Ultra Intelligence & Communications

Ransomware, Atlanta Edition: Another Month, Another Preventable Attack

March 30th, 2018 / By

Oh, Atlanta. Home of perhaps the world’s busiest airport, top educational institutions and a growing film industry that, by some accounts, rivals Hollywood, is the latest victim of ransomware, hit in a March 22 attack. The ninth largest metro area in the nation, with a population exceeding 5.7 million, was effectively knocked offline when municipal computers were idled at City Hall and beyond. Financial and personal data was encrypted pending receipt of a per-computer payment of $6,800, or $51,000 for system-wide restoration. WiFi at Hartsfield-Jackson Atlanta International Airport was disabled as a precaution.

Atlanta’s NBC affiliate, WXIA, identified the ransomware as SamSam, whose operators have collected an estimated $850,000 since last December.

On Wednesday night, Boeing announced that it, too, had been hit by a cyber-attack. Boeing’s official statement is that the attack was limited in scope, that software patches were deployed and that, “to the best of their knowledge”, the crisis is over. The company called media reports “overstated and inaccurate.” Earlier in the day, however, an internal memo had warned that the malware was spreading rapidly, could affect Boeing’s production systems and might spread to airline software.

Boeing declined to say whether the malware was WannaCry.

WannaCry was a particularly destructive ransomware worm that exploited a vulnerability in the SMBv1 file-sharing service of Microsoft Windows, one Microsoft had already patched (MS17-010) two months before the May 2017 outbreak. Its authors incorporated EternalBlue, an exploit developed by the National Security Agency (NSA) and later leaked, which let the malware spread automatically between vulnerable systems with no user action at all. Across the globe, computers were frozen and business operations paralyzed. In the US, FedEx may have been the only major company affected; the effects were far more disruptive in the UK and Russia. The lesson was blunt: the worm only reached machines that had not applied a fix that had been available for two months.

Ransomware attacks, sadly, are no longer a rare form of cyber-assault on the public and private operations Americans rely on daily. Atlanta marks at least the third successful attack on public systems in as many months. The Colorado Department of Transportation was hit twice in less than ten days. Davidson County, North Carolina, hit in February, limped along for more than a month before operations were fully restored; that attack affected critical capabilities, including the 911 call center.

As reported in USA Today, a study last year by the Ponemon Institute found that half of the organizations surveyed experienced one or more ransomware incidents in 2017, and 40 percent experienced multiple attacks. An IBM report found that 70 percent of businesses have been ransomware victims, with most paying more than $10,000 to regain their data. In January, an Indiana hospital system paid a $50,000 ransom to regain access to its patient records.[1]

Preventing or quickly recovering from these attacks is not difficult in principle, but it does take discipline. Human error is inevitable; someone will always click a corrupted link or open a malicious download, so defenses cannot rest on user judgment alone. Professional antivirus is a solid first layer, but only a layer: it misses new variants, and it cannot help once files are already encrypted. Backups are what actually resolve a ransomware incident, provided they are kept where the ransomware cannot reach them (offline, or in cloud storage that a compromised machine cannot overwrite or delete), updated regularly and, critically, tested by actually restoring from them. Add prompt patching, since WannaCry spread only to machines missing a two-month-old fix, and network segmentation so that one infected workstation cannot encrypt every share in the enterprise. Ransomware proliferates because it pays; it pays because too many organizations’ IT resources fall short of these basic data-safety procedures.
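Because the user will eventually click, the practical defense is to notice bulk encryption early enough to isolate the host before it reaches the shares. The following is an added example, not code from the original post or from Ultra/3eTI: a small host-side detector run over constructed file-activity log lines. It flags a process that touches many distinct files across several directories within a short window (the signature of a ransomware encryptor renaming everything it can reach) and any write to a “canary” file that legitimate software never touches. The `ts pid process op path` line layout is an assumption standing in for a Sysmon- or EDR-style file-event feed normalized to that shape; the sample events, process names and paths are constructed.

```python
"""
Added example (not from the original post): a minimal ransomware detector run
over constructed file-activity log lines in an assumed "ts pid process op path"
format, where op is WRITE or RENAME and path is the file being written or the
rename destination.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    ts: int
    pid: int
    proc: str
    op: str     # WRITE or RENAME (path is the destination for RENAME)
    path: str


def parse_event(line: str) -> Event:
    # Path is the last field and may contain spaces, so split at most 4 times.
    ts, pid, proc, op, path = line.split(" ", 4)
    return Event(int(ts), int(pid), proc, op, path)


def detect(lines, window=60, min_files=20, min_dirs=2, canaries=frozenset()):
    """Return (kind, pid, proc, ts) alerts.

    "mass_write": a process touched >= min_files distinct files spread over
    >= min_dirs directories within `window` seconds (emitted once per process).
    "canary": any write or rename hit a canary path (emitted per event).
    """
    alerts = []
    recent = defaultdict(deque)      # (pid, proc) -> deque of (ts, path)
    flagged = set()                  # processes already reported for mass_write
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.path in canaries:
            alerts.append(("canary", ev.pid, ev.proc, ev.ts))
        key = (ev.pid, ev.proc)
        q = recent[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if key in flagged:
            continue
        paths = {p for _, p in q}
        dirs = {str(PureWindowsPath(p).parent) for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            flagged.add(key)
            alerts.append(("mass_write", ev.pid, ev.proc, ev.ts))
    return alerts


# Constructed sample input (assumption): a user saving one document repeatedly,
# then a hypothetical encryptor renaming 25 files across two directories and
# touching a canary document nobody should ever open.
BENIGN = [
    f"{1521766800 + i} 4211 winword.exe WRITE C:\\Users\\clerk\\Documents\\budget.docx"
    for i in range(30)
]
DIRS = ["C:\\Users\\clerk\\Documents", "C:\\Shares\\Finance\\FY2018"]
RANSOM = [
    f"{1521766900 + i} 7733 rundll32.exe RENAME {DIRS[i % 2]}\\record{i:02d}.xlsx.locked"
    for i in range(25)
]
CANARY_PATH = "C:\\Shares\\Finance\\zz_do_not_open.docx"
CANARY_TOUCH = [f"1521766930 7733 rundll32.exe WRITE {CANARY_PATH}"]
SAMPLE_EVENTS = BENIGN + RANSOM + CANARY_TOUCH
CANARIES = frozenset({CANARY_PATH})


if __name__ == "__main__":
    for kind, pid, proc, ts in detect(SAMPLE_EVENTS, canaries=CANARIES):
        print(f"{ts} ALERT {kind}: pid={pid} proc={proc}")
```

The benign editor writes the same file thirty times and is never flagged, because the heuristic counts distinct files and directories rather than raw write volume. The encryptor trips `mass_write` on its twentieth file and `canary` when it reaches the decoy; in a real deployment either alert would drive an automatic host isolation and a kill of the offending process, which is what limits the damage to one workstation instead of every mapped share.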

What will be the next system to fall to insufficient cybersecurity? The airport? Power utilities? If municipal and government IT networks are this vulnerable, how safe is the infrastructure we rely on that, if breached, could kill us?

That infrastructure is powered by components far more vulnerable than those underlying our Windows networks. It consists of dumb, single-purpose sensors and meters that cannot run host-based security software such as antivirus and so cannot be individually protected.

Many of these devices are programmable logic controllers, or PLCs, which direct and automate basic functions such as temperature control and lighting. In February 2017, Plant Engineering’s Kevin Parker wrote that researchers now expect PLCs to become targets of ransomware.[2] He cited the Booz Allen Hamilton Industrial Cybersecurity Threat Briefing, which counted at least 15 major industrial incidents, including one in April 2016 that hit the Lansing, Michigan electric and water utility, the Board of Water & Light (BWL). In that attack, criminals delivered ransomware to BWL via phishing, forcing a shutdown of the corporate network.

Parker’s article also cited findings from a SonicWall report indicating a rise in ransomware-as-a-service: with free or very inexpensive kits, criminals with minimal technical skill can unleash ransomware. Industrial control systems (ICS), which as a whole lack strong security controls and protocols, are easy targets.

With ransomware on the rise and little in place to stem its spread, we applaud every governmental and industry effort to shore up critical-system defenses. Their work is cut out for them.

As Dale Peterson noted in a March 2017 article on Medium, ICS will likely see “smarter ransomware and targeted attacks” that penetrate controllers. Among the reasons: “Recovery from PLC ransomware is much more difficult and expensive than computer ransomware… [It] will require replacing hardware. The simplest ransomware impact is to load bad firmware that overwrites the firmware upload process. This ‘bricks’ the PLC and requires replacement or return to factory of the affected cards.”

While PLC and controller vendors are working to improve security for new devices, the overwhelming majority of installed infrastructure remains essentially defenseless. Solutions like 3eTI’s CyberFence provide a certified, operationally seamless means of countering the ransomware threat to ICS.

The alternative for control-system operators is to dramatically accelerate PLC upgrades or replacement. However, the costs and uptime risks during implementation may approach those of a cyber-breach.

Critical-system operators must weigh their risk profiles against the pros and cons of every available solution. The good news is that options are available for plug-and-play implementation into legacy systems, and come with a government-recognized seal of approval.

[1] Elizabeth Weise, “Atlanta hit by ransomware attack, city employees told not to turn on computers,” USA Today, March 23, 2018.

[2] Kevin Parker, “Current issues in industrial cybersecurity: Ransomware is as loathsome as it sounds; programmable logic controllers (PLCs) seen as likely targets,” Plant Engineering, February 27, 2017.