In May, I gave a presentation to security professionals at Yankee Stadium. Part of my presentation referenced the recent ransomware infection in the City of Atlanta. As I proceeded, I viewed blank faces and not one head nodding. “Who knows what happened in Atlanta?”, I inquired. No one raised their hand. I paused the presentation for an ad lib summary of the security problems in Atlanta.
In late March, the city of Atlanta was hit with ransomware. The ransomware encrypted files on the city’s servers related to police tickets, online payments, and court documents. The ransom was $55,000 and the authorities chose not to pay the ransom. Four months later, Atlanta’s servers have not been restored. It is estimated that the cost of Atlanta’s infection is over $10,000,000 and still growing.
Whenever a plane crashes, the National Transportation Safety Board conducts an investigation and publicizes the details of the malfunction. The rationale is simple – to reduce plane crashes. Sadly, the same logic does not apply to ransomware infections.
Here’s what we know. The virus was a two-year-old strain called SamSam. The ransomware had recently been the culprit in a string of successful infections targeted at government agencies. In the first three months of this year, the virus successfully infected the city of Farmington, NM; Davidson County, NC; the Colorado Department of Transportation; and the city of Atlanta. It should be noted that during the same period, SamSam also infected a hospital, a university, and Allscripts Healthcare Solutions.
Since the virus was two years old and infecting high-profile targets, it was certainly on the radar of the antivirus industry. In fact, most antivirus products (blacklist or otherwise) would have blocked the SamSam virus. The $10,000,000 question is “What antivirus was deployed by the city of Atlanta?” Knowing the answer would benefit our society and certainly any government agency that might be using the same antivirus.
The most important function of any antivirus in the ransomware era is to identify and block an infection BEFORE it can take hold. Certainly, price, user interface, and post-remediation features are important, but they are secondary to detection rates. The only thing we know is that the antivirus products contracted by the city of Atlanta; Davidson County, NC; Farmington, NM; and the others all had poor detection rates on a two-year-old virus.
The first modern ransomware infection happened in September 2013. Since that time, every year, the ransomware problem accelerates. The reason for the escalation is that the technologies to protect our computing infrastructure are inferior to the technologies the cyber mafia employs to attack. Since their motivations are financial, that gap is still growing.
Up to this point, the motivations behind ransomware have been financial. I believe the concern for any American should be if the motivations move from financial to harm and destruction. Although awareness of the Atlanta breach inside of the United States is poor, it could serve as a blueprint on how to architect devastation to our country. Computers and servers are embedded into the fabric of our ways of life, and a successful terrorist cyber attack should be cause for concern for all of us.
To read the full Q2 2018 PC Pitstop newsletter, click here.