PSA: Lessons From The Atlanta Ransomware Situation

In the past few days the City of Atlanta has been hit with a ransomware attack. Several major computer systems that provide city services have been encrypted by an attacker. The attacker is demanding $51,000 worth of bitcoin to decrypt the systems, and the city has not yet ruled out paying the ransom. The attack occurred five days ago, and as of this writing, the systems remain inaccessible.

Yesterday, Mayor Keisha Lance Bottoms held a press conference to chat about the problem. So far the mayor and her team seem to be doing a great job of putting together a coordinated and multipronged response to deal with the incident.

What struck me about the conference is that it was the kind of conference a city holds when dealing with a physical disaster. The mayor actually described it as a “hostage situation” towards the end of the conference. This is the tangible impact of a cyber attack on a local government.

The City of Atlanta is working with the Secret Service, FBI, Department of Homeland Security and academic and private institutions, including Georgia Tech and SecureWorks. They have completed the investigation and containment phase of the incident response and have moved on to the restoration phase where they work to bring critical systems back online, but at this time the affected systems are still encrypted.

Many of Atlanta’s systems have now been down for five days, though critical systems such as police, fire, rescue, 911, water services and airports are operational and continue without interruption. The departments affected include:

  • Department of City Planning and Office of Buildings: Processing times are longer than normal.
  • Office of Zoning and Development: Processing times are longer than normal.
  • Office of Housing and Community Development: Office is unavailable to process disbursement requests.
  • Municipal Court: The Department of Corrections has switched to a manual ticketing system for defendants who have been arrested and taken into custody. No “failure to appear” for court will be generated at this time and all cases will be reset.
  • Department of Watershed Management: Online bill payments and in-person bill payments are down.

Mayor Bottoms has described this as: “Bigger than a ransomware attack. This is an attack on our government, which makes it an attack on all of us.” She goes on to say that “what has been attacked is digital infrastructure. As elected officials, we tend to focus on things people see. But we have to make sure that we focus on the things that people can’t see and digital infrastructure is very important.”

The city does not currently have a time estimate for when they will get all of their systems back up and running. They are working around the clock, and they are actually concerned that some of the team that has responded to this incident may burn themselves out, so they are managing that aspect of the task, too.

They have confirmed that it was a remote attack that compromised their systems. The city was reportedly hit by the SamSam ransomware. This ransomware variant has made the attackers $850,000 since December 2017. According to CSO Online, the city had many services exposed to the public, which could have provided an attacker with a point of entry, including “VPN gateways, FTP servers, and IIS installations.” Many services had SMBv1 enabled, which has known security issues.
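The two findings above, services reachable from the public internet and SMBv1 still enabled, are the first things a defender would want to audit on their own hosts. The following PowerShell script is an added example; it is not code from the Wordfence post or from the Atlanta investigation. It lists TCP services listening on every interface (which are reachable from the internet if the host has a public address), reports whether SMBv1 is enabled, and disables it. It assumes a Windows 8.1 / Server 2012 R2 or later host and an elevated session; on Windows Server the component can also be removed with Remove-WindowsFeature FS-SMB1.

```powershell
# Added example, not code from the Wordfence post. Audits a Windows host for
# the two conditions named in the text: services listening on every interface, and SMBv1.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.
#Requires -RunAsAdministrator

function Get-ExposedListeners {
    # TCP listeners bound to the wildcard address accept connections on every interface,
    # so on a host with a public address they are reachable from the internet.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Pid     = $_.OwningProcess
            }
        } | Sort-Object Port -Unique
}

function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol   # server service still speaks SMBv1
        Smb1FeatureState  = $feature.State                # component Enabled / Disabled
    }
}

function Disable-Smb1 {
    # Stop the server service from accepting SMBv1 (-Force skips the confirmation prompt) ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the component so the SMBv1 client is gone too; finishes after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Write-Output '== TCP services listening on all interfaces =='
Get-ExposedListeners | Format-Table -AutoSize

$status = Get-Smb1Status
Write-Output '== SMBv1 status =='
$status | Format-List
if ($status.Smb1ServerEnabled -or $status.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName); disabling it."
    Disable-Smb1
    Get-Smb1Status | Format-List
}
```

Run it on each server before exposing anything to the internet; every port in the first table that does not belong to a service you intend to publish is a candidate for a firewall rule or for shutting the service down, and any host that still answers with SMBv1 should be fixed before it is reachable from outside.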

One thing I found interesting about the mayor’s comments was an analogy she used. She uses as an example an old truck she had. She didn’t think she had to replace it until she was in a wreck. And then she had to replace it. Her analogy makes it clear that the city should have updated their security posture before this incident occurred, and now that it has occurred, they are forced to take action to resolve the issue and secure their systems going forward, but at great cost and inconvenience.

I think this is a valuable lesson, and something that WordPress site owners should take to heart. It is important to be proactive when it comes to securing your systems and educating yourself about cybersecurity. Don’t wait until you get hacked before you take action. If you have a WordPress website, install a malware scanner and firewall like Wordfence and use our blog, learning center and Wordfence documentation to empower yourself and secure your website. We have also written about ransomware as an emerging threat to WordPress in the past.

Ransomware mainly targets desktop systems. To protect your home or office systems from a ransomware attack, take the following steps:

  • Ensure you have regular backups and that those backups are offline. They must not be accessible from the workstation that is being backed up to ensure that ransomware cannot also encrypt your backups when you get infected.
  • Install the latest security patches for Windows, OSX, Android, iPhone and any other operating system that you use. Along with backups, this is the most effective thing you can do to protect yourself.
  • Install any application updates, especially browser updates. Make sure you are not running an old vulnerable browser, or else simply visiting a compromised website can infect you.
  • Install a desktop antivirus solution and ensure it has updated virus signatures, or alternatively, enable Windows Defender, which is free.
  • Do not open attachments or downloaded files from untrusted sources. Avoid using file attachments completely if you can, and use cloud services like Google Docs instead.
  • Do not click links in emails from people you do not trust.
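The first step in the list is the one that decides whether an infection is a nuisance or a disaster, and "offline" is the part that is usually skipped: a backup drive that stays mounted is just another folder for the ransomware to encrypt. The following PowerShell script is an added example, not from the Wordfence post; it copies a folder to a removable disk, verifies every file against a SHA-256 hash, writes a manifest next to the copy, and then takes the disk offline so the workstation can no longer write to it. The source path and drive letter are placeholders, and it assumes an elevated session and an NTFS-formatted removable disk that supports being set offline (some USB flash sticks do not; those have to be physically unplugged).

```powershell
# Added example, not code from the Wordfence post. Verified backup to a removable disk,
# then the disk is taken offline so a later infection on this workstation cannot reach it.
# Assumes an elevated session; $Source and $BackupDriveLetter are placeholders.
#Requires -RunAsAdministrator
param(
    [string]$Source = 'C:\Users\alice\Documents',   # placeholder path
    [string]$BackupDriveLetter = 'E'                # placeholder drive letter
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path "$($BackupDriveLetter):\" "backup-$stamp"

# 1. Copy into a fresh timestamped folder. /E copies subdirectories; /MIR is avoided on
#    purpose so an already-encrypted source can never overwrite or delete an older backup.
robocopy $Source $dest /E /R:1 /W:1 /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failure (exit code $LASTEXITCODE)" }

# 2. Verify: hash every source file and compare with its copy.
$mismatch = @()
Get-ChildItem -Path $Source -File -Recurse | ForEach-Object {
    $rel  = $_.FullName.Substring($Source.Length).TrimStart('\')
    $copy = Join-Path $dest $rel
    if (-not (Test-Path $copy)) { $mismatch += $rel; return }
    $srcHash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $copyHash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    if ($srcHash -ne $copyHash) { $mismatch += $rel }
}
if ($mismatch.Count -gt 0) {
    throw "Verification failed for $($mismatch.Count) file(s): $($mismatch -join ', ')"
}

# 3. Record a manifest beside the copy so a restore can be checked the same way later.
Get-ChildItem -Path $dest -File -Recurse |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation

# 4. Take the whole disk offline: no drive letter, no writes from this machine.
$disk = Get-Partition -DriveLetter $BackupDriveLetter | Get-Disk
Set-Disk -Number $disk.Number -IsOffline $true
$count = (Get-ChildItem -Path $dest -File -Recurse).Count
Write-Output "Backup $dest verified ($count files); disk $($disk.Number) is now offline."
```

Scheduling this as a task gives you the "regular" half of the first bullet; rotating two or three disks and keeping one of them somewhere else entirely covers the case where the machine is lost or the whole office is affected. Note that the copy is a plain folder tree: a restore is a copy back, followed by the same hash comparison against manifest.csv.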

Bringing Cybersecurity Education to Atlanta in April

WordCamp is a WordPress conference that happens in cities around the world throughout the year. WordCamp Atlanta will be held April 13-15, 2018. Our team will be there, and we will be hosting a unique event to help participants learn more about WordPress security and cybersecurity in general.

Our team will be hosting a ‘Capture The Flag’ or CTF event at WordCamp Atlanta. A CTF is a contest where participants have to complete a series of challenges to capture ‘flags’. The challenges range from completing a technical task to solving a puzzle to hacking into a system. CTFs are designed to teach participants how to secure computer systems better. They get participants to think like an attacker, and in doing so, participants learn how to better defend against attacks.

As far as I know, this is the first time that a CTF is going to be held at a WordCamp. These events are usually found at hacker conferences like DefCon and BSides. The CTF that we are hosting has been created by our top security researchers and is focused around WordPress security. We will also have five of our team members there to help you get started and to chat with you about security, including several senior Wordfence developers.

If you are just starting out in WordPress or security, don’t panic! Our team has worked hard to make sure that this CTF has something for everyone. So visit us at our booth at WordCamp Atlanta and we’ll help you get set up and capturing your first flags in no time at all! You may even win a prize or two!

Our top prize for the contest is a PlayStation 4 with full Virtual Reality setup, including a headset, motion controllers and a VR game. We also have a ton of other prizes I think you’ll really like. If you can make it to WordCamp Atlanta this year to participate, I highly recommend you give the CTF contest a shot. Not only do you have the chance of winning an amazing prize, but participating in the CTF will empower you to secure WordPress and your websites.

If you don’t have a ticket for WordCamp Atlanta yet, I suggest you buy one now if you plan to attend. At the time of writing there were only 87 tickets left, and those will probably go quickly. You can purchase your ticket here. When you arrive, make sure you come over and visit us at our booth and we’ll help you get set up to participate in the CTF.

If you can’t make it to WordCamp Atlanta, don’t despair. We will be hosting future events, and will let you know about them via our blog.


Comments

11 Comments
  • Thanks for posting this article. I was wondering more about this attack. Our most important asset against this type of attack is still our employees, that is for sure.

  • Very good advice. We tend to think it will not or cannot happen to us. The office desktop of a family member of mine was compromised with ransomware, as was my wife's laptop via an email link. In both cases the most important data could be recovered because of backups on other computers or external hard drives.

    I have various web sites and cannot afford to run them without backups. So far Wordfence also did an immaculate job in keeping them safe and protected – thanks and keep it up.

  • I think the last bullet point "Do not click links in emails from people you do not trust." could be more helpful. Many times malicious links are served from spoofed emails that look like they are coming from someone that people DO trust...and so they click on them with barely a second thought. Better to not click on links no matter who they appear to be from unless a) you are expecting them from that person, or b) you have verified with that person first that they actually sent them.

  • I agree 100% EXCEPT for one point. This one "Do not click links in emails from people you do not trust. "

    Just last week I received an email from a very close friend who is a realtor. In the email, it says: "Hope you are doing well. When I found this I thought of you {LINK}"

    Being a developer I instantly knew the link was to a malware source. If I were my mother, or someone who is not big into I.T., I most likely would have clicked that link.

    However, it's hard to say not to click this link as it's from a truly close friend. And, if the link looked close to a reputable company but was a phishing scheme it's hard to tell someone that is not into I.T. that they shouldn't click that link.

    Thoughts???

    • Absolutely. What we meant was: as a rule, you don't want to download things from people you don't know, and to of course use your best judgment and common sense with links and downloads from trusted sources.

  • Any chance the CTF will be made available to remote participants? :)

    • We don't have any announcement at this time.

  • One day I saw notifications that one of my cloud-based folders was experiencing files changing. I looked there and the files were being turned into some file format I never heard of before. I copied a set to my desktop and deleted that folder off the cloud server. They were definitely ransomware files and had the message.

    Sorry. I win.

    It was a folder that was being shared with a number of school teachers on their servers. I assume it was coming through that channel. I'll never know if it could have spread into my cloud folders or not since I was fortunate enough to see it start happening and stop it from spreading.

    And because I had backups, I was able to create a new folder and resend share links to the other people and get back to "normal".

  • So are you telling us that the City of Atlanta IT staff didn't have a robust backup system in place?

    They wouldn't want me in charge, because none of them would have jobs if that were the case. Simply inexcusable in this day and age not to have some sort of IT disaster management plan.

    I inadvertently released a ransomware virus in 2015 late one morning. We lost about 4 business hours of work across the company group because everything was backed up. The repository is networked but on a different subnet so was clean. We copy the backup data to USB HDD as a CRON job and this is taken offsite daily. We rotate these offsite drives on a 3 day basis.

    1 1/2 business days later we were back online.

  • Nice analysis. If I might add one word of caution to people (using Wordpress):
    * Please take the utmost care which plugins you install. Any and all code in the plugin will execute on your webserver. That includes malicious code.
    * Over the last year a number of plugins have been sold, resulting in backdoors and other unwanted code. This code subsequently ran on any and all Wordpress installations where the plugins were active.
    * At this time there is no real way for a Wordpress admin to find out if and/or when a plugin is sold and possibly suspect. I intend to launch a tool for this purpose soon.

  • Is the tool done yet?