Slashdot Mirror


Atlanta City Government Systems Down Due To Ransomware Attack (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The city of Atlanta government has apparently become the victim of a ransomware attack. The city's official Twitter account announced that the city government "is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information." According to a report from Atlanta NBC affiliate WXIA, a city employee sent the station a screen shot of a ransomware message demanding a payment of $6,800 to unlock each computer or $51,000 to provide all the keys for affected systems. Employees received emails from the city's information technology department instructing them to unplug their computers if they noticed anything suspicious. An internal email shared with WXIA said that the internal systems affected include the city's payroll application. "At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue," a city spokesperson told Ars. "We are confident that our team of technology professionals will be able to restore applications soon." The city's primary website remains online, and the city government will continue to post updates there, the spokesperson added.

69 comments

  1. Working "with" microsoft presumably to "mitigate" by Anonymous Coward · · Score: 0

    So they haven't switched to Malware 10 then?

  2. $51K to restore all of the city's computers? by Anonymous Coward · · Score: 0, Troll

    pay it

    let someone else take the high road

    1. Re:$51K to restore all of the city's computers? by WolfgangVL · · Score: 4, Insightful

      WTF.

      They might not even decrypt anyway.

      Just restore from your excellent backups. Everybody loses a day of productivity, and the courts should have paper records anyway.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    2. Re: $51K to restore all of the city's computers? by guruevi · · Score: 1

      Only like 10-50% success rate with an average number paid about twice that amount. It's not worth the gamble.

      Restore from backup and start using remote Linux sessions for your important data.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:$51K to restore all of the city's computers? by Anonymous Coward · · Score: 0

      You, sir, are an idiot.

    4. Re:$51K to restore all of the city's computers? by Artagel · · Score: 1

      Courts do not routinely have paper records these days. The federal courts have been electronic since 2004, starting with one court docket in 1996. Illinois, for example, has been mandatory since 2016. Georgia has some e-filing in its courts. Courts simply do not have the space to store the paper any more.

    5. Re:$51K to restore all of the city's computers? by Anonymous Coward · · Score: 1

      You're correct when you say they might not decrypt. That said, a few points:

      1.) Many people don't understand that their desktop is not part of what is covered by the backup system. Usually, the level of understanding is inversely related to the importance of the data they work with.
      2.) Many people will deliberately store important files outside of what is covered by the backup system. Usually, the likelihood of intentionally bypassing backups is inversely proportional to the importance of the data they work with.
      3.) Many people will avoid using company supported systems such as Sage, Great Plains, Outlook/Exchange scheduling, *SharePoint setup in favor of their own home-grown Excel monstrosities. It is absurd the lengths many people will go to avoid working with shared systems. They do this because it doesn't work to their tunnel visioned personal requirements or because the system honestly and objectively sucks, or something in between. Maybe they don't have time to learn how to do things a new way that will save time. They don't have time to learn because they waste so much time doing things the hard way.
      4.) A person who lets the infection inside the castle walls is NOT going to report it out of fear for their job.

      People do these things because they believe they are easier, as a means of control and as a way to create job security. Most people are loyal to friends and family but not to customers or their employers. The loyalty shown to customers and employers is because it is required in return to the thing they ARE loyal to: the paycheck.

      Yes, assuming the servers have good backups, restore and move on. Most backup systems aren't excellent because they can't quantify if or to what extent they are or can account for points 1, 2, 3 and 4. What if the ransomware was time-bombed so your backups are also messed up. How far back do you need to go? How far CAN you go back in time? Either way, you still have to deal with points 1, 2, 3 and 4.

      'Restoring the servers and moving on' completely ignores the human factor. Ransomware, scareware, phishing, whaling and most other successful techniques leverage the human factor - they turn off the thinking, logical brain and turn on the fight or flight lizard brain.

      *SharePoint was used as an example only because the name is recognizable. In no way was referencing it meant to suggest it actually increases productivity by providing easier collaboration between coworkers, simplification of workflows, or increased efficiency of information sharing.

    6. Re:$51K to restore all of the city's computers? by jezwel · · Score: 1

      SharePoint was used as an example only because the name is recognizable. In no way was referencing it meant to suggest it actually increases productivity by providing easier collaboration between coworkers, simplification of workflows, or increased efficiency of information sharing.

