In 1864, Confederate forces holding the City of Atlanta came under siege and then attack by General William Tecumseh Sherman of the Union Army during the Civil War. As a result the city was burned, not once, but twice, forever changing its landscape.
Last Thursday, March 22, 2018, the City of Atlanta came under a different form of attack, this time from SamSam ransomware, which encrypted city data and led to the shutdown of a number of City of Atlanta services. Although the City, taking 'emergency action', hired the cyber-security firm SecureWorks to assist with this latest attack, it appears this is not the first cyber attack Atlanta has experienced in the past two years, though it is shaping up to be the most serious.
In a public announcement earlier this week, Atlanta Mayor Keisha Lance Bottoms said, "the city is working on recovering their network."
Although SamSam (and its variants) was first identified by security researchers more than two years ago, it does not behave like most commodity ransomware. Rather than arriving in bulk email, SamSam is deployed by hand: its operators first break into an organisation's servers, in early campaigns by exploiting deserialization vulnerabilities in Internet-facing Java application servers (JBoss), and later by brute-forcing Internet-exposed Remote Desktop logins, and only then spread the ransomware from inside the network.
Preliminary indications are that the City of Atlanta had numerous servers with Remote Desktop Protocol (RDP) exposed to the Internet without multi-factor authentication. In some cases, it appears that several City computers also had SMB (Windows file sharing, Server Message Block) exposed to the Internet. Neither service should be reachable from the Internet at all: RDP belongs behind a VPN or remote-access gateway that enforces multi-factor authentication, and SMB should be blocked outright at the perimeter.
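The quickest way to learn whether you have the same exposure is to test your own public addresses from outside your network. The following is an added example written for this article, not code from the original post, the City, or SecureWorks. It attempts a plain TCP connection to the RDP and SMB ports on each address in a constructed inventory list (the 203.0.113.x addresses are documentation placeholders; substitute your own). Only scan addresses you own or are authorised to test, and run it from outside your firewall (a cloud VM or a home connection), because a check from inside the LAN says nothing about what the Internet can reach.

```python
"""Check whether remote-administration ports are reachable on a list of hosts.

Added example; not code from the original article. The inventory below is a
constructed placeholder. Run this from OUTSIDE your network so the answer
reflects what an attacker on the Internet would see.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Ports that should never answer from the Internet on a business network.
RISKY_PORTS: Dict[int, str] = {
    3389: "RDP (Remote Desktop)",
    445: "SMB (Windows file sharing)",
    139: "NetBIOS session (legacy SMB)",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake completes to host:port.

    A completed handshake means something is listening and the firewall lets
    the connection through. A timeout or refusal only means the port is not
    reachable from where this script runs, which is all we can conclude.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def find_exposed(hosts: Iterable[str], ports: Dict[int, str] = RISKY_PORTS,
                 timeout: float = 2.0) -> List[Tuple[str, int, str]]:
    """Return (host, port, service) for every risky port that answers."""
    exposed: List[Tuple[str, int, str]] = []
    for host in hosts:
        for port, service in ports.items():
            if tcp_port_open(host, port, timeout):
                exposed.append((host, port, service))
    return exposed


if __name__ == "__main__":
    # Constructed placeholder inventory (TEST-NET-3 documentation range);
    # replace with the public addresses you are authorised to test.
    inventory = ["203.0.113.10", "203.0.113.11"]
    findings = find_exposed(inventory)
    if not findings:
        print("No RDP/SMB ports reachable from here.")
    for host, port, service in findings:
        print(f"EXPOSED {host}:{port} {service} - move it behind a VPN/gateway with MFA")
```

A clean result from this script is necessary but not sufficient: it checks only that the port is closed from one vantage point, not that RDP has Network Level Authentication and MFA turned on, or that SMBv1 is disabled, so treat it as a first pass rather than a full audit.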
It is tempting to assume the attack began the way most ransomware infections do, with an unsuspecting city employee clicking an infected link or attachment in a malicious email blasted out to any number of City departments. With SamSam, however, that is not the usual pattern: its operators gain access to the network directly, and the exposed RDP and SMB services noted above are the more likely entry point. Until a forensic report is made public, the initial access vector remains unconfirmed.
Once the operators have a foothold, SamSam behaves the same regardless of whether that foothold came from a software vulnerability, an exposed service, or a human being tricked into letting them in. The payload is copied to the target computer and run; it does not need to contact a server to fetch encryption keys. Instead it generates a fresh symmetric key for each file, encrypts the file with that key, and then encrypts the file key with an RSA public key bundled into the payload. The matching private key never leaves the attackers, so without it the file keys, and therefore the files, cannot be recovered.
At roughly the same time, the operators push the payload across the local network. Unlike worm-style ransomware, SamSam does not spread on its own; the attackers, typically already holding domain administrator credentials, identify network shares and reachable hosts and launch the payload on each of them with ordinary remote administration tools. Shared directories are encrypted first, then every computer that can reach those shares. Where local networks are linked over a Wide Area Network, the intruders can usually reach the other LANs within a few hours, encrypting every computer they encounter along the way.
Either after the encryption process is completed, or at a set time during the network infection process, ransom instructions begin to appear on the compromised computers in the form of a popup message or a dropped text or HTML file.
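The sequence just described, shares rewritten in bulk and then a ransom note dropped, is exactly the pattern a file-server monitor can catch early enough to pull the plug on the offending workstation. The following is an added example written for this article, not code from the original post or from any product; it runs a simple detection over constructed audit records. The record format, the host and user names, the '.locked' extension and the ransom-note file name are all invented for illustration, and a real deployment would parse its own source (Windows Security event 4663, Samba full_audit, or EDR telemetry) in parse_line().

```python
"""Flag ransomware-style bursts of file changes in file-server audit events.

Added example, not code from the original article. The log format, the host
and user names, the '.locked' extension and the ransom-note name are all
constructed for illustration; real sources (Windows Security event 4663,
Samba full_audit, EDR telemetry) need their own parser in parse_line().
"""
import ntpath
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Extensions that legitimately churn on a business file share; a burst of
# renames to anything outside this set is suspicious.
EXPECTED_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg",
                ".png", ".qbw", ".qbb", ".qbm"}  # last three: QuickBooks files


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str   # CREATE, WRITE, RENAME or DELETE
    path: str     # UNC path; for RENAME, the new name


def parse_line(line: str) -> Event:
    """Parse one constructed 'timestamp,host,user,action,path' record."""
    ts, host, user, action, path = line.strip().split(",", 4)
    return Event(datetime.fromisoformat(ts), host, user, action, path)


def looks_like_ransom_note(path: str) -> bool:
    """Heuristic: a text/HTML file whose name talks about decrypting or recovering."""
    name = ntpath.basename(path).lower()
    return name.endswith((".txt", ".html", ".hta")) and \
        any(word in name for word in ("decrypt", "recover", "ransom"))


Alert = Tuple[datetime, Tuple[str, str], str]


def detect(lines: List[str], window: timedelta = timedelta(seconds=60),
           threshold: int = 20) -> List[Alert]:
    """Alert once per (host, user) that rewrites >= threshold distinct files
    inside `window` with most of them taking the same unexpected extension,
    plus one alert per ransom note created."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    recent: Dict[Tuple[str, str], Deque[Event]] = defaultdict(deque)
    already: Set[Tuple[str, str]] = set()
    alerts: List[Alert] = []
    for ev in events:
        key = (ev.host, ev.user)
        if ev.action == "CREATE" and looks_like_ransom_note(ev.path):
            alerts.append((ev.ts, key, f"ransom note dropped: {ev.path}"))
        if ev.action not in ("CREATE", "WRITE", "RENAME"):
            continue
        q = recent[key]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # slide the window forward
            q.popleft()
        if key in already:
            continue
        distinct = {e.path for e in q}
        ext, count = Counter(ntpath.splitext(e.path)[1].lower() for e in q).most_common(1)[0]
        if len(distinct) >= threshold and count >= 0.8 * len(q) and ext not in EXPECTED_EXT:
            already.add(key)
            alerts.append((ev.ts, key,
                           f"{len(distinct)} files rewritten with extension {ext!r} "
                           f"in {int(window.total_seconds())}s; isolate {ev.host} now"))
    return alerts


def constructed_sample() -> List[str]:
    """Constructed audit records: routine editing plus a SamSam-style burst."""
    base = datetime(2018, 3, 22, 3, 14, 0)
    lines = []
    for i in range(5):   # one accountant saving spreadsheets over ten minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()},WS-FIN-03,asmith,WRITE,\\\\FS01\\finance\\report_{i}.xlsx")
    for i in range(25):  # 25 files on the share renamed to .locked within 25 seconds
        t = base + timedelta(seconds=300 + i)
        lines.append(f"{t.isoformat()},WS-ACCT-07,jdoe,RENAME,\\\\FS01\\finance\\invoice_{i}.pdf.locked")
    t = base + timedelta(seconds=330)
    lines.append(f"{t.isoformat()},WS-ACCT-07,jdoe,CREATE,\\\\FS01\\finance\\HOW_TO_DECRYPT_FILES.html")
    return lines


if __name__ == "__main__":
    for ts, (host, user), msg in detect(constructed_sample()):
        print(f"{ts.isoformat()} {host}/{user}: {msg}")
```

The burst rule fires on the twentieth rewritten file, well before the note is dropped, which is the point: by the time the ransom instructions appear the share is already gone. Tune the threshold and window against a week of your own audit logs so that bulk operations you actually perform (a backup job, a mass document conversion) do not trip it, and keep the expected-extension list short, since an attacker choosing a common extension is rarer than an analyst drowning in false alarms.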
Without the attackers' private key, it is practically impossible to recover the encrypted data. Most ransomware operators require the ransom to be paid within a specified time frame, through a specified channel; in most cases Bitcoin or another cryptocurrency is the required form of payment. One unusual aspect of some ransomware operations, SamSam's among them, is the willingness of the criminals to actually assist with recovery of the encrypted files once the ransom has been paid.
That said, there is no assurance that paying the ransom will recover the data, and in some cases victims have reported that they were unable to recover some or all of their files even after paying.
Atlanta officials have reported that while some of the city's systems are slowly being recovered, many other systems remain locked. An unnamed city spokesperson said it is not known when, or even if, all the city systems will be back up and running.
The ransomware attack on the City of Atlanta shows that even large organisations with sizeable internal Information Technology staffs can still carry significant vulnerabilities (in hardware, software, and people) that leave them ripe for cyber attack.
Protecting You and Your Client
I will be teaching an updated version of my course Cyber Security for You and Your Clients at Scaling New Heights 2018 this June in Atlanta. Ransomware is one of the six (6) major forms of cyber security threat we will be talking about during the course, and for good reason. There was a 140% increase in Ransomware attacks from 2016 to 2017, with a 46% increase in the number of new Ransomware variants being detected. In fact the only good news about Ransomware I can share is that the 'average reported ransom' being asked by these cyber criminals actually dropped to $522 in 2017.
Here are some of the best practices we will discuss to help mitigate Ransomware attack exposure:
- Review and assess your current security framework on a continual basis against emerging attacks and existing vulnerabilities
- Scan your network for vulnerabilities on an on-going basis
- Implement rigorous highly secure data backup and recovery processes
- Verify that all systems are patched to current recommended levels
- Review all user access permissions and privilege levels to local and shared resources, and use multi-factor authentication wherever possible
- Restrict use of administrator accounts on all PCs and servers
- Ensure up-to-date (daily) endpoint protection software is in use, including anti-virus, anti-malware, and intrusion detection
- Use 'smart' hardware firewalls and ensure all connectivity flows through them; allow no exceptions that link your network directly to the Internet
- Continuously incorporate cyber-security awareness, education and testing for all personnel on safe practices vs. unsafe practices
- Consider partnering with a professional cyber security service provider with extensive threat analytics expertise to augment your in-house support; your local Internet Service Provider may offer such services, or be able to recommend someone in your area
But be aware that even with the best practices in place, you remain at risk from each new ransomware variant, because cyber-criminals develop and release new variants faster than security firms can detect and counter them.
Tame the Machines
This year's theme at Scaling New Heights is 'Tame the Machines'. While the theme may be centered around the big changes underway with artificial intelligence and the next level of automation, not to mention how those will impact our profession, the reality is that we all have to be concerned about our ability to 'tame the machines' when it comes to cyber criminality that is growing by leaps and bounds. So perhaps it is fitting that Scaling New Heights will be taking place in a city currently under cyber (ransomware) attack.
While QuickBooks ProAdvisors typically are not trained as ‘cyber security experts’, they should have sufficient training and awareness to recognize the most common forms of threats and weaknesses within the various computer networks in which QuickBooks is running.
You may be dealing with your own or your client's single computer, a small local area network, a wide-area network, or even the Internet as the means of access to computers hosting QuickBooks, or while using QuickBooks Online. ProAdvisors need to be ready to recognize threats and seek out the proper methods to prevent or mitigate them, because the machine you need to tame may be your own computer or smart device, turned against you by a cyber attack to rob you of your precious 'data'.
So let's learn together how to 'tame the machines' against potential cyber threats at my class on Cyber Security for You and Your Clients. Please join me, along with more than a thousand of your fellow ProAdvisors, at Scaling New Heights 2018.