Delaware, USA – March 23, 2018 – Several online systems used by the City of Atlanta, Georgia, were attacked with SamSam ransomware. Yesterday morning, attackers disabled several online city services, including online bill payment and online court records, and demanded a ransom of more than $50,000 for data decryption. Chief Operating Officer Richard Cox said that critical infrastructure was not affected and that his team is working with the FBI and DHS to investigate the incident. Incident response teams from Microsoft and Cisco have also joined the investigation to determine what information the attackers accessed and to estimate the damage they caused. The experts' concerns are not groundless: SamSam ransomware is installed and executed manually by the attackers after the initial compromise of the network, meaning the operators had hands-on access to the environment before encryption began.
The group behind the Atlanta infection has been exceptionally active since the beginning of 2018. It generally chooses its targets among small and medium-sized businesses in North America. The adversaries brute-force RDP credentials to get into the network and then try to infect as many systems as possible. Because the entry point is a valid password guessed against an exposed RDP service rather than a software vulnerability, a burst of failed logons from one source followed by a successful logon from the same source is the pattern most worth alerting on. To monitor the security of RDP connections to your servers, you can leverage the Brute Force Detection use case for Splunk, QRadar or ArcSight, which monitors authentication events and notifies the SIEM administrator about potential attacks.
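The detection logic described above, as an added example that is not part of the Brute Force Detection use case or any SOC Prime content: a small sliding-window detector over Windows Security logon events. It assumes events have already been parsed into fields for EventCode (4625 = failed logon, 4624 = successful logon), LogonType (10 = RemoteInteractive, i.e. RDP), the source network address, the account name and a timestamp; the flat key=value layout, the threshold of five failures in five minutes, and the sample events are all constructed for the example. It also treats logon type 3 as an RDP candidate, since with Network Level Authentication enabled the failed attempt is usually recorded that way; this is an assumption to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
# Logon type 10 is RemoteInteractive (RDP). When Network Level Authentication
# is enabled the failed attempt is usually recorded as type 3 instead, so both
# are considered RDP candidates here (assumption: tune for your environment).
RDP_LOGON_TYPES = {"10", "3"}

# Constructed sample events in a flat key=value layout (not real Windows or
# SIEM output). 203.0.113.5 sprays passwords at RDP and then gets in;
# 198.51.100.7 is a user who mistyped a password twice.
SAMPLE_LOG = """\
time=2018-03-22T03:00:01 EventCode=4625 LogonType=10 Account=administrator Src=203.0.113.5
time=2018-03-22T03:00:03 EventCode=4625 LogonType=10 Account=administrator Src=203.0.113.5
time=2018-03-22T03:00:04 EventCode=4625 LogonType=3 Account=admin Src=203.0.113.5
time=2018-03-22T03:00:06 EventCode=4625 LogonType=10 Account=backup Src=203.0.113.5
time=2018-03-22T03:00:07 EventCode=4625 LogonType=10 Account=svc_backup Src=203.0.113.5
time=2018-03-22T03:00:09 EventCode=4625 LogonType=10 Account=svc_backup Src=203.0.113.5
time=2018-03-22T03:00:15 EventCode=4625 LogonType=10 Account=jsmith Src=198.51.100.7
time=2018-03-22T03:00:20 EventCode=4625 LogonType=10 Account=jsmith Src=198.51.100.7
time=2018-03-22T03:00:25 EventCode=4624 LogonType=10 Account=jsmith Src=198.51.100.7
time=2018-03-22T03:01:02 EventCode=4624 LogonType=10 Account=svc_backup Src=203.0.113.5
"""


def parse_line(line):
    """Turn one key=value line into a dict, converting the timestamp."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


class RdpBruteForceDetector:
    """Sliding-window counter of failed RDP logons per source address.

    Raises a BRUTE_FORCE alert when `threshold` failures from one source fall
    inside `window`, and a SUCCESS_AFTER_BRUTE_FORCE alert if that source
    then logs on successfully within `window` of being flagged.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> timestamps of failures
        self.flagged = {}                   # src -> time it crossed threshold

    def _expire(self, src, now):
        """Drop failure timestamps that fell out of the window."""
        q = self.failures[src]
        while q and now - q[0] > self.window:
            q.popleft()

    def process(self, event):
        """Feed one parsed event; return an alert tuple or None."""
        if event.get("LogonType") not in RDP_LOGON_TYPES:
            return None
        src, now, code = event["Src"], event["time"], event["EventCode"]
        if code == FAILED_LOGON:
            self._expire(src, now)
            q = self.failures[src]
            q.append(now)
            # Alert once, at the moment the threshold is crossed.
            if len(q) == self.threshold:
                self.flagged[src] = now
                return ("BRUTE_FORCE", src, len(q))
        elif code == SUCCESS_LOGON:
            flagged_at = self.flagged.get(src)
            if flagged_at is not None and now - flagged_at <= self.window:
                return ("SUCCESS_AFTER_BRUTE_FORCE", src, event["Account"])
        return None


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Run the detector over raw log text and collect the alerts in order."""
    detector = RdpBruteForceDetector(threshold, window)
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = detector.process(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the detector raises one BRUTE_FORCE alert for 203.0.113.5 at the fifth failure and a SUCCESS_AFTER_BRUTE_FORCE alert when that source later authenticates as svc_backup; the two mistyped passwords from 198.51.100.7 never cross the threshold. The second alert is the one that deserves the highest priority, since it is the point at which a SamSam-style operator has a foothold and is about to start moving laterally.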