For many IT personnel, March 2018 did not follow the old farming proverb of coming “in like a lion and out like a lamb.” Multiple high-profile ransomware attacks rattled both private and public sector networks, with Boeing and the cities of Atlanta, Georgia, and Baltimore, Maryland, being affected. These three cyberattacks exhibit not only the different ways by which hackers target vulnerable IT infrastructure but also how an effective, quick response can minimize the overall damage of the attack.
WannaCry and SamSam … What’s the Difference?
Dominic Gates from The Seattle Times is reporting that the ransomware used in the attack on a Boeing production plant in North Charleston, South Carolina, was a variant of WannaCry. Sean Gallagher, writing for Ars Technica, states that while the type of ransomware attack used on the Baltimore computer-aided dispatch (CAD) system is unclear, it appears that Atlanta was hobbled by a strain of the SamSam ransomware.
WannaCry is a ransomware worm that initially appeared in the wild in May 2017. Once the malware was able to get onto a machine, it exploited a vulnerability in the Microsoft® Server Message Block (SMB), a protocol that aided communication between nodes on a network. This exploit allowed the worm to travel unimpeded from one vulnerable machine to the next. While the first several variants of WannaCry were easily halted by using a kill switch built into the malware, it has since been altered to make it more persistent. It likely entered a network as a malicious attachment to an e-mail or through a network vulnerability.
SamSam first appeared in 2015 in targeted attacks of hospitals. Tom Spring of ThreatPost notes that unlike traditional malware, SamSam was a strain of server-side ransomware that “exploited unpatched server vulnerabilities.” This method allows for a remote execution attack rather than relying on a user falling victim to a phishing campaign, for example. Once on the network, the attackers can sniff around to identify high-value data systems and end points to encrypt. The threat actors deploying SamSam chose hospitals (and possibly the city of Atlanta) because of the likelihood of those institutions running older technology.
These recent attacks highlight how a quick response can help alleviate a critical security situation. Though, as Gates reported, Boeing was initially panicked about the ransomware attack, it was resolved quickly, and by the evening on Wednesday March 28, it was “not a production and delivery issue.” The attack on Baltimore’s CAD system was resolved after 17 hours, as the city was able to rapidly isolate the infection before it spread to other networks.
Atlanta, however, has not been so lucky. On Saturday March 31, Reuters reported that after 9 days, city officials were in the office attempting to not only “restore critical systems” but also continue to determine the extent of the losses. City officials still aren’t disclosing the extent of the damage, but there is a chance that the backup servers are corrupted, potentially leading to massive data losses.
These differing responses clearly exhibit one thing: How well you recover from a cyberattack is directly correlated to how well you prepared ahead of time. Both Boeing and Baltimore detected, isolated, and eventually halted attempted ransomware incursions in a timely fashion. This is equally due to strong antivirus protection and having clear lines of communication in case of emergency.
Some of the blame in Atlanta falls on the SamSam strain of ransomware. Because it relies on vulnerabilities in public-facing servers (either in the servers’ software or weak username/password combinations), it’s more difficult to detect an incursion due to the lack of interaction with a user. Additionally, once on a network, the threat actors who use SamSam actively manage the attack, moving laterally through the network and choosing targets prior to encrypting any data.
In a chat with Wired, Jake Williams of Rendition Infosec notes that “ideally organizations will detect them before they start the encryption,” which did not happen in Atlanta. Rendition Infosec also published a blog post showing that Atlanta was severely neglecting cybersecurity best practices, particularly in the wake of a previous attack in April 2017.
So, what can you do to fight back? Follow cybersecurity best practices:
- Stay on top of software updates, and patch regularly.
- Stress the importance of using strong passwords to protect critical infrastructure and data.
- Have clear lines of communication for employees or contractors to report potentially malicious activity.
- Keep separate backups of critical data, and implement a regular backup schedule.
While these practices may not completely prevent malware from getting into your operation’s IT network or infrastructure, they will help minimize any impact of an attack. And, in the event of a ransomware infection, it’s much easier to quickly discover and report the malicious activity and to wipe the infected systems and recover from a backup. With ransomware attacks on the rise, it’s much cheaper, as well.