Destination Atlanta: Ransomware Lessons for Municipalities and Law Enforcement
Benjamin J. Anderson
Ransomware, the modern-day equivalent of extortion, has evolved into a steadily increasing stream of attacks against municipalities and law enforcement, in which targeted victims must pay to regain partial or full access to their compromised data or risk losing the data for non-payment. Ransomware as an attack vector continues to thrive and appears focused on those municipalities and law enforcement agencies with limited resources and unchecked system vulnerabilities. Of major concern are the evidentiary losses and the reduction in consumer confidence in these governmental organizations, which require a new focus and new financial expenditures to prevent such attacks in the future.
The Success of Ransomware Attacks
The rate at which technology has evolved and continues to be incorporated into all levels of business, government, and Internet of Things (IoT) devices has also increased the reach and impact of cyberattacks, especially with the advent of ransomware. Ransomware, more specifically, is malware combined with a financial extortion component that spreads, much like a trojan, through downloadable files or through websites (Holt, Bossler, & Seigfried-Spellar, 2018). The payload of this form of attack, however, can also be delivered through a multitude of vectors that include, in part, phishing and spear phishing campaigns, weak passwords, infected websites, lax software and patch management, and lateral movement (Mohanta, Hahad, & Velmurugan, 2018).
Business email addresses can be obtained easily from various online sites, through social media platforms, and even from business cards. Based on the format of one email address, and by identifying administrator-level employees through social media platforms, hackers can begin a combined spam and phishing campaign using malicious links that, once clicked by unsuspecting or untrained personnel, download the payload.
To achieve a greater success rate in future ransomware attacks against specific organizations, initial assaults may be conducted to soften the intended target through malware campaigns aimed at stealing sensitive data such as passwords, usernames, and even browser data (Mohanta, Hahad, & Velmurugan, 2018), which can in turn be used in later ransomware attacks for financial profit. As Mohanta, Hahad, and Velmurugan also point out, the fallout from some of the recent ransomware attacks revealed that hackers had exploited weak administrative passwords and system vulnerabilities, inappropriately managed Windows administrative tools including Remote Desktop, as well as file infections.
The effects of lateral movement across an organization, that is, the spread of ransomware from one computer to numerous computers within a single network, can also significantly increase the impact of ransomware as well as the time and expense of recovery (Mohanta, Hahad, & Velmurugan, 2018). Ensuring that systems administrators maintain separate accounts for everyday business use and for network administration, together with requirements for strong passwords and their management across the organization, are crucial components that are not always followed.
The City of Atlanta’s Brush with Ransomware
In March 2018, City of Atlanta staff identified abnormalities within the city’s network that were later identified as a SamSam ransomware attack. Coulombe pointed out that SamSam gains network and system entry through public-facing networks and protocols, including Microsoft systems, Java-based web servers (Hoffman, 2019, February 01), File Transfer Protocol (FTP) servers, and Remote Desktop Protocol (RDP), owing to vulnerabilities and weak passwords (Coulombe, 2018, July/August). Holt, Bossler, and Seigfried-Spellar also acknowledged that Symantec, the cybersecurity and services firm, found that “more than 75% of websites have unpatched vulnerabilities…allowing individuals to use minimal effort to gain access and manipulate these websites” (2018), which provides ample opportunities for success.
Hoffman’s interview with Sam Curry, the chief security officer at Cybereason, revealed that SamSam is a unique ransomware strain used by hackers “to target specific municipalities” while “setting ransoms at amounts many organizations decide to pay” (2019, February 01). Hewitt cautions that “[r]ansomware is pure extortion, whereby the attacker takes control of the victim’s valuable asset, encrypts it, and holds it hostage until a ransom is paid” (2018, February/March), usually in Bitcoin or one of the several other cryptocurrencies.
The City of Atlanta, however, took a strong stance in its handling of the attack, choosing not to pay the ransom and instead bearing a far higher bill for cleanup and repair efforts. Further compounding the problem, and reducing public trust, was the public statement by Mayor Keisha Lance Bottoms advising that anyone whose personal information was held in the city’s network through bill payments or court business, including city employees, should verify and monitor their bank accounts (Brumback, 2018, March 26; Axelrod, 2018, March 26).
Hoffman’s interview with Laura Lee, an executive vice president at Circadence, detailed that the original ransom was in the neighborhood of “$55,000 in Bitcoin”, but since it was not paid, the costs for “investigation and cleanup” were nearly “$17 million” (2019, February 01). “Making the payment may actually be more cost effective than restoring an entire compromised computer network” (Bonazzo, 2018, March 28), depending on the type, size, and resources of a particular organization.
The costs associated with ransomware, however, illustrate the growing and continuing problem for potential victims, given the ease with which these attacks continue to occur. Should an organization decide to pay the ransom, the decryption key may or may not be sent, and in some cases demands for higher ransoms, or a complete end to communications, can follow (Hewitt, 2018, February/March), leaving many wondering how best to approach the subject. Brumback’s interview with Mark Ray, a former FBI Cybersecurity Investigator, backs up Hewitt’s assessment.
In Brumback’s interview, Ray also points out that paying may unlock only a portion of the systems, with additional funds extorted to release subsequent components. What was revealing from Ray’s experience was that “an organization’s willingness to pay can make it a target for future attacks” (2018, March 26), which can make for slippery slopes in proceeding without defined risk assessments and law enforcement assistance.
Law Enforcement Evidentiary Concerns
With the successful SamSam attack targeting the City of Atlanta, many city services were reportedly taken offline, including portions of the airport, police, courts, and customer billing. Although it was initially reported that services such as the 911 emergency call center, police, and fire and rescue were not affected by the attack (Bonazzo, 2018, March 28), a later report by Abel indicates that after the dust settled, crucial evidentiary losses had in fact occurred, specifically within the Police Department (2018, June 05).
According to Abel, the losses eventually disclosed by the department involved archival dashcam footage, with the potential to limit courtroom testimony in specific cases (2018, June 05). Recently, the Georgia State Patrol, Georgia Capitol Police, and Lawrenceville Police Department were all hit by ransomware attacks in which modern communications were affected. Lawrenceville’s attack, like Atlanta’s, also compromised much of the department’s data, including dashcam footage (Ropek, 2019, July 29).
With the transition by the majority of the Nation’s law enforcement agencies to dash cameras along with body-worn units, the evidentiary use of this footage to provide a firsthand account from the officer’s perspective during a chaotic event or investigation has increased dramatically and become a crucial component of court proceedings. Because camera footage allows both judge and jury to witness events as they unfolded, the value of this evidence makes for stronger cases and a potential focus of attack. What has not been widely discussed, however, are the negative consequences of successful ransomware attacks on police agencies that interrupt, slow, or lead to the dismissal of charges in criminal and high-profile cases.
To further illustrate the potential evidentiary loss, a timely article by Barth reports that ransomware has taken a more destructive turn. Barth reported that IBM Security’s X-Force Incident Response and Intelligence Service (IRIS) acknowledged that it had observed “a 200 percent increase in destructive malware attacks over the first half of 2019” (2019, August 08). Although Barth notes that these attacks are typically from nation-state actors, the ability of ransomware to target law enforcement and remove crucial information of high evidentiary value should be of concern. Whatever the motive, municipalities and law enforcement agencies must bolster critical networks and systems to prevent data loss and reduced operational capabilities.
Combating Ransomware’s Future in Municipalities
Due to the lucrative success of ransomware, and more specifically the SamSam strain, in targeting municipalities, a shift in focus in both budgets and industry best practices must occur to limit the reach of future attacks. That shift includes, in part, system patch management, training and awareness programs, as well as policy development. “Organizations must ensure that data security is part of their strategic plan” (Pullin, 2018, Fall) to ensure operational and business continuity.
Brumback’s interview with Ryan Kalember, a Senior Vice President at Proofpoint, illustrates the level of vulnerability currently inherent in government-level organizations. “Municipalities often struggle with basic software updates and patching because they are frequently short on resources” (2018, March 26). Identifying and hiring the necessary resources, in addition to utilizing available National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) standards and guidance documents, should be commonplace to alleviate the potential for attacks and establish base controls.
Another challenge generally facing municipalities and law enforcement agencies is the general lack of knowledge of information security principles needed to ensure that defined policies and training are in place. “Some employees haven’t been taught how to spot phishing emails meant to trick them into opening ransomware”, which exacerbates the fact that many municipalities have neither developed nor implemented policies related to cyber security initiatives (Bonazzo, 2018, March 28), including training and awareness programs.
Although great strides to prevent phishing attacks have been made over the last decade, attackers continuously adapt and change the approach to fool unsuspecting victims (Iuga, Nurse, & Erola, 2016, June). Many times, it takes a successful attack on one’s home turf before the realization of how vulnerable systems are and where preventative steps should be taken. This often leads to the unplanned expenditure of financial resources for mitigation efforts in already tight budgets.
Valentine describes previous attempts at information security training and awareness programs as a one-size-fits-all approach, which has become outdated as “employees and managers continue to fall prey to the same social engineering techniques. The problem is that the traditional employee security awareness model provides a static solution for a fluid problem” (2006). Additionally, “many organizations do not build the education program around the business environment” and where the “[h]uman lack of knowledge, mistakes, and malicious intent are overwhelmingly the cause of most information security incidents and privacy breaches” (Herold, 2010). That is why it is essential that all personnel are provided with the security and privacy knowledge necessary to perform their jobs successfully, as well as the tools to identify, measure, and ensure that they understand and follow the requirements.
Further limiting the effectiveness of training and awareness programs is that both public and private companies typically deploy an assembly-line view of these initiatives to meet internal or external requirements, but often do not measure whether any benefits were gained (Valentine, 2006, June). The focus then moves toward meeting annual training requirements and not necessarily toward improvement and awareness initiatives that mitigate threats routinely through a continuous training and awareness model. As threat vectors change, so too should the content and frequency of initiatives tailored to meet organizational needs.
Ransomware has and continues to make an impact in both businesses and municipalities due to the level of unmitigated vulnerabilities present in networks and systems as well as untrained staff. While organizations and municipalities often struggle with limited resources for robust controls and routine system maintenance, the utilization of third-party audits for gap assessments while seeking guidance through readily available standards should be evaluated for implementation and improvement initiatives.
One of the ways municipalities can make an immediate impact is through the establishment of continuous training and awareness platforms, either through current staffing or with the assistance of industry practitioners using best practices. As the effectiveness of ransomware and other attack vectors continues to evolve, with data maliciously destroyed or services reduced, law enforcement agencies may continue to be targeted in an effort to disrupt high-profile criminal proceedings or events that receive national or international attention. It is therefore imperative that municipalities plan and budget accordingly to ensure that digital information of evidentiary value is protected and that chain of custody requirements are maintained.
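The evidentiary concerns discussed above call for a verifiable record of archived footage that survives an infection. As an added example, not drawn from this paper or any of its sources, the following Python script records a SHA-256 manifest for an evidence archive at archive time and re-verifies it later, reporting files that have been overwritten (as an encrypting infection would do) or removed; the directory layout, file names, and contents are constructed for the demonstration.

```python
# Added example (not from the paper): chain-of-custody integrity check for archived evidence.
# The manifest is recorded at archive time and kept offline; re-checking reveals altered or lost files.
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    # Stream the file so multi-gigabyte video does not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # Map each file's path relative to root to its SHA-256 digest.
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_manifest(root, manifest):
    # Compare the current state of root with the manifest recorded at archive time.
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif sha256_file(full) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def demo():
    # Constructed scenario: archive two clips and a log, then simulate an infection that encrypts one clip and deletes the log.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "unit12"))
        files = {"unit12/dashcam.mp4": b"ftypmp42 frames A", "unit12/bodycam.mp4": b"ftypmp42 frames B",
                 "log.txt": b"archived by evidence clerk"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        with open(os.path.join(root, "unit12/dashcam.mp4"), "wb") as f:
            f.write(b"ENCRYPTED")
        os.remove(os.path.join(root, "log.txt"))
        return verify_manifest(root, manifest)
```

In practice the manifest itself must be stored on media the infected network cannot reach, otherwise an attacker who encrypts the archive can encrypt the manifest with it.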
Abel, R. (2019, June 05). Atlanta cyberattack destroyed critical police evidence. SC Media. Retrieved from https://www.scmagazine.com/home/security-news/cybercrime/atlanta-cyberattack-destroyed-critical-police-evidence/
Axelrod, J. (2018, March 26). Ransomware attack causes outages across Atlanta city servers. The American City and County.
Barth, B. (2019, August 08). Destructive malware attacks double as attackers pair ransomware with disk wipers. SC Media. Retrieved from https://www.scmagazine.com/home/security-news/cybercrime/destructive-malware-attacks-double-as-attackers-pair-ransomware-with-disk-wipers/
Bonazzo, J. (2018, March 28). Atlanta ransomware attack shows cities not prepared for long-term security breaches. The New York Observer.
Brumback, K. (2018, March 26). Atlanta’s computer network hit by cyber attack. Insurance Journal.
Coulombe, R. (2018, July/August). Ransomware prep. Security Technology Executive, 28(3), 10, 16.
Herold, R. (2010). Managing an information security and privacy awareness and training program. CRC Press, 123-144.
Hewitt, C. (2018, February/March). The growing ransomware threat and trends. Security Technology Executive, 28, 46-48.
Holt, T.J., Bossler, A.M., & Seigfried-Spellar, K.C. (2018). Cybercrime and digital forensics: An introduction. London and New York: Routledge.
Iuga, C., Nurse, J.R.C., & Erola, A. (2016, June). Baiting the hook: Factors impacting susceptibility to phishing attacks. Human-Centric Computing and Information Sciences, 6, 1-20.
Mohanta, A., Hahad, M., & Velmurugan, K. (2018). Preventing ransomware: Understand, prevent, and remediate ransomware attacks. Birmingham, UK: Packt Publishing.
Pullin, D.W. (2018, Fall). Cybersecurity: Positive changes through processes and team culture. Frontiers of Health Services Management, 35, 3-12.
Ropek, L. (2019, July 29). Georgia public safety agency hit with ransomware attack. Government Technology.
Valentine, J. A. (2006). Enhancing the employee security awareness model. Computer Fraud and Security, 2006, 17-19.