It’s been almost a week since the City of Atlanta was hit by a ransomware attack, which encrypted city data and led to the shutdown of some services.
Mayor Keisha Lance Bottoms said in a press conference Monday that the city’s government is working on recovering the network after ransom notes appeared on computer displays on Thursday afternoon. The city has hired local cybersecurity firm SecureWorks to assess the situation.
Reports say the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers, was used in the Atlanta attack. Details of the attack remain largely unknown, but an early investigation may have identified who is behind it, said SecureWorks chief executive Michael Cote. Almost a million dollars has been reaped from other businesses that were infected and paid the ransom. It’s not known if Atlanta will pay.
"The attack is an important reminder of the need to ensure that the city’s digital infrastructure is secure and up to date," said Bottoms in a Monday press conference.
But according to one security firm, last week’s cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the WannaCry outbreak.
New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city’s network was silently infected last year with leaked exploits developed by the National Security Agency.
The cybersecurity firm’s founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor between late April and early May 2017.
That was more than a month after Microsoft released critical patches for the flaws the exploits target and urged users to install them.
The NSA exploits were stolen in 2016 in one of the biggest breaches of classified files since the Edward Snowden disclosures. The hackers who stole the exploits, known as the Shadow Brokers, attempted to auction off the files but failed.
Microsoft learned of the theft of these tools and, fearing that they would be used or publicly released, quietly released security patches for the exploited flaws in March. Weeks later, the tools were dumped online for anyone to use.
According to Williams, the city’s networks were left unpatched for weeks — making them vulnerable to ransomware attacks.
"Based on our data, we can say for an organization of its size, the city of Atlanta had a substandard security posture in April 2017, making the scope of the ransomware attack far from surprising," Williams told ZDNet.
Williams also wrote up his findings Tuesday in a detailed blog post.
Just two weeks later, the WannaCry ransomware attack hit. The attack was the biggest of its kind, spreading through several countries and infecting hundreds of thousands of computers. The ransomware used the leaked NSA exploit dubbed EternalBlue, which attacks a flaw in Windows SMB, drops the DoublePulsar backdoor and waits. It’s that DoublePulsar backdoor that allows an attacker to remotely execute a malicious payload, such as ransomware.
Williams said his firm detected 148,000 infected machines at its peak, all of them directly connected to the internet. That figure doesn’t account for the vast number of machines connected to those infected servers, so the final number of machines at risk was likely significantly higher.
Williams stopped scanning for infected servers shortly before the WannaCry attack, and only by chance: as security patches were applied, the number of vulnerable systems was going down.
It’s not known if Atlanta patched its network during that two-week period before the WannaCry attack.
When reached, a spokesperson for the City of Atlanta was unable to comment on specific questions we had.
Williams confirmed that, as of Monday, none of Atlanta’s systems remain infected by the NSA-developed backdoor, though, he said, it’s not known whether the clean-up was a response to Thursday’s cyberattack.
Atlanta’s recovery efforts continue "around the clock," said Bottoms.
CSO security reporter Steve Ragan reported earlier Tuesday that the portal used to pay the ransom, should the city decide to do so, has been pulled offline by the ransomware attacker. A screenshot of a city employee’s computer, which included the dark-web address used to access the payment portal, had been publicized by local media.
Although some of the city’s machines are slowly coming back online, many systems remain locked. For now, it’s not known when — or even if — the city will get fully back up and running.
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.