On Thursday, March 22 at 5:40 a.m., Atlanta city officials learned of a ransomware attack on many of the city’s customer-facing applications. Several of the affected sites dealt with paying bills and accessing court-related information.
After five days, the city finally gave the go-ahead for employees to turn their computers back on. But many officials call this attack a turning point for cybersecurity, as software is becoming more advanced.
Ransomware is a newer type of cyber attack, which disables systems until a ransom is paid to get them back, said Dave Schroeder, technology and cybersecurity strategist for the University of Wisconsin Division of Information Technology.
In Atlanta’s case, the ransomware was known as “SamSam,” and instead of gaining access through phishing, it looks for vulnerabilities in websites and other internet services open to the public. This makes it especially dangerous for municipalities that are unprotected, Schroeder said.
“There is generally no way to recover data from this kind of attack without knowing the decryption key, which the attackers will only provide if the ransom is paid, or by recovering systems from backups,” Schroeder said. “Even with good backups, this can be a painstaking and time-consuming process. Often the ransom amounts may not seem large by US standards, but could represent a windfall for attackers operating in other parts of the world. The attackers usually demand the ransom be paid using cryptocurrencies like Bitcoin.”
These ransomware attacks are becoming more common and could be a threat to any city, including Madison, Schroeder said.
Organizations that invest in technical capabilities to protect and back up their systems, and that spend time educating their staff about how to protect themselves and their networks online, are the most secure from any kind of attack. But no organization is completely immune, and a determined attacker can often find a way in, Schroeder said.
“This kind of attack could happen anywhere,” Schroeder said. “Any city service that depends on computers could be impacted, from the water utility to police and fire service to the Madison schools. These kinds of attacks can impact an entire city’s population, with days to weeks to fully recover. This is why it is really incumbent on any organization to recognize that while good cybersecurity policies and practices cost money to implement, they can save even more money in the long run.”
The FBI and cybersecurity organizations recommend not negotiating or paying the ransom, as it gives the hackers a motive for continuing their attacks, Schroeder said.
But that is difficult to achieve, as the information held hostage could be critical, particularly for a health care organization with patient security in mind, UW chief information security officer Bob Turner said.
Because of the huge potential threat, Turner believes the Atlanta attack means cities need to up their security measures and look ahead to the next generation of cyber attacks. This can be hard because as technology improves, so do the methods to hack into it to gain money or information.
“The simple fact is anything can be impacted — your Amazon Alexa, building controls, camera systems and your refrigerator — they are all vulnerable to attack because you can do it. Anytime technology improves, there becomes a tactic to cause chaos and mayhem,” Turner said.
The events in Atlanta have also pushed UW to focus on its security to ensure the potential for an attack like this can be minimized, Turner said.
UW has a really complex online presence, with more than 750 networks on its gigabyte backbone, Turner said. This means more protection of the sites and trying to identify the early signs of a hacker before it gets any worse.
“We get the indicators of compromise based on the tools we have and then determine if we have ransomware coming onto the system,” Turner said. “But sometimes it happens so fast you don’t even know it, or sometimes it is a direct load, so if there is a phishing campaign in progress built so people will bite on it, so we are less secured against that.”
While the university has an active program to protect against phishing, it is still heavily dependent on the user, Turner said. When someone clicks on an unfamiliar link sent to their email, it can lead to much bigger problems for the university.
But the addition of SamSam to the cyber world will change the game for security measures and add another tool to hackers’ tool belts, Turner said.
To protect yourself from a potential attack, Turner said the most secure measure is to make sure you have a full backup of your device. Turner advocated that the best way to store backups is through the “generational son-father-grandfather” method.
“The ‘son’ backup is something that is done every day and is really just data. The ‘father’ backup is done on a weekly or monthly basis, but it also contains not only the data from a greater period of time, but the operating system necessary to rebuild your device. Finally, the ‘grandfather’ is sitting over at the house far away from the father and son and is the ultimate full backup, the ‘everything is broke and I need to have a whole new system built’ backup,” Turner said.
But with a changing technological world, nobody can be completely protected, Turner said. The best you can do is to take the necessary precautions for a “what if” scenario.
Turner believes the bottom line is hackers will continue to do whatever they can to make money, and municipalities, schools and organizations need to be prepared for the worst.
“They did it in Atlanta and they will do it somewhere else,” Turner said. “They want money and they will do anything to get it. It’s a game, but it’s a really serious game. There is a lot of money to be made in cyber crime and a lot of money to be spent by municipalities that can’t afford the proper defense.”