      Wait what? We're moving our Lotus Notes applications to SharePoint!
      Noooooooooooo

    7. Re:$51K to restore all of the city's computers? by Anonymous Coward · · Score: 1

      In situations like the aforementioned city government offices, points 1 to 3 are addressed by complete lockdown of local workstations. First the workstations run a virtual machine image of the locked down operating system with the approved configuration and no access to local disks. All reads and writes are from and to secured offsite servers and only by approved programs. No installation of any new applications and only approved applications can run. If somehow a new application is installed, it's wiped at closing time when the virtual machine image is reset back to the initial state in preparation for the next day's business.

    8. Re:$51K to restore all of the city's computers? by kilodelta · · Score: 1

      Well if you're doing it right you just have their My Documents or Documents folder pointed at a file server. But that opens up its own can of worms.

    9. Re:$51K to restore all of the city's computers? by kilodelta · · Score: 1

      When I worked for the RI Sec of State - our public computers ran a Linux distro that wiped on shut down.

    10. Re:$51K to restore all of the city's computers? by Registered+Coward+v2 · · Score: 2

      Well if you're doing it right you just have their My Documents or Documents folder pointed at a file server. But that opens up its own can of worms.

      Yup. For example, the first time someone takes their computer home and doesn't log onto the network they panic that all their files are gone. The fix: Save everything to the desktop.

      Network goes down. Solution: Save everything to the desktop

      The solution isn't technical, even though that is the approach often taken. The problem is that users do not understand how backups work, how to access networks remotely, etc.; and organizations do not want to spend money to actually train them as well as come up with a backup solution that actually works. Users just want to get work done and don't care where and how stuff is backed up, as long as it doesn't make their life harder when using the computer.

      The lack of training goes beyond backups. I've helped friends by showing them how they can add page numbers to documents rather than number them one page at a time; showed them how you can merge an Excel file into Word so that it fills out the appropriate sections instead of cutting and pasting one cell at a time, etc. One person didn't even realize they could save a document under a different name. Some simple things, others not so simple; but all point to a failure to realize where a problem exists. It's easy to say "they can learn" but the reality is people will find one way to do a task and continue to do it that way even if it is painful.

      Sometimes you can see the train wreck coming. I was working with a company that was installing a brand new financial system. When I laid out the training requirements (which were a lot because there would be entirely new screens, process, old ways to fix errors would no longer work, changes in access, etc.) I got "We don't need all of that. It's still a financial system so it should only take a couple of hours to learn. Oh, and by the way, the help desk won't be ready by go live." I ran away as fast as I could. Last I heard they abandoned the project after much time, money and effort and the IT head got canned.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    11. Re:$51K to restore all of the city's computers? by Anonymous Coward · · Score: 0

      Yes, assuming the servers have good backups, restore and move on. Most backup systems aren't excellent because they can't quantify if or to what extent they are or can account for points 1, 2, 3 and 4. What if the ransomware was time-bombed so your backups are also messed up.

      That's why you back up "data" not software. The encryption program shouldn't be saved inside data because data shouldn't be runnable/executable.

    12. Re:$51K to restore all of the city's computers? by Anonymous Coward · · Score: 0

      Exactly, and if they don't for whatever reason have good backups, then several people need to be walked to the door. For a fair amount less than $51,000 a world class backup solution for hundreds of servers and workstations (everything that matters should be server side anyway and just reimage the workstations) can be put in place.

  3. Microsoft will charge more... with less result by JcMorin · · Score: 3, Insightful

    I'm pretty sure Microsoft will charge more AND some data will be lost on many many computers. I don't think they have full disk backup on every computer, plus all the time wasted before everything is back online.

    1. Re:Microsoft will charge more... with less result by kilodelta · · Score: 1

      Well the way it works in state government is mostly no AD or servers for file store. At least from my experience.

  4. Someone messed up big time by Anonymous Coward · · Score: 3, Insightful

    Misconfigured group policy and AD privileges leading to one infectee having the ability to encrypt everyone on the network. What are the odds they even have backups for these systems?

    1. Re:Someone messed up big time by Anonymous Coward · · Score: 1

      Backups? Sounds expensive. We don't have money in the budget for that.

    2. Re: Someone messed up big time by guruevi · · Score: 1

      More like: we don't need that, our $750,000 isilons have everything replicated.

      Followed by: we don't see the need for backup storage within our organization, we built 5 systems in the last few years and nobody uses it.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re: Someone messed up big time by Archangel+Michael · · Score: 4, Insightful

      The pain point for ransomware is low enough that enough people pay it rather than restore from backup and/or try to recover via other means (including re-imaging).

      And if you haven't had a full restore test of all critical systems, then you're already playing with fire. Nobody Ain't Got Time For That (tm) is the normal response.

