The Night the Lights Went out in Georgia (Almost)

Thursday, March 29, 2018

Ben Carr


As I sat down on a Friday afternoon to reflect on the past week, I felt the need to comment on the fact that the City of Atlanta is facing outages that affect not only the internal operations of the city but also its consumers, the residents of Atlanta. On Thursday morning, Atlanta's systems were hit by ransomware. Systems were affected in various areas of the city's infrastructure, initially reported as the court and bill-pay systems. As employees began to show up for work they were directed not to turn on their computers, in order to prevent the ransomware from spreading and to limit the impact. At this time the originator of the attack is unclear, but what is clear is that there is at least one motive behind it: a monetary demand of $51,000 in Bitcoin.

While the actor is as yet unknown, the City is working with the FBI, Homeland Security, and its vendors to determine the source and to find a solution without paying the ransom. For those who have not been involved in the ransomware space, the amount might seem somewhat trivial. $51,000? Why not just pay it and be done? On the surface this seems like the easy solution. It's only $51,000. But the next question you should ask is what happens next time: will it still be only $51,000? Will paying embolden the actor to raise the stakes? What if you pay the sum only to find the systems aren't unlocked? Most importantly, who are you actually funding?

The increasing momentum of ransomware is a concerning trend. The fees to unlock a system after an incident tend to be low in order to make the decision a cut-and-dried one for the impacted entity. It's far easier to rationalize paying a relatively small sum that is only mildly painful. Often the affected individual seeks a quick resolution, and those who can't afford the ransom typically find that replacing a hard drive costs less than the ransom when the value of the data isn't very high. Situations like Atlanta start to change the dynamic; public institutions, governments, corporations, and healthcare all have more serious potential concerns. There is the damage to public perception, the impact on customers and employees, potential regulatory issues, and, in the most severe cases, one can imagine the potential for injury or loss of life. The trend indicates that the problem is getting worse, especially as more potential actors see the business case behind effective campaigns. The size of the demand is also starting to balloon in some cases once the potential impact is visualized; take for example the case of Equifax in September of 2017, when they were served with a demand of $2.3M.

Who are the primary actors behind ransomware? What is their motivation? We can look to the ease of monetizing this type of attack to explain its increase in velocity. Criminal organizations in areas of the world where it's easier to create a ransomware campaign than to find a legitimate job certainly account for a significant piece of the problem. Organized crime has also seen this as a new frontier for additional revenue; however, there is an even more concerning aspect to the problem. Consider rogue nations that have come under increasing pressure from the world powers and face tightening sanctions and external pressure. Where do they find the funds they desperately need in the face of ever-tightening scrutiny? Look no further than an effective ransomware campaign. It is quick, easy money, and transactions masked by cryptocurrency make it too tempting a vehicle for filling their coffers to pass up.

Some are starting to ask whether it is really even about the money. For the vast majority it is, but ransomware also becomes a vehicle for malicious actors to cause disruption and impact to the underlying infrastructure. It's a way to probe and see where organizations or governments aren't sufficiently protecting their assets. It's a way to make consumers and citizens question whether they can really trust the entities they interact with.

The underlying question is what we should do. Obviously, the time for not taking security seriously has passed; unfortunately, too many companies still don't. Do you have an effective security policy? Are you fully funding the controls necessary to protect your organization? Does your policy cover ransomware effectively? Most importantly, do you know what data is critically important, and do you have a plan for maintaining that data and recovering it? We need to look at endpoints as more than just end-user workstations; they are usually the most exposed and easiest systems to breach. Look to endpoint protection products that not only alert on system exposure but offer protection against malicious use and, optimally, have the capability to roll back in the event of a compromise. At the end of the day it's not about the breach; it's about how you recover.
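The recovery plan the paragraph above asks for is only as good as the backups it rests on, and a backup nobody has verified is a plan nobody has tested. The following is an added example, not code from the author or from Cyberbit, of the simplest useful check: a SHA-256 manifest taken when the backup is made, and a verification pass that reports which files are intact, altered, missing, or unexpected. The directory layout, file names, and the simulated damage in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Record the SHA-256 of every file under root, keyed by relative POSIX path.

    Take this at backup time and store it separately from the backup itself
    (offline or on write-once media), so that damage to the data set cannot
    silently be accompanied by damage to the record of what the data should be.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(root, manifest):
    """Compare the current contents of root against a manifest.

    Returns a dict with four sorted lists:
      ok         - files whose hash still matches the manifest
      altered    - files present but with a different hash (e.g. encrypted in place)
      missing    - files in the manifest that no longer exist
      unexpected - files on disk that were never in the manifest (e.g. dropped notes)
    Any entry outside 'ok' means this copy cannot be trusted for recovery as-is.
    """
    current = build_manifest(root)
    result = {"ok": [], "altered": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["altered"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    for key in ("ok", "altered", "missing"):
        result[key].sort()
    return result


def demo():
    """Constructed scenario: snapshot a small 'critical data' set, then simulate
    the kinds of damage an incident leaves behind (one file overwritten with
    random bytes, one deleted, one unexpected file added) and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "critical_data"
        (src / "billing").mkdir(parents=True)
        (src / "billing" / "invoices.csv").write_text("id,amount\n1,42.00\n")
        (src / "court_docket.txt").write_text("case 1: hearing 2018-04-02\n")
        (src / "readme.txt").write_text("critical data set\n")

        manifest = build_manifest(src)  # taken while the data is known-good

        # Simulated damage (constructed for the example, not real malware behaviour):
        (src / "billing" / "invoices.csv").write_bytes(os.urandom(64))  # overwritten in place
        (src / "court_docket.txt").unlink()                             # deleted
        (src / "UNEXPECTED_FILE.txt").write_text("constructed placeholder\n")  # new file

        return verify_backup(src, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```

Run this periodically against each backup copy, not just once after the backup job finishes; a copy that verified clean last month and is now reported as `altered` or `missing` tells you the backup target itself is reachable from the compromised environment, which is exactly the condition a recovery plan has to rule out before an incident rather than discover during one.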

About the author: Ben Carr is the VP of Strategy at Cyberbit. Ben is an information security and risk executive and thought leader with more than 20 years of results-driven experience in developing and executing long-term security strategies. He is focused on solving security issues that address current business objectives while balancing today's operational risks. Ben has demonstrated global leadership and experience through executive leadership roles at Tenable, Visa and Nokia.
