
Atlanta ransomware attack destroyed years of police dashcam video

Loss of dashcam footage could compromise investigations, including those concerned with driving under the influence (DUI) cases.

In March, a SamSam ransomware attack brought the city of Atlanta to its knees.
Six days after the city’s online systems were shut down on 22 March, Atlanta was still rescheduling court dates, police and other employees were still writing out reports by hand, and residents couldn’t go online to pay their water bills or parking tickets.
The attackers demanded a ransom of what was then roughly $52,000 worth of bitcoin. It’s never a bargain to pay crooks, and there’s no guarantee that if you do, they won’t come back for more. But the ransom pales in comparison to the $2.6 million worth of emergency contracts the city initiated to claw back its systems.
After all that, months later, the pain just keeps coming. On Friday, Atlanta Police Chief Erika Shields said that years’ worth of police dashcam video has been lost for good and can’t be recovered.
Shields told The Atlanta Journal-Constitution and Channel 2 Action News that her department hasn’t lost access to investigatory files or other crucial evidence: access to these files was quickly restored after the attack, she said.


But loss of dashcam footage could compromise an undetermined number of investigations, including those concerned with driving under the influence (DUI) cases.
Shields downplayed the importance of dashcam video, saying that there are other forms of evidence that can help them make cases:

I’m not overly concerned, I’m really not. Because that’s a tool, a useful tool, for us. But the dashcam doesn’t make the cases for us. There’s got to be the corroborating testimony of the officer. There will be other pieces of evidence. It’s not something that makes or breaks cases for us.

But The AJC talked to legal experts and police officers who disagreed. They said that yeah, actually, that footage really is pretty crucial in certain cases.
Attorney Manny Arora told the newspaper that the loss will “most likely favor the state a little bit more because now it’s going to be the officer’s word about what happened on the street versus what the defendant has to say.”
Ken Allen, an Atlanta police union official and a retired investigator, also told the news outlet that video evidence can help determine if an officer is at fault in cases that involve the use of force or investigations into collisions that involve police. Shields noted that bodycam footage hasn’t been lost, however.
The AJC reported another example: a case that involved footage of a police sting of a former employee fired for allegedly destroying an open records request. An investigator on that case said that 105,000 files on his computer had been compromised.
Not an issue, Shields said: other evidence supports the former employee’s firing:

Employees have to back up documents. Even if it’s not related to a criminal investigation, if it is of some value to you, you have got to be backing this stuff up. I think it was a painful but useful lesson in IT security for all of us.

There are other useful, just as painful, lessons too.

Defending against SamSam

Unlike most other forms of high profile ransomware, SamSam is used in targeted attacks where victims are hand picked and the attacker’s approach is tailored to cause maximum damage and disruption, and to extract a very high ransom.
Because SamSam attacks are relatively rare and the methods involved differ from one victim to the next, defending against it can be difficult.
However, there are common threads to the attacks and Sophos has published an article outlining four tips for improving your protection against SamSam and other targeted ransomware over on our sister site, Sophos News.
You can also read more about SamSam in SophosLabs’ recent whitepaper, SamSam ransomware chooses its targets carefully.
For more on dealing with ransomware, listen to our Techknow podcast.



2 Comments

I have to differ with your statement that ransomware attacks are rare. Ransomware attacks are happening more often than are being reported. This is one of those dirty little secrets that makes organizations look embarrassingly IT incompetent and they do not want the public to know about it.
I know of two ransomware attacks on significant organizations where I live in the last three years that NEVER were made public and will NOT come up in a Google search. One was a governmental organization and the other a medium-sized privately owned corporation. I know this because former co-workers who worked at these organizations have told me that they have gone through this.
Just paying for the recovery key does not guarantee a computer or server is back to its original state, is clean or will work properly again. In both situations almost all computers and servers needed to be wiped, reimaged and restored. Backed up virtual servers can be restored very quickly. Fortunately in both situations files and data on Azure and O365 were not infected or affected.
Also, I can guarantee you that this attack cost the city of Atlanta a lot more than $2.6 million, probably MUCH more than $10 million just due to lost employee productivity for many days alone.
PS. Many IT system admins will tell you that drivers and computer firmware “BIOS or UEFI” never need to be updated. This is ignorant and totally wrong. If Dell tells me that an updated driver is “Critical” that tells me a lot right there. Yesterday Dell went so far as to call me up and told me that a model of workstation we own needs a “BIOS” update because some BIOS versions can cause unstable boots. I have also seen BIOS versions that cannot be BitLockered or will cause unstable hard drive encryption.

Nobody said ransomware attacks are rare. Lisa’s article states: “SamSam attacks are relatively rare”.
SamSam attacks are rare relative to other kinds of ransomware attack.
Most of the damage inflicted by ransomware is done in untargeted, scattergun attacks using software like Locky and GlobeImposter. They’re sent to huge numbers of people and charge a relatively modest ransom. Around $300 seems to be the sweet spot.
The SamSam attackers pick a victim, break in, look around, take time to get the access and permissions they need, and then configure the SamSam ransomware for that victim. The ransoms are in the region of $50,000.
You can get a better idea of how rare Sophos thinks the threat of ransomware is by reading our article “Are organizations prepared for the ransomware threat?” (spoiler: Sophos doesn’t think it’s rare) https://nakedsecurity.sophos.com/2018/01/30/are-organizations-prepared-for-the-ransomware-threat/