      I have a saying ... "Good IT is expensive. Bad IT is costly"*. If they lose more than a day's productivity on their compromised systems, they need to just pay the ransom, and learn the expensive lesson.

      *This may or may not be the fault of IT. I've been in IT long enough to see IT make recommendations that are denied because "they are expensive" and I've seen bad IT. I always use risk / reward when outlining IT infrastructure costs. Sometimes the calculus is "if bad shit happens, we'll eat it".

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re: Someone messed up big time by Anonymous Coward · · Score: 0

      Bad advice. *NEVER* pay the ransom. Haven't you heard of Danegeld?

    5. Re:Someone messed up big time by R3d+M3rcury · · Score: 1

      Or, "We don't need backups--we have RAID 1."

    6. Re: Someone messed up big time by HiThere · · Score: 1

      The problem with that analysis is that some people will pay it, and that attacks aren't individually targeted.

      OTOH, reports are that half the time they don't send the decryption key anyway.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re: Someone messed up big time by kilodelta · · Score: 1

      Well some I.T. people can do the "You can pay this or you can pay that" pretty well. I got really good at making comparisons in cost over my career.

  5. Russians by Anonymous Coward · · Score: 0

    Wikipedia reporting that Russians were behind this attack but it has since been censored by russian bots. See the history page:
    https://en.wikipedia.org/w/index.php?title=Portal:Current_events/2018_March_22&action=history

    1. Re:Russians by HiThere · · Score: 1

      Why would you believe Wikipedia on something like this?? On things that aren't emotional, they can be alright, though even there they have the reputation of censoring expert opinions in favor of someone else, or just deciding the entire topic isn't interesting enough.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  6. Dear ransomware folks by Snotnose · · Score: 1

    Can you do the same for the state of California? kthxbye

  7. Look on the bright side -- by Anonymous Coward · · Score: 0

    Hopefully it affected their parking ticketing software and any surveillance cameras run by the city :) And hey, if it gives people a few more weeks, days, or months to pay predatory fines or even erases the fines from the city's records entirely, again, not such a bad thing.

  8. Always pay your ransom by Anonymous Coward · · Score: 0

    It is now part of the cost of doing business.

  9. We tell them and tell them by DarkRookie · · Score: 1

    9 outta 10 a user caused this after opening something they should've.

    --
    The millennial that doesn't like most of the stuff designed for millennials.
    1. Re:We tell them and tell them by Anonymous Coward · · Score: 0

      "should've"

      That word ... it does not mean what you think it means ...

    2. Re:We tell them and tell them by Anonymous Coward · · Score: 0

      "Shouldn't", but yes, you're right. More often than not it's a javascript infested web page.

  10. Who's getting fired? by Anonymous Coward · · Score: 0

    Probably nobody, 'cos well who cares really?

    1. Re:Who's getting fired? by Archangel+Michael · · Score: 2

      There are two answers to this question.

      1) Nobody. Everything was done by committee, so there is no one person to blame, and no one person to take the fall. This is very common in Public Sector domains, there is nobody TO fire, because no one person is responsible for anything. The people at the top are insulated from their boneheaded decisions as they push the blame down the chain. Those down the chain are all in committees that decide everything.

      2) The guy at the Bottom, who was only doing what he was told and allowed to do, but nobody likes. He'll get reassigned to another department because they can't really fire him(her), because the process to fire someone is so bad that nobody actually goes through the whole process ever.

      That's why nobody is getting fired.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Who's getting fired? by HiThere · · Score: 1

      Nobody cares? Didn't you notice that reports say the payroll system was infected?

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:Who's getting fired? by Kjella · · Score: 1

      I've found that the most common catch-all is "It's the process, not the people". Blame the testing process, the training, poor documentation, unclear instructions and agree that we, collectively, must improve as a team. It's almost the inverse scapegoating process that happens in private industry. Same with failed projects, that we ran the ship aground is neither the captain nor the crew's fault it's a fault of our project management process. But with more experience and lessons learned we'll be smarter next time, it's like adding more process will turn poor workers into good workers. Or rather we'd not admit to having poor workers at all, they're just good workers who haven't gotten the support they need to shine. And we're sticking to that story in face of pretty damning evidence otherwise.

      And it sorta works because if we refuse to point out a scapegoat what will they do? Maybe it's an inefficient department, but they need us and we're not in direct competition with anybody. If they really tried to get rid of someone for incompetence that person would probably try to air as much dirty laundry as possible, like why are you singling me out. And when you've never done any spring cleaning, there will be a lot of it... it's the consistent fuck-ups and the people who've been letting them do it over and over again.

