For over a week, the City of Atlanta has battled a ransomware[1] attack that has caused serious digital disruptions in five of the city's 13 local government departments. The attack has had far-reaching impacts—crippling the court system, keeping residents from paying their water bills, limiting vital communications like sewer infrastructure requests, and pushing the Atlanta Police Department to file paper reports for days. It's been a devastating barrage—all caused by a standard but notoriously effective strain of ransomware called SamSam.
"It’s important to understand that our overall operations have been significantly impacted and it will take some time to work through and rebuild our systems and infrastructure," a spokesperson for the City of Atlanta said in a statement on Thursday.
Atlanta faces a tough opponent in cleaning up this mess. While dozens of serviceable ransomware programs circulate at any given time, SamSam and the attackers who deploy it are particularly known for clever, high-yield approaches. The specific malware and attackers—combined with what analysts see as a lack of preparedness, based on the extent of the downtime—explain why the Atlanta infection has been so debilitating.
'The most interesting thing about SamSam isn't the malware, it's the attackers.'
Jake Williams, Rendition Infosec
First identified in 2015, SamSam's advantages are conceptual as well as technical, and hackers make hundreds of thousands, even millions of dollars a year by launching SamSam attacks. Unlike many ransomware variants that spread through phishing[2] or online scams and require an individual to inadvertently run a malicious program on a PC (which can then start a chain reaction across a network), SamSam infiltrates by exploiting vulnerabilities or guessing weak passwords in a target's public-facing systems, and then uses mechanisms like the popular Mimikatz password discovery[3] tool to start to gain