In light of the recent and ongoing ransomware cyberattack affecting the City of Atlanta’s IT systems, we sat down with Onepath’s Senior VP of Engineering and Technology Patrick Kinsella, to get his perspective on the events of the last week. The ransomware attack began on Thursday, March 22, and affects almost half of the city’s systems, from Municipal Courts to Watershed Management. On Tuesday, March 27, city employees were advised to turn their machines back on. By Friday, a few systems were slowly starting to come back online, but a couple were still not back up.
Q: What is ransomware?
A: It’s the information technology version of someone breaking into your home, locking you out of it, and demanding a ransom to regain entry; all the while you hope your belongings are intact when you’re able to return. In the IT world, the items behind held captive could be personal health information (PHI), or other personally identifiable information (PII), which may actually belong to your business’s customers or stakeholders.
Q: When a ransomware cyberattack happens, what are the first things a business, or in this case a city, usually does to respond?
A: The first thing is, do everything you can to stop the bleeding. You determine what you need to shutdown, and what backups need to be stopped from running to avoid poisoning the last good copy, assuming you’ve been diligent in running backups. In a different incident, for example, Hancock Health shut everything off after being hit with ransomware—computers, backup scripts—within 90 minutes. For the City of Atlanta, they seem to have followed that procedure as well.
Secondly, after freezing and turning off everything, it’s all about the execution of your incident response plan. An incident response plan is largely about the communication that needs to happen with your staff, vendors, end-users, and the media. If you’re affected by ransomware, it’s a point in time where you really hope you are prepared with such a plan, because it’s about what steps you need to begin executing from the technology you have running your systems, to all the ways you may need to communicate out to your stakeholders. If you’re a regulated organization, such as healthcare, there are actually regulatory requirements about communicating the incident. If you don’t have an incident response plan, it’s key to get leadership all into the same room and communicating to make a plan on the fly.
Q: How does a business get back to normal operations?
A: Define normal operations. Normal as you see it today is not normal after an attack. I compare it to having your home broken into. Will it ever be quite the same afterward? Your perspective, awareness, and even how you operate changes. You may upgrade your home security system, install cameras, add extra locks or floodlights, or think twice about if everything is secured before you leave the house. It’s the same for a CIO — does your business operation ever really feel the same? You end up defining a new normal.
As far as the execution of the incident response plan to get your business running again, you end up taking advantage of the backups and security programs you have in place. The time and resources involved in the specific responses to an IT security incident is going to be expensive. Remediation after a ransomware attack usually costs more than the ransom. In another similar incident at a hospital in Erie County, New York, they spent an estimated $10M in order to restore operations without paying the $30,000 ransom.
Q: Is an attack like this something you’ve seen or heard of before? Is the outcome ever favorable?
A: It’s been on an uptick this year especially. The attacks have seemed heavily focused on municipalities and healthcare: Colorado DOT, Erie County, City of Atlanta, Allscripts…
The outcome is never favorable. You’re dealing with the media attention and the negative impact on your brand while losing the faith of your stakeholders who have trusted you with their data. Plus, the attackers may still have a copy of all of your data and your stakeholders’ data even after it seems over. And beyond that, there’s the disruption and expense you’ve had to go through and pay for, whether or not you pay the ransom.
Q: Who are these attackers?
A: “Hackers” can make them sound like hobbyists, whereas these people are in the business of hacking. They’ve defined the price point low enough that it could be perceived as a rounding error, but high enough they can justify the commitment for the return on investment. They’re smart business people. They are not just dumb criminals trying to extract millions from random targets. These people are the electronic version of historical organized crime.
We would probably be surprised if we knew who was behind it. But this is well thought out and executed. We’re doing ourselves a disservice if we don’t think of it as a business seeking a return on investment (ROI).
Q: Who should be concerned about this type of attack?
A: You can look at it from a few perspectives.