      --
      Live today, because you never know what tomorrow brings
  11. Re:If this was Russia I support it. by DarkRookie · · Score: 0

    And be shot. And stabbed. Sent to orbit.
    Or just shot out of a cannon that's aimed towards the sun.

    --
    The millennial that doesn't like most of the stuff designed for millennials.
  12. Yet another victim.. of Windows by SuperKendall · · Score: 3, Insightful

    We all know this means they are running Windows.

    How many more critical systems have to fall victim to this malware/ransomware bullshit before Windows systems are banned for use in anything critical? Even just the greater likelihood of that happening to Windows systems should render them unacceptable to use.

    In a lot of ways, this complete system shutdown is much worse for everyone than a database being stolen which is the worst case for UNIX backends.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Yet another victim.. of Windows by StormReaver · · Score: 1

      How many more critical systems have to fall victim to this malware/ransomware bullshit before Windows systems are banned for use in anything critical?

      How many more times will this happen before I.S./I.T. directors are deemed criminally negligent for this easily preventable and predictable problem? C'mon, putting important stuff on Windows??! How many whacks with the Cluestick are necessary before these people see the blindingly obvious?

    2. Re:Yet another victim.. of Windows by HiThere · · Score: 1

      While that's probably correct, the process of deduction is faulty. I'd say that the basic problem is, at a guess, running Javascript. Given that most systems have some hole you can wriggle through.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:Yet another victim.. of Windows by Registered+Coward+v2 · · Score: 1

      We all know this means they are running Windows.

      How many more critical systems have to fall victim to this malware/ransomware bullshit before Windows systems are banned for use in anything critical? Even just the greater likelihood of that happening to Windows systems should render them unacceptable to use.

      In a lot of ways, this complete system shutdown is much worse for everyone than a database being stolen which is the worst case for UNIX backends.

      It's not really a system problem, but a people one. No matter what system you put in people will still open emails, despite constant reminders and training not to, and infect systems. If Windows went away magically tomorrow the criminals would just target what took over. It's even better if people think the new OS isn't vulnerable because that means they'll avoid taking precautions.

      --
      I'm a consultant - I convert gibberish into cash-flow.
    4. Re:Yet another victim.. of Windows by Anonymous Coward · · Score: 0

      While that's probably correct, the process of deduction is faulty. I'd say that the basic problem is, at a guess, running Javascript. Given that most systems have some hole you can wriggle through.

      The difference is with a *nix system it would have to be a targeted attack requiring much research and effort. With Windows systems an attacker can choose from among many (MANY) pre-existing pieces of malware with a high probability of success with very little effort. This is what happens when there is a large monoculture.

    5. Re:Yet another victim.. of Windows by fat_mike · · Score: 1

      What is your point? The majority of these Ransomware hits are end users that aren't educated correctly. PEBKAC. If *nix became the majority of the desktops used in a business environment then the Ransomware people would just go after every exploit they can find in those. It isn't about the OS, it's about the business educating their employees correctly. Criminals don't care about the way to exploit something for criminal gain, they care about the criminal gain.

    6. Re:Yet another victim.. of Windows by Anonymous Coward · · Score: 0

      What is your point? The majority of these Ransomware hits are end users that aren't educated correctly. PEBKAC. If *nix became the majority of the desktops used in a business environment then the Ransomware people would just go after every exploit they can find in those. It isn't about the OS, it's about the business educating their employees correctly.

      Did you ever try to educate an average user? If not, give it a try and then get back to us. Then perhaps you will understand.

      Criminals don't care about the way to exploit something for criminal gain, they care about the criminal gain.

      Indeed. And criminals tend to go for the low-hanging fruit. You don't have to be ultra-secure per se. You have to raise the bar high enough that you're not worth compromising. This is called hardening the targets. If it really comes down to it, you can get very far just by being a little tougher than your competitors. Unless you really piss someone off and they have a personal vendetta, then this kind of crime tends to be opportunistic. That's part of a comprehensive threat model.

    7. Re:Yet another victim.. of Windows by Anonymous Coward · · Score: 0

      It isn't about the OS, it's about the business educating their employees correctly.

      It is at least partly about the OS. If businesses used *nix systems, the stupid shit that their employees did at home on their Windows systems would be very unlikely to cause problems if they did it at work. And windows still has a culture of installing random stuff from random websites vs *nix using repositories.

  13. Goddammit use AI ... by CaptainDork · · Score: 1

    ... "Oh, let's pretend I click on this link ... what will happen next and what will happen after that? The endgame is ransomware? FLAG ON THE PLAY, CALL IT!"

