your technology team to make sure these critical backups aren’t accessible from the computers that are backed up so that in the event of a ransomware attack, they cannot also encrypt your critical backups.
  • Keep your computers patched for Windows, macOS, Android phones, iOS (iPhones) and any other operating system that you or your organization uses.
  • Make sure your software applications are up-to-date, especially browsers such as Firefox, Chrome, Microsoft Edge and Internet Explorer. If you’re using an out-of-date browser, you are likely putting yourself and your organization at greater risk.
  • Make sure to keep your antivirus up-to-date by regularly updating its virus definitions, regardless of the brand you use. Many of them are free but we recommend using a paid version.
  • Be alert and don’t open attachments without verifying they’re legitimate. Ask your contacts to send you verifiable links to documents rather than attachments. This is a new practice that may take a little time to get used to, but it greatly reduces your risk of attack.
  • Last but not least – don’t click on links in emails, even if you know and trust the sender. Whenever in doubt, pick up the phone and call them, or walk down the hall and ask them, to make sure they did indeed send you that attachment or link.
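As an added example that is not part of the original post, the following POSIX shell script shows one way to put the first step above into practice: take a backup, record a checksum manifest beside it, and later prove the backup still restores by unpacking it into a scratch directory and checking every file against the manifest. The paths, sample files and function names (make_sample_data, take_backup, verify_backup, simulate_corruption) are constructed for this illustration. The script does not by itself keep the backup out of reach of the backed-up computers; that depends on running it from a separate backup host that pulls the data and on where the archive is stored.

```shell
#!/bin/sh
# Added example (not from the original post): take a backup, record a
# checksum manifest, and prove the backup restores by rebuilding it in a
# scratch directory and checking every file against the manifest.
# All paths, sample files and function names are constructed for this demo.
set -eu

# make_sample_data DIR: populate DIR with a few constructed records to back up.
make_sample_data() {
  mkdir -p "$1/records"
  printf 'permit 1001 approved\n' > "$1/records/permit.txt"
  printf 'water bill 2018-03 paid\n' > "$1/records/bill.txt"
}

# take_backup SRC ARCHIVE: archive SRC into ARCHIVE (an absolute path) and
# write a SHA-256 manifest next to it. The manifest is what a later restore
# test is checked against, so store it with the archive, not on the source host.
take_backup() {
  src=$1; archive=$2
  tar -C "$src" -cf "$archive" .
  (cd "$src" && find . -type f -exec sha256sum {} +) > "$archive.sha256"
}

# verify_backup ARCHIVE: restore ARCHIVE into a throwaway directory and check
# each file's checksum. Returns 0 if the restore is complete and intact,
# 1 if extraction fails or any file differs from the manifest.
verify_backup() {
  archive=$1
  manifest="$archive.sha256"
  scratch=$(mktemp -d)
  status=0
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    status=1                                   # archive unreadable or truncated
  elif ! (cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1); then
    status=1                                   # a file is missing or altered
  fi
  rm -rf "$scratch"
  return "$status"
}

# simulate_corruption ARCHIVE: rebuild the archive with one file altered while
# leaving the original manifest untouched, emulating silent damage to a stored
# backup so the failure path of verify_backup can be exercised.
simulate_corruption() {
  archive=$1
  tmp=$(mktemp -d)
  tar -C "$tmp" -xf "$archive"
  printf 'garbage\n' > "$tmp/records/bill.txt"
  tar -C "$tmp" -cf "$archive" .
  rm -rf "$tmp"
}

# run_demo: end-to-end walk-through on constructed data.
run_demo() {
  work=$(mktemp -d)
  make_sample_data "$work/src"
  take_backup "$work/src" "$work/backup.tar"
  if verify_backup "$work/backup.tar"; then
    echo "fresh backup: restore test passed"
  else
    echo "fresh backup: restore test FAILED"
  fi
  simulate_corruption "$work/backup.tar"
  if verify_backup "$work/backup.tar"; then
    echo "damaged backup: restore test passed (should not happen)"
  else
    echo "damaged backup: restore test FAILED, as expected"
  fi
  rm -rf "$work"
}

run_demo
```

Run the restore test on a schedule from the backup host, not from the machines being backed up, and treat any non-zero result from verify_backup as an incident to investigate: a backup that has never been restored is only a hope, not a recovery plan. The simulate_corruption function exists only to show what a failed check looks like; it has no place in a production job.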

WIMZKL is delighted to help you be pro-active about protecting yourself and your organization from these kinds of attacks but we also often get calls to help clean them up when they happen. In any case, please get in touch for guidance. WIMZKL is at your service.