Atlanta Projected To Spend At Least $2.6 Million on Ransomware Recovery (zdnet.com)
Atlanta is setting aside more than $2.6 million on recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city's online services. ZDNet reports: The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildly fluctuated in price. But the ransom was never paid, said Atlanta city spokesperson Michael Smith in an email. Between the ransomware attack and the deadline to pay, the payment portal was pulled offline by the ransomware attacker. According to newly published emergency procurement figures, the city is projected to spend as much as 50 times that amount in response to the cyberattack. Between March 22 and April 2, the city budgeted $2,667,328 in incident response, recovery, and crisis management.
Ouch (Score:5, Insightful)
Re: (Score:3)
Wouldn't click on that supposed youtube video for all the tea in China. Gotta be malware at the other end...
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
How does management fire itself? Is that even possible?
Re:Ouch (Score:4)
Re: (Score:1)
Re:Ouch (Score:5, Insightful)
Re: (Score:2, Insightful)
For 26 millions I'd assume all this and a few things more, yes.
Re: (Score:2)
It also covers the security "consultants" brought in to review things which is probably half the bill.
Re: (Score:3, Interesting)
A company can have a 100% backup solution and it may still be worth their while to pay the ransom. The decryption process can be applied to all machines simultaneously, bringing them back online in perhaps a few hours. Alternatively, a thorough restore from tapes fetched from Iron Mountain could take a week or two.
Restoring from backup is a great solution for individuals, but large networks are unlikely to have a backup solution that can scale as well as a ransomware worm can. For large organizations, their
Re:Ouch (Score:5, Insightful)
A company can have a 100% backup solution and it may still be worth their while to pay the ransom.
Yes, assuming you can trust the criminal, it could possibly be cheaper but you should NEVER pay a ransom. It only opens you and everyone else up for more ransom. I would much rather see paying ransoms outlawed and the government require everyone to carry ransom insurance and then have the insurance company pay to fix the problem. The advantage of this approach would be that if the insurance company pays for the recovery it reduces the incentive to pay the ransom and hopefully ransomware disappears. If we want ransomware to disappear, we need to make sure that it's cheaper and easier to not pay a ransom than it is to pay a ransom so that no one is tempted to pay a ransom. Another alternative is to make sure that the penalty for paying the ransom is so severe that no one is tempted.
Re: (Score:3)
This is simple. If Americans will never, ever be ransomed, then nothing is lost by killing the American captives.
And this ensures that those nations that will pay are further convinced of the willingness of the captors to kill their captives, and more likely to pay.
This is reinforcing. Changing the policy of those nations that would pay will likely result in dead captives for a period, until the captors are convinced there is no money in the enterprise. This is a high cost, and the policy could be rolled ba
Re: (Score:2)
As a devil's advocate, ransomware may be a good thing. It stops a company from functioning, which PHBs might consider something that doesn't "optimize their synergies", so they might actually give a thought to security.
Ransomware insurance should achieve the same effect as presumably by proving you are more secure (or that it's less costly to recover your data) your premiums should be lower which would make the PHBs happier.
Re: (Score:2)
This would prove to be enormously expensive of a mandate on businesses and thus it will never happen.
Solution (Score:1)
Contract out most of the work done by the city. Then if one of the contractors gets hit with ransomware, it's their problem. If that contractor can't meet obligations, switch contractors.
Re:Solution (Score:5, Insightful)
...said the lawyer.
The problem is that being able to sue someone into oblivion (usually a ltd company that goes *poof* the moment you try to squeeze money from it) means jack shit when your whole administration grinds to a halt and you can't get anything done sensibly anymore, constituents get REALLY pissed at you and vote the other guy in next time.
Who then gets your job AND whatever they can squeeze from the husk. Well done. Really. *golfclap*
Outsourcing != Problems vanishing (Score:2)
Contract out most of the work done by the city. Then if one of the contractors gets hit with ransomware, it's their problem. If that contractor can't meet obligations, switch contractors.
Here in the real world it's not that simple. You need to think it through. Just because you outsource something doesn't make the problems magically go away. In many cases it actually is harder and more expensive to oversee the contractors than it is to do the job in house. There are real world consequences to suppliers not delivering and fixing problems is very often not as simple as switching suppliers. Good luck replacing the water treatment plant administration or the public transportation authorit
Re: (Score:2)
If the city has a responsibility to plow roads, then the city has the responsibility to make sure the roads get plowed. As Truman said, "The buck stops here." If the city has contracted the plowing to someone that can't deliver, that's a failure on the city's part. Either the city needs to find reliable contractors, or the city needs to find a way to plow that doesn't involve contractors.
Switching contractors can be painful on a small job, like repairing a roof. When you're talking about providing ci
Good job they made that figure public (Score:4, Informative)
Now hackers know how much they can reasonably demand from Atlanta.
Re: (Score:1)
Now hackers know how much they can reasonably demand from Atlanta.
