In the past few days the City of Atlanta has been hit with a ransomware attack. Several major computer systems that provide city services have been encrypted by an attacker. The attacker is demanding $51,000 worth of bitcoin to decrypt the systems, and the city has not yet ruled out paying the ransom. The attack occurred five days ago, and as of this writing, the systems remain inaccessible.
Yesterday, Mayor Keisha Lance Bottoms held a press conference to chat about the problem. So far the mayor and her team seem to be doing a great job of putting together a coordinated and multipronged response to deal with the incident.
What struck me about the conference is that it was the kind of conference a city holds when dealing with a physical disaster. The mayor actually described it as a “hostage situation” towards the end of the conference. This is the tangible impact of a cyber attack on a local government.
The City of Atlanta is working with the Secret Service, FBI, Department of Homeland Security and academic and private institutions, including Georgia Tech and SecureWorks. They have completed the investigation and containment phase of the incident response and have moved on to the restoration phase where they work to bring critical systems back online, but at this time the affected systems are still encrypted.
Many of Atlanta’s systems have now been down for five days, though critical systems such as police, fire, rescue, 911, water services and airports are operational and continue without interruption. The departments affected include:
- Department of City Planning and Office of Buildings: Processing times are longer than normal.
- Office of Zoning and Development: Processing times are longer than normal.
- Office of Housing and Community Development: Office is unavailable to process disbursement requests.
- Municipal Court: The Department of Corrections has switched to a manual ticketing system for defendants who have been arrested and taken into custody. No “failure to appear” for court will be generated at this time and all cases will be reset.
- Department of Watershed Management: Online bill payments and in-person bill payments are down.
Mayor Bottoms has described this as: “Bigger than a ransomware attack. This is an attack on our government, which makes it an attack on all of us.” She goes on to say that “what has been attacked is digital infrastructure. As elected officials, we tend to focus on things people see. But we have to make sure that we focus on the things that people can’t see and digital infrastructure is very important.”
The city does not currently have a time estimate for when they will get all of their systems back up and running. They are working around the clock, and they are actually concerned that some of the team that has responded to this incident may burn themselves out, so they are managing that aspect of the task, too.
They have confirmed that it was a remote attack that compromised their systems. The city was reportedly hit by the SamSam ransomware. This ransomware variant has made the attackers $850,000 since December 2017. According to CSO Online, the city had many services exposed to the public, which could have provided an attacker with a point of entry, including “VPN gateways, FTP servers, and IIS installations.” Many services had SMBv1 enabled, which has known security issues.
One thing I found interesting about the mayor’s comments was an analogy she used. She uses as an example an old truck she had. She didn’t think she had to replace it until she was in a wreck. And then she had to replace it. Her analogy makes it clear that the city should have updated their security posture before this incident occurred, and now that it has occurred, they are forced to take action to resolve the issue and secure their systems going forward, but at great cost and inconvenience.
I think this is a valuable lesson, and something that WordPress site owners should take to heart. It is important to be proactive when it comes to securing your systems and educating yourself about cybersecurity. Don’t wait until you get hacked before you take action. If you have a WordPress website, install a malware scanner and firewall like Wordfence and use our blog, learning center and Wordfence documentation to empower yourself and secure your website. We have also written about ransomware as an emerging threat to WordPress in the past.
Ransomware mainly targets desktop systems. To protect your home or office systems from a ransomware attack, take the following steps:
- Ensure you have regular backups and that those backups are offline. They must not be accessible from the workstation that is being backed up to ensure that ransomware cannot also encrypt your backups when you get infected.
- Install the latest security patches for Windows, OSX, Android, iPhone and any other operating system that you use. Along with backups, this is the most effective thing you can do to protect yourself.
- Install any application updates, especially browser updates. Make sure you are not running an old vulnerable browser, or else simply visiting a compromised website can infect you.
- Install a desktop antivirus solution and ensure it has updated virus signatures, or alternatively, enable Windows Defender, which is free.
- Do not open attachments or downloaded files from untrusted sources. Avoid using file attachments completely if you can, and use cloud services like Google Docs instead.
- Do not click links in emails from people you do not trust.
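As an added example that is not part of the original post, here is a PowerShell audit of two points raised above: whether SMBv1 is still enabled on a Windows host (the exposure the CSO Online report mentioned for Atlanta) and whether Windows Defender is running with current signatures and recent patches. It assumes Windows 10 or Server 2016 and later, an elevated prompt, and the -Remediate switch is a name I chose here, not a Windows option.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# -Remediate is a hypothetical switch defined by this script; without it, the script only reports.
param([switch]$Remediate)

function Test-SmbV1Exposure {
    # Server side: is the SMB1 protocol still accepted by this host's file service?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Feature side: is the SMB1 optional feature still installed? (Feature name as on Windows 10.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        Smb1ServerEnabled = $serverEnabled
        Smb1FeatureState  = $feature.State
    }
}

function Test-DefenderAndPatchStatus {
    # Get-MpComputerStatus reports Defender's real-time state and signature age in days.
    $mp = Get-MpComputerStatus
    # Most recent installed hotfix gives a rough "how stale is this box" indicator.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        LastHotFixDate     = $lastFix.InstalledOn
    }
}

$smb = Test-SmbV1Exposure
if ($smb.Smb1ServerEnabled -or $smb.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is enabled on this host (server=$($smb.Smb1ServerEnabled), feature=$($smb.Smb1FeatureState))."
    if ($Remediate) {
        # Stop accepting SMB1 and remove the feature; removal may require a reboot.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output "SMBv1 disabled; reboot to complete feature removal."
    }
} else {
    Write-Output "SMBv1 is not enabled."
}

$av = Test-DefenderAndPatchStatus
if (-not $av.RealTimeProtection) { Write-Warning "Defender real-time protection is off." }
if ($av.SignatureAgeDays -gt 3)  { Write-Warning "Defender signatures are $($av.SignatureAgeDays) days old." }
Write-Output "Last installed hotfix: $($av.LastHotFixDate)"
```

On Windows Server the SMB1 component is a role feature (Get-WindowsFeature FS-SMB1) rather than an optional feature, so adjust the feature check there.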
Bringing Cybersecurity Education to Atlanta in April
WordCamp is a WordPress conference that happens in cities around the world throughout the year. WordCamp Atlanta will be held April 13-15, 2018. Our team will be there, and we will be hosting a unique event to help participants learn more about WordPress security and cybersecurity in general.
Our team will be hosting a ‘Capture The Flag’ or CTF event at WordCamp Atlanta. A CTF is a contest where participants have to complete a series of challenges to capture ‘flags’. The challenges range from completing a technical task to solving a puzzle to hacking into a system. CTFs are designed to teach participants how to secure computer systems better. They get participants to think like a hacker, and in doing so, participants learn how to better defend against attacks.
As far as I know, this is the first time that a CTF is going to be held at a WordCamp. These events are usually found at hacker conferences like DefCon and BSides. The CTF that we are hosting has been created by our top security researchers and is focused around WordPress security. We will also have five of our team members there to help you get started and to chat with you about security, including several senior Wordfence developers.
If you are just starting out in WordPress or security, don’t panic! Our team has worked hard to make sure that this CTF has something for everyone. So visit us at our booth at WordCamp Atlanta and we’ll help you get set up and capturing your first flags in no time at all! You may even win a prize or two!
Our top prize for the contest is a PlayStation 4 with full Virtual Reality setup, including a headset, motion controllers and a VR game. We also have a ton of other prizes I think you’ll really like. If you can make it to WordCamp Atlanta this year to participate, I highly recommend you give the CTF contest a shot. Not only do you have the chance of winning an amazing prize, but participating in the CTF will empower you to secure WordPress and your websites.
If you don’t have a ticket for WordCamp Atlanta yet, I suggest you buy one now if you plan to attend. At the time of writing there were only 87 tickets left, and those will probably go quickly. You can purchase your ticket here. When you arrive, make sure you come over and visit us at our booth and we’ll help you get set up to participate in the CTF.
If you can’t make it to WordCamp Atlanta, don’t despair. We will be hosting future events, and will let you know about them via our blog.
The post PSA: Lessons From The Atlanta Ransomware Situation appeared first on Wordfence.