On Thursday 22nd March, the city of Atlanta in the US came under fire from a huge ransomware cyber attack. The criminals behind the attack focussed on billing systems and court networks, virtually crippling many of Atlanta’s public services. With a population of nearly half a million people, the repercussions of this breach could be catastrophic.
Ransomware, put simply, is a form of malware that completely blocks a victims computer when it manages to infect it. This is often done through encryption. The malware then demands some type of payment from the victim in the form of an onscreen message. If the required amount is paid the files and access is often restored to the victim. There is usually always a monetary motive with ransomware and the payment is usually requested in the form of Bitcoin due to its anonymity.
We saw some of the largest ransomware attacks ever performed last year. The NHS fell victim to WannaCry, a specific and more dangerous type of ransomware. The health sector has always been heavily targeted by ransomware due to the impact of infection and the potential for casualties if networks are unavailable. Since the goal of ransomware is to extort money, it makes sense to target an industry that would be desperate to resolve problems if they were hacked. This is extremely similar to the case in Atlanta. The criminals realise that government have a lot of available money and their networks are some of the most important systems that exist, therefore, paying a ransom to prevent these going down is often the only available option.
The organisation behind the Atlanta ransomware attack have requested that the city pay around $6,800 in bitcoin per affected PC or $51,000 to unencrypt the entire system.
The Mayor has made a statement that all those living in Atlanta should be vigilant of their bank accounts as the severity of the breach has not yet been fully discovered. When asked if the city had failed to take action on known vulnerabilities she stated that they had been implementing a “cloud strategy” to migrate critical systems to secure infrastructure which had lessened the scope of the breach. However the implementation had not been completed.
Even if the fee is paid in full and the local government complies with the hackers every demand, there is still no guarantee that their systems will be restored in full. Only roughly 50% of organisations who comply with ransom demands actually regain control of their systems. This is because attackers often do not have the ability to unencrypt the data, or simply do not care.
After reading this, you are no doubt beginning to worry about your own organisations security in the prevention of malware. Many people fall into the trap of thinking “I’ll make sure we’re secure soon” and then one day wake up and realise they waited too long. They become the newest name on a long list of ransomware victims.
Preventing this from happening is easy. In comes Cisco AMP. AMP stands for Advanced Malware Protection and has revolutionised the way organisations can protect themselves from cyber-attacks. Cisco AMP utilises point-in-time protection as well employing several other technologies such as Global Threat Intelligence, Advanced Sandboxing, Continuous Analysis, and Retrospective Security to closely monitor everything in-and-around your network.
Here is a diagram showing how outdated anti-virus systems work:
In the diagram below you can see how Cisco AMP works to protect your network. Cisco AMP is unique because it does not just evaluate your files when they enter, but it also constantly scans the internet (with the help of Talos) and strictly monitors and records anything that enters. It is extremely likely that this attack would have been prevented if the City of Atlanta had Cisco AMP running on their network.
If you would like to know more about preventing ransomware attacks on your organisation or Cisco AMP then please don’t hesitate to Get In Touch. We would love to have a conversation with you and answer any questions you may have.