Atlanta After Ransomware Attack: Please Restart Your PC


Ladies and gentlemen, please restart your PCs and printers.

Employees of the city of Atlanta met that missive when they arrived at work on Tuesday. It followed a Thursday ransomware outbreak that appeared to have begun on a city server and spread to at least seven other systems.

"The city of Atlanta is advising its employees to turn on computers and printers for the first time since the March 22 cyberattack," the city says in a Tuesday statement.

"It is expected that some computers will operate as usual and employees will return to normal use," the statement adds. "It is also expected that some computers may be affected or affected in some way and employees will continue using manual or alternative processes. This is part of the city's ongoing assessment as part of the restoration and recovery process."

As a result of the outbreak, the city on Thursday warned its 8,000 employees to step away from their PCs while it worked to clean and restore all affected PCs and servers (see Atlanta Ransomware Attack Freezes City Business).

Five days later, however, the city said that many systems - including email, Oracle financial software, Siebel customer relationship management applications and Accela "civic engagement" software - had been restored. A self-service portal for residents running Capricorn software, however, remains offline. As a result, residents cannot pay their water bills or for parking tickets. Atlanta's airport WiFi also remains offline, taken down in the aftermath of the outbreak "out of an abundance of caution," according to city officials.

After the infection, the city said it planned to restore affected systems from backups, and said it was reviewing whether any personal, financial or employee information was compromised.

Multiple news reports have suggested that the city was hit with SamSam. Cisco's Talos security group says that SamSam attacks tend to be opportunistic rather than highly targeted.

Atlanta hasn't said how it was breached or how the ransomware spread. Researchers say most opportunistic ransomware attacks tend to be distributed via spear-phishing emails.

Enterprising attackers can also test for default credentials or purchase stolen remote desktop protocol credentials from cybercrime shops, giving them reliable ways of gaining remote access to a network, which they can leverage for many different types of crime - not just deploying crypto-locking malware.

Security experts say that a ransomware outbreak at an organization may only be the last stage of an attack, following attackers having studied networks and attempted to steal any data that they might be able to sell (see Hackers Exploit Weak Remote Desktop Protocol Credentials).

The city says it's working with everyone from Microsoft and Cisco to the U.S. Department of Homeland Security and Secret Service to SecureWorks and Georgia Tech to help it investigate the incident.

City's Security Problems Persist

For the city of Atlanta, however, beyond the possibility that an employee fell for a phishing attack, there were numerous problems that an attacker might have exploited to gain access to its systems. Information security researcher Kevin Beaumont counts leaving remote desktop protocol - port 3389 - as well as server messaging block - port 445 - open to the internet as just two of them.

Robert Graham, head of offensive security research firm Errata Security, says Atlanta's ransomware outbreak should serve as a wake-up call to all cities - as well as all municipal, county and state governments. But he says it's likely that they'll miss the point.

"They'll misinterpret what happens here. They frequently get individual desktops infected with ransomware, so they falsely believe they are on top of the situation. What happened in Atlanta is a wholly different attack, where ransomware spread to the servers," Graham says via Twitter.

Asking how the ransomware got into the network is the wrong question, Graham adds.

"The question they should be asking is, once inside, how it spread. It spread because it got 'admin' credentials," he says. "The SamSam ransomware is notorious for this. It aggressively looks for admin credentials on any system it effects and uses them to spread to other systems on the local network."

Graham says that "no sane organization" would have exposed port 445 to the internet. Until the city's IT staff deals with these types of basic information security failures, it remains at risk of becoming a repeat ransomware victim.

"Atlanta's flaw is failing to do the very basics," Graham says.