I can't help thinking that announcing such a budget has put a large bulls-eye right on the center of Atlanta's servers.
Re: (Score:1)
Not sure why you responded to yourself, but, I would say the exact opposite. Atlanta's government has sent a message that they'd rather spend 2.6 million dollars recovering data than 55,000 in ransom.
Why bother trying to extort someone that is willing to spend orders of magnitude more to tell you to F yourself?
Re: Good job they made that figure public (Score:1)
Why would you think that? Atlanta did not pay a dime to the hackers.
Re: (Score:2)
Not really. What the hackers know is that Atlanta will spend at least 5x the ransom demand rather than pay it. And I wonder how much of this $2.6 mill is a bounty on the hackers. The guys that bragged about taking the city for $55K have got to be wondering who their friends really are.
Re: (Score:3)
Re: (Score:2)
Are you overlooking the other costs of recovery? Paying the ransom and getting your systems decrypted is only the beginning.
And most of those costs would be the same whether you pay the ransom or not.
I doubt this is costing much more at all. For instance, you'll have to have all your systems scanned and reviewed to make the best effort to remove any other infestations, quite possibly replacing some or all outright. And then rebuilding the data security systems, training everyone to try and prevent this agai
Re: Good job they made that figure public (Score:2)
Correct.
Re: (Score:2)
Well, they may need to pull in some analysts. Because $2,667,328 is being spent over weeks. Perhaps a cool $3M now up front is a bargain.
Or they could invest in real storage/backup/BC/DR solutions for much, much less.
Re: (Score:2)
Now hackers know how much they can reasonably demand from Atlanta.
They can demand all they want. The question is will Atlanta ever pay?
The core of the issue boils down to something like blackmail. As soon as you pay once you'll end up paying over and over again. At which point do you say no? Is the no point at the second time they ask for $55,000, the 10th, maybe after you've spent $5 million?
While I get "A sensible business decision dictate that you pay the original $55,000 rather than the estimated $2.6 million" I've also got to question if the original sum would have
Re: (Score:2)
"Once you have paid the Danegeld/You will never be rid of the Dane" - Kipling.
even if they had paid (Score:5, Insightful)
Re:even if they had paid (Score:5, Insightful)
I also remember seeing that the majority of those that pay ransomware are unable to recover data anyway.
Paying the ransom does only two things:
1. Encourages more ransomware, as it "works" as a business model
2. Would cost Atlanta another 55,000 in addition to the $2.6+ M to fix the problem.
Re: (Score:2)
The never ending onslaught of malware, ransomware, etc... annoys and frustrates me. Too bad they are probably in a country where we can't extradite them.
Re: (Score:2)
Drones and Gitmo =P
Re: (Score:2)
What do you mean? Microsoft is based in the US. They’re the one who refuses to stop making horribly insecure software.
They can’t even get Windows Update to work without rendering customer machines unusable...
Re: (Score:2)
I thought SamSam exploited JBoss which is developed by Red Hat.
Re: (Score:2)
Lazy reporters no doubt see reports from 2-3 years ago where JBoss was widely used to proxy into a network, but they’re not paying attention: once they were “in” they used the proxy to attack systems inside.
Several other vectors have been added since 2016; SamSam attempting to exploit holes in Remote Desktop/RDP sessions is pretty common now.
Re: (Score:1)
Even if they had paid the ransom they would still need to fix the security holes though, so at least some of the extra expenditure is well justified.
If they do that. I bet they won't. Did you see the stupid law they passed down in Georgia banning security research? It was because government officials were embarrassed over an election exposure of passwords. Not a hack. They called the FBI on the researchers, who promptly cleared them. So I don't expect they'll fix stuff. They'll just blame anyone that points it out. Nope, emperor has clothes... Can't you see them?
Comment removed (Score:3)
Re:Good to hear it works. (Score:5, Insightful)
This reminds me of a similar saying in the motorcycle world:
It is not a matter of IF you will wipe but WHEN you will wipe.
As a result we have the acronym: ATGATT: All the gear, all the time.
i.e. You don't wear gear for the 99.99%, but for that 0.01% of the time.
Bringing this back on top: It doesn't matter how fast you can do backups if your restore procedure is completely botched! You DID test it, right?
Re: (Score:2)
Sorry, never heard of KGIII. Who is that?
Re:Good to hear it works. (Score:4, Interesting)
backups are not about the fact if you take backups, but how fast you restore WHEN you need to.
Amen to that, at job[-1] we had no problem hitting our backup windows but when we did a restore for a discovery request we found out that the interleaving that allowed the tape drives to fly during backups made restores crawl to the point where our 48 hour and 72 hour SLAs were a joke. That led us to a disk to disk to tape solution which could restore files in minutes from the appliance and where if we had to reseed from tapes the restores were done to the appliance as one long streaming block which went at full LTO speeds. Best of all for critical systems the appliances even included the ability to act as an iSCSI target for the VMWare hosts so you could restore in place if the storage arrays blew up and you needed to get critical systems up and running ASAP.
