What's Happening In Atlanta and How Do I Avoid It?

By: Bill Walter

Seven days later, and Atlanta is still working to get back to normal. You might expect that a government agency would have superior protection on their networks, but this is clearly false. It just proves the point that anyone can be a victim of a cyber attack.

Still, a ransomware lock-up is a hefty project to deal with. With what’s going on in Atlanta, it’s clear to see that recovering from a cyber crisis is complicated. Let’s dissect exactly what’s happening in Atlanta, and diagnose the possible ways to resolve and avoid a cyber attack.

Here’s What We Know:

The cyber crisis started on March 22, 2018 in Atlanta’s court system. Several employees reported that a ransomware message appeared on their computers, and their basic computer functions were locked up.

After this was reported, Atlanta’s government officials acted fast to follow the right protocol. Following the right protocol could help you save thousands in a malware attack. They likely instructed employees in each affected office to shut off their computers and devices. Then, they assembled a highly specialized team that included city employees, law enforcement, the FBI, DHS, and the Secret Service to investigate the situation at hand.

After several days of lock-up, the city government is still in a ransomware recovery state. Their computers were allowed to be turned back on and some internet services have been restored, but they’re still assessing how many devices are infected. The demands from the hackers are still on the table, but the city has not paid, and is determined to avoid paying the $51,000 bitcoin ransom fee.

How Could This Have Happened?

There are a few ways a ransomware attack typically infects a network. The number one way that malicious entities access a computer network is through a company’s employees. While criminal insiders are a big threat to network security, a lot of hacks get in through employees who are simply unaware of cyber security best practices.

Faulty or outdated software can be an easy target for malware hackers as well. Software developers frequently release security patches that will protect users from known security threats. If the software isn’t up-to-date, then a hacker can take advantage of that known issue to get in.

Take a look at the widespread WannaCry ransomware attacks in 2017. The hackers infected a slew of organizations through a known Microsoft security vulnerability. Organizations that didn’t keep up on their updates were sitting ducks waiting to be picked off by hackers.

There’s a lot of confusion about antivirus software as well. Many believe that antivirus software is the best protection out there against online threats, but that’s not the case. Yes, your antivirus is your first line of defense against small threats, but if it’s not configured to alert the right staff members when there’s an update or an incoming threat, it’s useless – leaving you open to inbound malware threats.

Some suspect that this hack was the work of SamSam, a ransomware family that has exploited vulnerabilities in healthcare software and in exposed Remote Desktop Protocol (RDP) services. While we can speculate on how the malware got into Atlanta’s government network, it won’t be conclusive until they’ve finalized their investigation.

Why Aren’t They Back Online Yet?

Hopefully, by the time you’re reading this post, they’ll be back online and working smoothly. CNN reported that while some computers are being turned back on, they’re still processing court documents and other important procedures by hand – yikes!

According to this survey, 44% of companies recover from cyber attacks within minutes or hours. It’s somewhat unusual to be locked down for this long, especially for an organization that’s in the center of the public eye.

We see a lot of cases where an organization has forgotten about their backup systems. It’s easy to forget about them, but backup systems are one of the most crucial pieces of infrastructure in your network setup. Why? It’s the fastest, cheapest way to recover from a malware attack.

It’s also possible that the malware hacker accessed all of their backup files in addition to their existing system, which would explain the length of the lockdown — but that’s a stretch.

We could argue all day about what went wrong, but the real story lies in their response.

What Did They Do Right?

Once ransomware gets into a network, it freezes an organization’s ability to operate like it usually does. The organization immediately has to go into disaster recovery mode. The steps that are taken here determine whether an organization will recover well or crumble after a hack occurs.

Public perception is a huge, if not the biggest, problem when it comes to malware attacks. If clients, prospects, shareholders, and anyone else who relies on your organization gets word that you’ve been hacked, you’re immediately regarded with less credibility.

Atlanta’s government officials did a great job keeping federal partners, employees and the public informed of the incident. They created this FAQ page so the public could understand what’s happening. They used their Twitter account to release instant updates and helpful tips for making it through. They conducted a press conference with the Mayor of Atlanta, Keisha Lance Bottoms, and several government and cyber security personnel to keep the public informed. While the citizens of Atlanta are inconvenienced by the malware attack, they’re not forming angry mobs and Twittercizing (get it, Twitter criticizing?) the victims of the hack.

Another point we can’t ignore is that Atlanta is avidly avoiding paying this ransomware hacker. IT professionals and law enforcement agents will always advise not to pay a hacker, which is the equivalent of doing the school bully’s homework. As long as you continue to do the homework, the bully is going to keep asking for it, and they’ll get their friends to start asking, too.

How Would You Avoid A Hack Like This?

We’ve said this before, and we’ll say it again: it’s no longer a question of if you’ll get hacked, but when. With a few handy tips, you can avoid a situation like the one the City of Atlanta is dealing with:

Keep your backups updated. Set a calendar appointment, or put someone capable in charge of them. Either way, make sure they are always up to date and functioning in case of an attack like this.

Train your employees. You should have an internet usage policy for your organization and a day-one cyber security training session. Then, keep your employees informed of the latest email and internet threats. If they don’t know about it, then they could click on something dangerous and not even know it.

Maintain your software. We get it — keeping on top of software updates can be a pain. Just do it anyway, and your software will be so much safer to use.

Scan your network for vulnerabilities. Find free tools like the Network Detective, which scans your network and reports back all the ways a hacker could get through. It’s free, takes minutes, and can save you from a catastrophic attack.

Talk to your IT providers about your options. If you feel like you can’t manage these on your own, it may be time to talk to your IT provider about additional options. With a Virtual CIO or a managed services subscription, you can have an outside expert who minimizes your cyber security threats without taking up all your time and money.
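The first tip above says to make sure backups are "always up to date and functioning." A backup that exists but is weeks old, or that was silently truncated by a failed job, is exactly what turns a ransomware incident into a week-long outage. The script below is an added example, not code from the original post or from any backup product: it takes a backup catalog (a manifest listing each backup's name, SHA-256 digest and completion time) and the stored payloads, and reports every backup that is missing, corrupt, or older than the allowed recovery-point window. The manifest format, the 24-hour policy and the sample backups are all constructed for illustration; in practice the payloads would be read from the backup store and the manifest from your backup software's catalog.

```python
"""Backup freshness and integrity check (added example, not part of the original post).

Assumptions (constructed for illustration): backups are recorded in a manifest
that lists each backup's name, SHA-256 digest and completion time (ISO 8601, UTC),
and the stored payloads are available as bytes.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Maximum acceptable age of the newest backup for each system (constructed policy).
MAX_AGE = timedelta(hours=24)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a backup payload."""
    return hashlib.sha256(data).hexdigest()


def check_backups(manifest, payloads, now, max_age=MAX_AGE):
    """Return a dict mapping backup name -> list of problems ([] means healthy).

    manifest: list of dicts with keys 'name', 'sha256', 'completed'
    payloads: dict name -> bytes as actually present in the backup store
    now:      timezone-aware datetime used to judge staleness
    """
    report = {}
    for entry in manifest:
        problems = []
        name = entry["name"]
        data = payloads.get(name)
        # Integrity: the stored bytes must hash to what the catalog recorded.
        if data is None:
            problems.append("backup file missing from store")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append("checksum mismatch (corrupt or tampered)")
        # Freshness: the last completed backup must be inside the policy window.
        completed = datetime.fromisoformat(entry["completed"])
        age = now - completed
        if age > max_age:
            problems.append(f"stale: last completed {age} ago")
        report[name] = problems
    return report


def healthy(report) -> bool:
    """True only if every backup in the report has no problems."""
    return all(not problems for problems in report.values())


# --- constructed sample data (not real Atlanta data) ---
COURT_DB = b"court case records snapshot"
PAYROLL = b"payroll export"
FILESHARE = b"file share archive"

NOW = datetime(2018, 3, 22, 9, 0, tzinfo=timezone.utc)

SAMPLE_MANIFEST = [
    {"name": "court-db", "sha256": sha256_hex(COURT_DB), "completed": "2018-03-22T02:00:00+00:00"},
    {"name": "payroll", "sha256": sha256_hex(PAYROLL), "completed": "2018-03-22T02:30:00+00:00"},
    {"name": "fileshare", "sha256": sha256_hex(FILESHARE), "completed": "2018-03-15T02:00:00+00:00"},
]
SAMPLE_STORE = {
    "court-db": COURT_DB,
    # The payroll job failed part-way and left a different file behind.
    "payroll": b"payroll export (truncated by a failed job)",
    # The fileshare backup never landed in the store at all.
}


def run_sample():
    """Run the check over the constructed sample catalog and store."""
    return check_backups(SAMPLE_MANIFEST, SAMPLE_STORE, NOW)


if __name__ == "__main__":
    for name, problems in run_sample().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it on a schedule and page someone when `healthy()` is false; the point is that "we have backups" is only true if something checks them every day, because the one that matters will be the one that quietly stopped working.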

Need Help?

The City of Atlanta is not the first organization to experience a large-scale ransomware attack, and it most certainly won’t be the last. The best way to prevent this problem is to be proactive about cyber security needs, allocate the right budget to IT, and stay informed on the latest threats.

If you have any questions about how to protect yourself against a ransomware attack, contact me here or give me a call at 410.685.5512.

Published March 29, 2018
