Why ransomware attacks target local governments like Atlanta

Read the Full Transcript

• Judy Woodruff:

  The city of Atlanta says it is slowly making progress in restoring its computer networks.

  Hari Sreenivasan explains how nine days, after a cyber-attack brought city services there to a virtual standstill, systems are finally coming back online.

• Hari Sreenivasan:

  Atlanta is among the largest, but only the most recent victim of ransomware attacks, where hackers gain entry to computers, seize files, and lock out users until a ransom is paid.

  The FBI received more than 2,600 such complaints in 2016. A group known as SamSam is thought to be behind the Atlanta hack. They have already extorted more than $1 million this year from some 30 organizations.

  The FBI advises not to pay extortion money to hackers, saying it emboldens criminals, and doesn't guarantee that the seized data will be returned. Atlanta officials have not said whether they paid the $51,000 ransom demanded of them.

  For more on the scope and consequences of these modern-day shakedowns, we turn to Allan Liska, senior intelligence analyst with the security firm Recorded Future.

  Thanks for joining us.

  Put this Atlanta hack in perspective for us. How significant is it?

• Allan Liska:

  Thank you for having me, Hari.

  It is actually pretty significant in terms of the scope of the damage. This is, though, one of the things that the SamSam group does as part of their attack structure. A lot of ransomware that we see is broadly distributed, so attackers going after as many targets as possible.

  The SamSam group is a little bit different. They study their targets, they take their time getting in, and then once they have accessed the network, they make sure that they deploy the ransomware in a way that does the maximum damage possible.

  And Atlanta is one of the biggest targets that they have hit.

• Hari Sreenivasan:

  When we think of hackers, oftentimes, the stereotype by Hollywood is a teenager sitting in their basement by themselves.

  But when you talk about groups like this, is this one of the new faces of organized crime?

• Allan Liska:

  Absolutely.

  The SamSam group is well-organized. They're well-funded. They have carried out attacks since at least December of 2015. They have brought in several million dollars over the last couple of years. So it's — I hate to use the term, but it's a thriving enterprise.

• Hari Sreenivasan:

  So, let's talk a little bit about Atlanta. They have been pretty tight-lipped on exactly what's been affected.

  But what kind of services, if it's not Atlanta, but other cities, are switching from paper to digital that could fall prey to this kind of attack?

• Allan Liska:

  So, in Atlanta right now, we see this with their court system being — having to switch back to paper and not being able to pay fines, speeding tickets or access other services.

  This happens a lot. When you have a group that plans their ransomware attack carefully, they will make sure that it's disruptive. We saw this last year with the attack on the San Francisco BART system, where an attacker got in and installed ransomware on the fare system, so that everybody who went to go buy the ticket saw that the systems had been infected with ransomware.

• Hari Sreenivasan:

  So it seems that cities and companies put up kind of firewalls to try to keep hackers from getting in kind of directly, but it seems that the human beings inside are the weak links. They get an e-mail, they click on a link, and then all of a sudden the bad guys are inside the network, so to speak.

• Allan Liska:

  In this particular case, that's not what happened, but that's the primary distribution of ransomware is through phishing e-mails, a fake invoice, a link to a bad Web site.

  That is the primary distribution. The good news is that type of ransomware is actually on the decline. So we saw a big drop in that at the end of 2017, and that's continued into 2018. Part of that is organizations are getting better at protecting themselves from that type of ransomware.

  This type of ransomware is a little bit different, because this is targeted, and this is a group that is willing to weeks or months in order to gain access to the networks they want to get to. That is a much harder — that's a much harder group to protect against.

• Hari Sreenivasan:

  We see this story because it's the city of Atlanta, but if you go back and kind of search Google News, you are going to see that the Baltimore Police Department and the fire department here in Colorado, state by state, city by city, they're experiencing these attacks and they're kind of under the radar.

• Allan Liska:

  This is a change in tactic that we have seen over the last year or so.

  So, ransomware used to be, again, widely distributed, widely attacked, but a lot of corporations have stepped up their security and made it much more difficult for these attackers to gain access.

  However, hospitals, health care facilities, government agencies, state and local governments specifically, don't have the resources to fully secure their systems the way some of these other companies, you know, banks and so on, do. So they have been more susceptible to these ransomware attacks.

  They also have oftentimes a mandate to pay the ransom, because either constituent services are being disrupted or patient services are being disrupted. So they tend to be more likely to pay. So they're good targets because they will often pay. And they're, I don't want to say easy targets, but because their security teams tend to be stretched thinner, there's more — a bad guy is more likely to find a mistake.

• Hari Sreenivasan:

  All right, Allan Liska, senior intelligence analyst at Recorded Future, thanks so much.

• Allan Liska:

  Thank you.