End user: If you live in a city or go to hospital, these organizations hold your data. It potentially affects all of our lives and all of our personal information. Some folks aren’t necessarily aware thinking that if they mail in a check instead of paying online, that they’re in the clear, missing the fact that it’s handled electronically on the backend.
Specific industries: Municipalities and healthcare seem to be the focus so far this year. I would be extra concerned if I were a healthcare organization or a municipality right now. That’s not to say these attackers won’t expand their targets.
Supply chain: They proved for Hancock Health in Indiana that it was a 3rd party vendor’s administrator credentials used as the entrance point. You should be concerned if you’re a vendor to one of these organizations because as a vendor you could be held accountable for the supply chain effect of your own vulnerability being used to open up a backdoor into a larger and richer target organization.
Q: Is something like this avoidable?
A: No attack like this is 100% avoidable. You’re always a potential target, but the key is to make yourself a less attractive target Make sure the basics are covered: fix and remove all the easily exploitable vulnerabilities and invest in proper security awareness training so all stakeholders, staff, and vendors are acting diligently as stewards of your assets and information, almost like a a neighborhood watch program. You need to be the organization that’s harder to penetrate to make the ROI less attractive for the attackers, leading them to search for targets elsewhere.
Q: Did anything surprise you about this incident or others?
A: What’s surprising about it, is that the vulnerabilities they’re exploiting are very basic. Basic blocking and tackling was missed here and in other recent examples. Many recent newsworthy ransomware attacks didn’t have to leverage advanced/expensive social engineering tactics. None of these leveraged previously unknown vulnerabilities. This is simply a case of exploiting known holes that have just not been patched. To go back to the burglary metaphor, you may have locked all your doors, but your downstairs window may have been left wide open.
Regardless of your opinion in the immediate aftermath, many of these victims are well-respected organizations. You’d never think a mature organization like these would fall behind, but it is difficult to criticize them for being victims, because they are likely in the majority of organizations, with wide open vulnerabilities that exist today in spite of all the media attention on these attacks. How many neighbors need to be burglarized before you decide to spend the money to repair the broken window lock in your basement?
Q: What might be going through the decision-making process of “should we/shouldn’t we” when it comes to actually paying the ransom?
A: A number of questions you’d be asking: If we pay or don’t pay, will we actually get everything restored? What’s to say they can’t come back again? What additional vulnerabilities will they have created before access is restored? Most importantly, what information have they created a copy of and what kind of breach does that constitute?
From a stakeholder perception standpoint, even if the ransom is less money than internal remediation, what does it say about your business in the court of public opinion? Not to mention the encouragement to these hacker “businesses” that their business strategy is working. Plus if you pay, essentially you are funding them to further advance their technology, resources, and reach.
Q: What are some of the lessons we can learn from the cyberattack situation in Atlanta?
A: The message here is, don’t find yourself in this scenario, as there is no clean exit. An ounce of prevention is worth a pound of cure. It’s really all about making yourself a less attractive target. The hackers’ basic scans should see you as someone that’s much harder to penetrate. Again, it’s a business for them, so make their ROI unattractive.
The other critical lesson: make sure you have an incident response plan in place. It’s one thing to be hit with an attack; it’s another thing to not know what to do when panic sets in.
Q: Am I at risk at home? How about my children’s devices? Do I need to be worried about this for my family?
A: Yes, the risk absolutely applies to home computers and other personal devices.
Four basic things you can do to help reduce risk to your family:
- Backup. Leverage a cloud-based backup solution. There are plenty of vendors to choose from that offer inexpensive ways to keep safe copies of your data.
- Teach. Train your family around social engineering tactics. How do you and your children determine what is safe? Be as vigilant with your time on the web as you are walking around your neighborhood at night.
- Update. Keep personal devices up-to-date with Windows or iOS updates, antivirus software, etc. These updates often include security patches for known vulnerabilities. Most attacks target known vulnerabilities that just haven’t been addressed.
- Unplug. What if it happens? If you get hit, turnoff and unplug, and reach out to a professional.