Though Atlanta has not announced the specifics, a screenshot provided to 11 Alive provides some clues. The publication says analysis of the ransomware by experts points to the MSIL or SAMSAM variant, which has been active since 2016. The same strain hit US healthcare facilities during that time period, gaining access via an outdated JBoss content management application. SAMSAM exploits Java-based servers by compiling a list of hosts reporting to the active directory. It then uses psexec, a Microsoft Sysinternals tool, to distribute the malware and encrypt PCs.
Working with Microsoft
Various services have been affected by the attack, including bill payment and court data systems. Speaking in a press conference, Major Keshia Bottoms disclosed further information. “Our information management team is working with the FBI, Homeland Security, and also external partners from Microsoft and CISCO cyber security incident response teams to help resolve this issue. We have been working dilligently all day long to try and come to some type of resolution.” Bottoms also admitted they’re unsure of the extent of the attack, and asked customers and employees to monitor their bank accounts as a proactive measure. The City of Atlanta hasn’t yet determined if it will pay the ransom, but previous experiences with SAMSAM indiciate that the decryption keys provided don’t always work. Despite the attack, the Altanta government is running largely as normal today, with vital infrastructures unnaffected.