    --
    It little behooves the best of us to comment on the rest of us.
  14. This is Windows calling... by Anonymous Coward · · Score: 0

    How's it feel to be pwned twice? First from M$, then from M$ again.

  15. psychopath loser by Anonymous Coward · · Score: 1

    Can you do the same for the state of California? kthxbye

    yes because you just love to see destruction, loss and death, it's the only thing left that gives you a boner

  16. GE connection by Anonymous Coward · · Score: 0

    Interesting, so the City of Atlanta CIO, SAMIR SAINI, formerly of GE heads an organization that gets hacked.

    https://www.atlantaga.gov/government/departments/atlanta-information-management/cio-bio

    and former Equifax CIO (also hacked, also in Atlanta) Jun Ying, recently charged with insider trading

    http://fortune.com/2018/03/14/equifax-cio-jun-ying-insider-trading/

    Also formerly with GE.

    Lesson...beware of former GE execs in Atlanta if you don't want to be hacked

  17. Did the lights go out... by Anonymous Coward · · Score: 0

    in Georgia?

  18. Atlanta team of technology professionals by najajomo · · Score: 1

    "At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue .. We are confident that our team of technology professionals will be able to restore applications soon."

    haaaaaAAAAAAAARRRRR!!!

    1. Re:Atlanta team of technology professionals by Anonymous Coward · · Score: 0

      Headed by Lance Bottoms and Dick Cox.

  19. RansomWare? by hduff · · Score: 1

    It's a feature of Windows, not a bug.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  20. But the website is alive. by Anonymous Coward · · Score: 0

    I wonder if the city's "Primary Website" is linux ?

    1. Re:But the website is alive. by HiThere · · Score: 1

      I think you misunderstand the difference between a web site and an operating system.

      That said, Linux also has its holes. There are fewer of them, and more irregularly distributed, and they get patched more quickly, but they exist. It's been claimed by, IIRC, OpenBSD, that they haven't had an exploit in decades, but I don't recall just when I read that claim. I don't think it's true anymore. Still, if security is your concern, then one of the BSDs would be your best choice. But I'll admit that I'm a Linux user.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:But the website is alive. by Anonymous Coward · · Score: 0

      I should have said "I wonder if the city's "Primary Website" is *running* linux ?" I know you were being pedantic. Good for you, bad for me. I should have been precise, it is slashdot after all.

    3. Re: But the website is alive. by Anonymous Coward · · Score: 0

      websites run linux??

    4. Re:But the website is alive. by eneville · · Score: 1

      The difference is the setup. A Unix-like OS will segregate by user and root is rarely needed. In a MS OS you need Administrator to do just about anything, and rarely is software standalone. Can you install Office without Administrator?

      Typically, a service that you expose on the network will not have perms to write to the service storage area. So when malware comes in through the front door, it can't do much other than read storage. If there is an elevation path, well, game over. What's the chance of a service in a MS setup having a route through to admin via AD, just from the way it has been configured with AD access group rights scattered to the four winds? These days AD seems the Achilles heel of MS, not its saviour.

    5. Re:But the website is alive. by LWATCDR · · Score: 1

      And when you do apt-get you almost always use sudo.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  21. Pay? by antdude · · Score: 1
    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  22. Why do I get the sinking feeling by kilodelta · · Score: 1

    That they're still running Windows XP. Or that they haven't installed patches, nor trained their users. And yeah - I pretty much guarantee it's all a Microsoft shop which means even their servers likely got hit.

  23. Re:If this was Russia I support it. by kilodelta · · Score: 1

    I do wish we'd bring back the iron maiden, or even the rack. Those were most effective. Tarring and feathering worked well too.

  24. Have no fear people of Atlanta by Anonymous Coward · · Score: 0

    Have no fear people of Atlanta. APK will be along shortly to tell everyone that if your city government had simply installed his software and then had every employee run that software multiple times a day on their computers that it will eventually stop this attack once someone else updates a hosts entry to block this in a list his software consumes.

  25. Windows by Anonymous Coward · · Score: 0

    What world do you people live in where people doing actual business are not running Windows? Is this some alternate universe than the one I know about and have supported for 30 years?

    1. Re:Windows by bigmacx · · Score: 1

      Exactly. We've been hearing about "Linux on the Desktop" from before Linux was even invented. Give up nerds, we lost. Linux is for us, not for them. They get Windows cake.

  26. Re: If this was Russia I support it. by Anonymous Coward · · Score: 0

    Bring out the pitchforks Huckley!!