Backups? (Score:2)
Could I maybe take a look at it? I might be able to offer you a solution for 25 millions a year...
Better than paying ransom (Score:1)
Better to pay 50x than to pay the ransom:
"We never pay any-one Dane-geld,
No matter how trifling the cost;
For the end of that game is oppression and shame,
And the nation that pays it is lost!"
- Rudyard Kipling, 1911
The price of using Windows, (Score:1)
Re:The price of using Windows, (Score:4, Insightful)
Nah, the time to switch to Linux was before Windows 10 started pushing upgrades which remove critical drivers.
In the past few weeks I've fixed multiple family & friend computers which were horked by Windows 10 Update deleting the SATA drivers, followed by input device drivers.
Who needs ransomware when Microsoft is bricking its users' computers?
Re: (Score:1)
So how are they enjoying Linux, and what distros did you install?
Re: (Score:2)
I stick with a “rolling upgrade” capable distribution - Debian or OpenSuSE Tumbleweed.
No complaints from anybody. Google Chrome and Firefox (and by extension, Netflix, Hulu, YouTube and Facebook) are pretty much the same everywhere.
Even the gamer is happy as his games are on Steam (a bit of a lucky break, but it’s working for him).
And I get to relax because I don’t have to worry about a Windows 10 update deciding to remove critical drivers.
Honestly, desktop Linux achieved feature pari
Re: (Score:1)
But how did you replace the Windows malware download client??
Re: (Score:2)
I thought I was pretty clear that Windows is no longer on the systems. No Windows binaries of any kind.
So I’m not sure how any Windows program affects those systems. There’s certainly no Windows Update pushing anything to the machines anymore.
Re: (Score:2)
Java doesn't care which platform it's running on...
Re: Should be a response? (Score:2)
Generally speaking, security inside a corporate office is handled privately. The police don't guard buildings. Similar roles apply here. Unless Atlanta is handling DOD information or some such thing, it's not really the feds role to secure that. It's like the FBI looking into a robbery. Doesn't happen unless there's a federal angle.
Re: (Score:2)
“When life gives you lemons, don’t make lemonade. Make life take the lemons back! Get mad! I don’t want your damn lemons, what the hell am I supposed to do with these? Demand to see life’s manager! Make life rue the day it thought it could give Cave Johnson lemons! Do you know who I am? I’m the man who’s gonna burn your house down! With the lemons! I’m gonna get my engineers to invent a combustible lemon that burns your house down!” - Cave
So would disaster recovery have been worth it? (Score:3)
Re: (Score:1)
DR for a single system is (relatively) easy. E.g. a mainframe system: IPL system on mirrored disks at remote datacenter. We do this all the time, works fine.
DR for a network of systems is a nightmare, and the DR tests are either risky or useless.
Bring up DR mainframe, isolated network - fine, but doesn't do a proper test.
Open the network with addresses supposedly mapped to 'test' servers? Oops, you've just connected the DR test mainframe system to a production server...mayhem ensues as production data is fe
Re: (Score:2)
Sure, lots of people will say that "I can do backups for less than that", but an actual disaster recovery plan is way more than just doing backups.
That's true, but if they had decent backups at a minimum, they would be assured of getting all their data back. From what I've read, it is not clear that they did.
Re: (Score:1)
I'm a Disaster Recovery Admin for a fortune 500 company. I can assure you that the amount of money it cost us to build our primary redundant datacenter and train everyone on the failover procedures is *well* over $2.6 million. If you compare that to the money we would lose if we were down as long as they were, it's chump change. As parent post states, disaster recovery is way more than just doing backups. We've been hit by WannaCry, power outages, hardware failures you name it. We can have mission-crit
Re: (Score:2)
But you have no guarantees that the high availability replication processes in place don't end up getting infected as well-- you don't even (necessarily) know the root vulnerability that was exploited. Did they get in through the router, propagate to the switches, back themselves up to the copiers, and then perform ransom attack on servers, or was it a direct attack on the servers? Did they update the EFI?
When you have truly been screwed, it is almost impossible to know what parts of the system/network ca
Re: (Score:2)
Security is layered, and anyone who thinks DR and business continuity plans are all you need to protect against these threats is really doing things backwards. With appropriate next gen firewalls in place with proper UTM and endpoint protection, it's completely possible to track exploits, infections, and intrusions even through complex networks if you have the right security appliances in place. It's also possible to head these things off at the pass before they do extensive damage to a network by isolati
Seems familiar (Score:2)
Start something, then remove it before it gets popular. Sounds like something Google would do.
Commendable and irresponsible (Score:2)
If I paid taxes to Atlanta, I'd probably be miffed. But since I don't, I commend them for telling the hackers to fuck off.