The Atlanta ransomware breach

(foreboding music) - [Instructor] In March, 2018, the city of Atlanta was forced to tell constituents that a large swath of city operations were shut down due to a cybersecurity breach. In an incident that became one of the largest municipal cyber attacks to date, Atlanta had lost access to a large number of systems. It would be weeks before they restored normal operations.

City official had been tight-lipped about the source of the breach, but cybersecurity researchers have learned quite a bit by studying the activity of similar attacks. While most ransomware is delivered by phishing schemes and similar attacks that broadly target whomever happens to fall victim, the SamSam ransomware used in this attack against Atlanta is the tool of choice for a group of attackers following a careful methodology. These attackers, nicknamed Gold Lowell by the Dell Secureworks Threat Intelligence Team, scout out their targets in advance and only deploy ransomware in the final stages of their attack.

They typically seek out a weakness in one of the target systems, and use that weakness to gain an initial foothold on the network. They then use a set of hacking tools to gain administrative access to their initial target system and leverage the access they have to that system to spread across the entire network. Once they've stealthily penetrated systems across the target's network, they then roll out their ransomware to quickly render all of the data stored on those systems completely inaccessible. That pattern of activity seems to match the symptoms experienced by Atlanta.

As the attack unfolded, city technology staffers found themselves suddenly thrust into the spotlight. Citizens were demanding the restoration of services, city employees were panicking about being able to carry out their job functions, and the media was demanding answers. Atlanta city officials brought in a host of consulting firms to help investigate the attack and restore service as quickly as possible. Before they could accomplish this, they needed to understand what had happened and how they could restore service without triggering a second attack.