The Samsam attack against the city of Atlanta in March was chaotic and crippling. The ransomware, named for the group responsible for development and deployment, left the city scrambling to deal with critical systems that were forced offline, hampering civil services including utility payments and municipal court appointments.
“While stakeholders perceive that the city is deploying security controls to protect information assets, many processes are ad hoc or undocumented, at least in part due to lack of resources. Dedicating resources to formalize and document information security management processes would prepare the city for certification, and, more importantly, provide assurance that the city is adequately managing and protecting its information assets,” the audit report explained.
The published audit was performed to assess whether the city was ready to meet certification requirements under ISO 27001, and while Atlanta has strengthened its security program since beginning the certification project, there were several outstanding issues at the time the report was published.
The Atlanta Auditor’s Office said the city has gaps that would prevent it from passing a certification audit, including missing or outdated policies and procedures; inconsistent definitions of scope; a lack of formal processes to identify, assess, and mitigate risk; and a lack of formal process to manage risks associated with third-party service providers and suppliers, just to name a few.
These findings align with public disclosures by security researchers, who observed several open RDP instances in the public space – none of which were using two-factor authentication, and several servers exposed to the public running SMBv1.
On top of that, Jake Williams at Rendition Infosec reported that Atlanta was silently infected in 2017 by DoublePulsar, a backdoor developed by the NSA and leaked to the public after the tool was stolen. The city was infected more than a month after Microsoft released the patches that close the vulnerability the tool relies on, but the infected servers were eventually patched.
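The gaps described above (internet-reachable RDP without two-factor authentication, SMBv1 still enabled, and critical patches applied weeks after release) are all things an asset inventory can flag before an attacker finds them. The following is an added example, not code from the article, the city, or any vendor named in it: a small Python check over a constructed inventory export. The field names (`internet_facing`, `listeners`, `mfa`, `smb1_enabled`, `patch_released`, `last_patched`), the hostnames, the dates and the 30-day patch window are all assumptions for illustration, not any product's schema or any real Atlanta host.

```python
"""Flag exposure gaps in a host inventory export (added example).

Assumes a constructed list of dicts such as an asset-management tool might
export. Field names, hostnames, dates and the patch window are assumptions.
"""
from __future__ import annotations

from datetime import date

# Constructed sample inventory: three hosts showing the kinds of gaps the
# auditors and researchers described, plus one host that is in good shape.
# The dates are made up for the example.
INVENTORY = [
    {"host": "web-01", "internet_facing": True,
     "listeners": [{"port": 3389, "service": "rdp", "mfa": False},
                   {"port": 445, "service": "smb", "smb1_enabled": True}],
     "patch_released": date(2017, 3, 14), "last_patched": date(2017, 5, 1)},
    {"host": "app-02", "internet_facing": True,
     "listeners": [{"port": 3389, "service": "rdp", "mfa": True}],
     "patch_released": date(2017, 3, 14), "last_patched": date(2017, 3, 20)},
    {"host": "file-03", "internet_facing": False,
     "listeners": [{"port": 445, "service": "smb", "smb1_enabled": True}],
     "patch_released": date(2017, 3, 14), "last_patched": None},
    {"host": "db-04", "internet_facing": False,
     "listeners": [{"port": 1433, "service": "mssql"}],
     "patch_released": date(2017, 3, 14), "last_patched": date(2017, 3, 15)},
]

PATCH_SLA_DAYS = 30  # assumed policy: critical patches applied within 30 days


def assess_host(host: dict) -> list[str]:
    """Return human-readable findings for one host (empty list if clean)."""
    findings: list[str] = []
    exposed = host.get("internet_facing", False)

    for listener in host.get("listeners", []):
        # RDP on the public internet with no second factor is the first gap
        # named in the article's disclosures.
        if listener["service"] == "rdp" and exposed and not listener.get("mfa", False):
            findings.append("RDP reachable from the internet without 2FA")
        # SMBv1 is a finding wherever it is enabled; note whether it is
        # also reachable from outside.
        if listener["service"] == "smb" and listener.get("smb1_enabled", False):
            where = "internet-facing" if exposed else "internal"
            findings.append(f"SMBv1 enabled on {where} host")

    # Patch lag: compare the vendor release date with the date it was applied.
    released, applied = host.get("patch_released"), host.get("last_patched")
    if released is not None:
        if applied is None:
            findings.append("critical patch never applied")
        else:
            lag = (applied - released).days
            if lag > PATCH_SLA_DAYS:
                findings.append(f"critical patch applied {lag} days after release")
    return findings


def assess_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map hostname -> findings, listing only hosts with at least one finding."""
    report: dict[str, list[str]] = {}
    for host in inventory:
        findings = assess_host(host)
        if findings:
            report[host["host"]] = findings
    return report


if __name__ == "__main__":
    for name, host_findings in assess_inventory(INVENTORY).items():
        print(name)
        for finding in host_findings:
            print("  -", finding)
```

Run as a script it prints the two hosts with findings; in practice the inventory would come from a scanner or CMDB export and the report would feed a ticket queue rather than stdout. The point is that each of the article's three gaps is a mechanical, repeatable check once the inventory exists, which is exactly what the audit meant by formalizing ad hoc processes.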
Now, in the aftermath of the Samsam incident, it has been revealed that the city of Atlanta earmarked $1.4 million for recovery and incident response. While it might not spend all of the money, the allocated funds tell a powerful story about clean-up and preparedness when it comes to security.
Originally, it appeared that Atlanta had posted final figures, but when speaking to ZDNet, a city spokesperson said the figures listed on the city’s procurement portal were projected expenses that were not to be exceeded.
The city has earmarked $50,000 for crisis communications from Edelman, a firm known for their work in this area. That figure is pretty standard according to some PR experts who spoke to Salted Hash, but crisis communications will vary from project to project, as each client will have unique needs. In this case, it would appear the firm helped with public notifications, statements to the media, and statements made by city officials. However, the exact nature of the contract remains unknown.
There is also an entry of $60,000 for Cisco Security Incident Response Services, and again the fee and vendor selected are not at all unexpected. Cisco has worked several cases related to Samsam, and it is likely the city has them on retainer. Another $60,000 was earmarked for Surge Support Staff Augmentation from Mosaic451 – an MSSP headquartered in Phoenix, Arizona. Mosaic451 counts CIRT services and forensics among its services.
The expenses for Secureworks ($650,000) and Ernst & Young ($600,000), for Emergency Incident Response Services and Advisory Services for Cyber Incident Response respectively, appear excessive. If the city actually has to pay those amounts, the projections represent a serious financial punishment.
“I completely agree with the stance that the FBI takes on discouraging the payment of ransomware. SPAM, phishing and ransomware attacks are only as attractive as the money that can be obtained from them and their associated scams. That said, what this attack reveals, is the expense of recovering from an attack when unprepared,” said John Hodges, VP of Product Strategy at AvePoint.
Keep in mind, the ransom demand was only $52,000 and the city refused to pay. Rightfully so, as payment only encourages further attacks. But sometimes payment is the lesser of two evils. The Samsam group knows this, as they price their ransom demands in a way that encourages payment.
As Salted Hash previously reported, the Samsam actors have made nearly a million dollars since last December, because in those cases it was cheaper to pay than it would have been to recover. Sometimes payment was made to prevent further downtime; other payments were made because the victim simply couldn’t recover without giving in to the demands.
But in all Samsam cases, the victims were caught by surprise, as the opportunistic Samsam group targeted weaknesses in their environment, such as RDP or server vulnerabilities. Salted Hash recently published an in-depth look at Samsam for those who need a primer on the group, covering tools and common attack profiles.
While it isn’t a pretty conclusion, clearly the gaps in Atlanta’s security posture led to this catastrophic and financially painful incident. It’s unfortunate, but it’s also a cold reality when things get missed or systems fall between the cracks of a growing network environment.
Side Note (Opinion):
When the procurement figures were first reported by ZDNet, I was honestly shocked, and more than a little outraged at what appeared to be price gouging. Looking at the numbers, they come off as vendors taking advantage of a city that needs a lot of help. Now, however, given that the figures represent a total cap not to be exceeded, it is clear that Atlanta expects the recovery phase to last for some time.
With luck, the city won’t have to spend all of the allocated funds, but at the same time, if Atlanta wants to get its network environments up to snuff and pass the ISO 27001 audit, it may need every penny.