While events are still unfolding, we’re piecing together facts pertaining to the March 22nd ransomware attack on the City of Atlanta. As an Atlanta-based company, my colleagues at Raxis and I have been keeping a close eye on the happenings since the attack. The City of Atlanta has so far successfully kept people informed without revealing information that may be critical in responding to the attack.It appears that the epicenter of the attack was Atlanta’s municipal court (including tickets, citations, and other information) and bill-payment systems. I examined the Municipal Court of Atlanta website as I researched this post late Monday and found that the site displayed an error message explaining that payments could temporarily be made at a different site. When I clicked through to that site, I was given two options: a link back to the original site where I had started and a link to an error message, both seen here. Whether these sites were directly affected by the attack or are disrupted as part of the aftermath, people using these sites are affected just the same. The 'Online lookup tool' on the same page leads to a webpage that times out. It is possible that this service was not affected by the ransomware attack directly, but access to this page may have been removed as a precautionary measure to prevent further attacks. Based on these observations, we can infer that the attack has effectively diverted Atlanta’s resources to understanding, containing, and recovering from the attack. A trusted source tells Raxis that Atlanta is still working to fully confirm that critical infrastructure systems, such as fire, water and the airport, have not been impacted. All systems that may have been impacted have been taken offline until their state of compromise can be determined.Employees have been directed not to turn on or login to their workstations, which is another proactive security measure implemented in immediate response to the attack. A source has informed Raxis directly that vendors have physically been locked out of city buildings since the attack took place. A direct source has also confirmed to Raxis that construction companies have been unable to obtain permits that had already been submitted for approval due to the attack.Raxis also noted Atlanta’s Outlook Web App (OWA) and GIS server were displaying application errors after the attack. The City of Atlanta appears to be working around the clock to fix these services, nonetheless, these issues speak to the severity of the attack and the breadth of Atlanta’s response to an active threat.

What can we speculate about the attack itself?

The city has not released details about the attack yet, but we can speculate. A Raxis source stated that the attackers were demanding three bitcoin per decrypt key. Internet sources shows that the attackers are asking $6,800 per system or $51,000 to unlock the entire Atlanta system. While the math does not quite add up (currently Bitcoin rates are $8,056.44), we can see that the costs are high but also possible for Atlanta to pay.Raxis has spoken to a trusted source who confirmed that it is believed that the attackers gained access to Atlanta systems using MS-RDP (Microsoft Remote Desktop Protocol) and then installed SamSam ransomware which made the ransom demand. Our source stated that, as of close of business on Monday March 26th, Atlanta had not made a determination of whether to pay the ransom or to pursue other methods to recover business continuity.

RDP (Remote Desktop Protocol)

As noted above, a trusted Raxis source has informed us that the current belief is that attackers used MS-RDP as the entry point to Atlanta’s network. Raxis’ source, while not privy to the passwords that were harvested in the attack, believes that passwords likely were weak, which may have contributed to the success of the attack.While the focus currently is on the ransom demands, the full access that the attackers may have achieved in this type of attack likely may have allowed them to create back doors to Atlanta systems that they accessed, which would allow them to maintain a persistent presence for use in future attacks. Atlanta now finds itself in a position where it does not know whether a persistent threat is present on the internal network. It will need to maintain ongoing vigilance to determine the effectiveness of its response.Both the externally accessible MS-RDP service and the possible use of weak passwords are security issues that many companies deal with. This attack makes clear the importance of basic security housekeeping in protecting any network.

Patching & EternalBlue Rumors