, technology specialists warn that ‘paying money to a criminal is never a good idea’. Cybersecurity experts have warned businesses against meeting hackers’ demands for money in the wake of the “unprecedented” attack on hundreds of thousands of computer systems around the world. Ransomware is a type of malicious software that blocks access to a computer or its data and demands money to release it. The worm used in Friday’s attack, dubbed WannaCry or WanaCrypt0r, encrypted more than 200,000 computers in more than 150 countries for ransoms of $300 to $600 to restore access. The full damage of the attack and its economic cost was still unclear, but Europol’s director, Rob Wainwright, said its global reach was unprecedented, and more victims were likely to become known in the coming days. The extent of the WannaCry attack prompted questions about what to do in the event of a ransomware infection, with many experts advising against paying the ransom, saying not only could it fail to release the data, it could expose victims to further risk. Peter Coroneos, the former chief executive of the Internet Industry Association and an expert on cyber policy, said whether or not to agree to ransomware demands presented practical and ethical dilemmas. “These people are criminals, and paying money to a criminal is never a good idea. However, if it’s a trade-off between losing your lifetime’s family photos and making a payment to a criminal, then it’s up to the individual to make that judgment call. It would be very hard to walk away.” But Gregory said it would be “self-defeating” for hackers not to release data upon receipt of a ransom, “because that would immediately hit the media, and no one would pay”. But not all ransomware attacks were motivated by financial gains, he added.
“If they’re a professional criminal organisation, their business model will be to release people’s computers once they’ve paid the money, but you don’t know. It could be someone having a laugh, or someone who’s trying to learn, or someone who’s released it accidentally. You just do not know – that’s the problem.” With such attacks hitting computer systems at an “ever-increasing rate”, Gregory said prevention was the best course of action. With outdated operating systems “easy targets”, he urged individuals and businesses to automate updates and invest in software that protected against viruses, malware and ransomware across not only their computers, but tablets and mobile phones as well. “It’s a combination of factors that will keep people safe ... For individuals, families have got to work together and companies have to take the time to ensure that their cybersecurity practices are up to date.” Gregory recommended regular if not daily backups of personal data, which would allow victims to wipe the infected computer, reload their data, and start again.
The city has spent the past two weeks restoring online services disrupted by ransomware that held encrypted data hostage. Soon after Atlanta City Auditor Amanda Noble logged onto her work computer the morning of March 22, she knew something was wrong. The icons on her desktop looked different—in some cases replaced with black rectangles—and she noticed many of the files on her desktop had been renamed with “weapologize” or “imsorry” extensions. Noble called the city’s chief information security officer to report the problem and left a message. Next, she called the help desk and was put on hold for a while. “At that point, I realized that I wasn’t the only one in the office with computer problems,” Noble says. Those computer problems were part of a high-profile “ransomware” cyberattack on the City of Atlanta that has lasted nearly two weeks and has yet to be fully resolved. During that time the metropolis has struggled to recover encrypted data on employees’ computers and restore services on the municipal Web site. The criminals initially gave the city seven days to pay about $51,000 in the cryptocurrency bitcoin to get the decryption key for their data. That deadline came and went last week, yet several services remain offline, suggesting the city likely did not pay the ransom. City officials would not comment on the matter when contacted by Scientific American. The Department of Watershed Management, for example, still cannot accept online or telephone payments for water and sewage bills, nor can the Department of Finance issue business licenses through its Web page. The Atlanta Municipal Court has been unable to process ticket payments either online or in person due to the outage and has had to reschedule some of its hearings.
The city took down two of its online services voluntarily as a security precaution: the Hartsfield–Jackson Atlanta International Airport wi-fi network and the ability to process service requests via the city’s 311 Web site portal, according to Anne Torres, Atlanta’s director of communications. Both are now back online, with airport wi-fi restored Tuesday morning. The ransomware used to attack Atlanta is called SamSam. Like most malicious software it typically enters computer networks through software whose security protections have not been updated. When attackers find vulnerabilities in a network, they use the ransomware to encrypt files there and demand payment to unlock them. Earlier this year attackers used a derivative of SamSam to lock up files at Hancock Regional Hospital in Greenfield, Ind. The health care institution paid nearly $50,000 to retrieve patient data. “The SamSam ransomware used to attack Atlanta is interesting because it gets into a network and spreads to multiple computers before locking them up,” says Jake Williams, founder of computer security firm Rendition Infosec. “The victim then has greater incentive to pay a larger ransom in order to regain control of that network of locked computers.” The city’s technology department—Atlanta Information Management (AIM)—contacted local law enforcement, along with the FBI, Department of Homeland Security, Secret Service and independent forensic experts to help assess the damage and investigate the attack. The attackers set up an online payment portal for the city but soon took the site offline after a local television station published a screen shot of the ransom note, which included a link to the bitcoin wallet meant to collect the ransom. Several clues indicate Atlanta likely did not pay the attackers, Williams says.
“Ransomware gangs typically cut off communications once their victims get law enforcement involved,” he says. “Atlanta made it clear at a press conference soon after the malware was detected” that they had done so. The length of time it has taken to slowly bring services back online also suggests the cyber criminals abandoned Atlanta without decrypting the city’s files, Williams says. “If that’s the case, the city’s IT staff spent the past week rebuilding Atlanta’s online systems using backed-up data that had not been hit by the ransomware,” he says, adding that any data not backed up is likely “lost for good.” “If the city had paid the ransom, I would have expected them to bring up systems more quickly than they have done,” says Justin Cappos, a professor of computer science and engineering at New York University’s Tandon School of Engineering. “Assuming the city did not pay the ransom, their ability to recover their systems at all shows that they at least did a good job backing up their data.”
LabCorp, one of the largest clinical labs in the U.S., said the Samsam ransomware attack that forced their systems offline was contained quickly and didn't result in a data breach. However, in the brief time between detection and mitigation, the ransomware was able to encrypt thousands of systems and several hundred production servers. The wider public first learned about the LabCorp incident on Monday, when the company disclosed it via an 8-K filing with the SEC. Since then, as recovery efforts continue, the company said they're at about 90-percent operational capacity. According to sources familiar with the investigation, the Samsam attack at LabCorp started at midnight on July 13. This is when the Samsam group used brute force against RDP and deployed ransomware by the same name to the LabCorp network. At 6:00 p.m. on Saturday, July 14, the first computer was encrypted. The LabCorp SOC (Security Operation Center) immediately took action after that first system was encrypted, alerting IR teams and severing various links and connections. These quick actions ultimately helped the company contain the spread of the infection and neutralize the attack within 50 minutes. However, before the attack was fully contained, 7,000 systems and 1,900 servers were impacted. Of those 1,900 servers, 350 were production servers. The analysis and recovery continued at that point. This led the company to confirm the source of the attack as a brute-forced RDP instance, and confirm that only Windows systems were impacted. According to NetFlow management and traffic monitoring, nothing left the network during the attack, so the company is confident that there was no data breach. Given the RDP connection to this attack, and the fact that most attacks of this nature are bi-directional, LabCorp will likely implement two-factor authentication in the future.
It isn't clear if the company has a timeline for these changes, or if two-factor authentication was already in place at the time of the attack. Salted Hash has reached out to LabCorp for additional comment and will update should they respond. However, because LabCorp was able to detect and respond to the attack quickly, they likely saved themselves from costly and lengthy outages. It's also likely that backups (tested and current) played a large role in the recovery phase of the incident. The last time the Samsam group was in the news, they had attacked the Colorado Department of Transportation twice in two weeks and the City of Atlanta. In March, based on the current value of Bitcoin at the time, it was estimated that the group had earned nearly $850,000 USD from their victims, who paid the ransom demands.
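One defensive check the LabCorp account motivates, as an added example that is not from any of these articles: flag a source that fails RDP logons repeatedly and then succeeds, the pattern a brute-forced RDP instance leaves behind and the one two-factor authentication is meant to break. The events are constructed stand-ins for Windows Security log entries (4625 failed logon, 4624 successful logon, logon type 10 for RDP); the threshold and window are assumptions.

```python
"""Flag RDP brute-force bursts and any later success from the same source.
Added example, not from the articles above. Records are constructed stand-ins for
Windows Security events: 4625 failed logon, 4624 success, logon type 10 = RDP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account)
EVENTS = [
    ("2018-07-13 00:00:03", 4625, 10, "198.51.100.7", "administrator"),
    ("2018-07-13 00:00:04", 4625, 10, "198.51.100.7", "admin"),
    ("2018-07-13 00:00:05", 4625, 10, "198.51.100.7", "backup"),
    ("2018-07-13 00:00:06", 4625, 10, "198.51.100.7", "svc_sql"),
    ("2018-07-13 00:00:07", 4625, 10, "198.51.100.7", "helpdesk"),
    ("2018-07-13 00:00:09", 4624, 10, "198.51.100.7", "helpdesk"),  # success after the burst
    ("2018-07-13 08:15:00", 4625, 10, "10.0.4.21", "jsmith"),        # a single mistyped password
    ("2018-07-13 08:15:20", 4624, 10, "10.0.4.21", "jsmith"),
]

FAIL_THRESHOLD = 5             # assumed: RDP failures per source inside WINDOW
WINDOW = timedelta(minutes=5)  # assumed sliding window

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: {"failures", "accounts", "success_after"}} for every
    source whose RDP failures reach `threshold` inside `window`."""
    fails = defaultdict(list)  # ip -> [(time, account)] for recent RDP failures
    alerts = {}
    for ts, event_id, logon_type, ip, account in sorted(events):
        if logon_type != 10:
            continue           # only RemoteInteractive (RDP) logons are of interest
        t = parse(ts)
        if event_id == 4625:
            # drop failures that have fallen out of the sliding window, then add this one
            fails[ip] = [(ft, a) for ft, a in fails[ip] if t - ft <= window] + [(t, account)]
            if len(fails[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(fails[ip]),
                              "accounts": sorted({a for _, a in fails[ip]}),
                              "success_after": None}
        elif event_id == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            # a success from an already-flagged source: likely a guessed credential
            alerts[ip]["success_after"] = ts
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(EVENTS).items():
        print(f"{ip}: {info['failures']} RDP failures across {info['accounts']}, "
              f"success after burst: {info['success_after']}")
```

A source that reaches the threshold and then logs on successfully is the case worth paging on; the lone failed logon from the internal address is deliberately left below the threshold.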
Services are being restored to the St. Louis Public Library computer system after a ransomware attack last Thursday impacted access to machines and data at all 17 branches. Library management refused to pay the $35,000 demanded as ransom, and IT staff wiped affected servers and restored them from available backups. On Friday, the library was able to restart its circulation workflow, and patrons were able to check out books at all locations. By Saturday, checkout and returns systems were at 100 percent availability, and now only the library’s reserve system remains to be restored. That work began on Monday and is expected to be up and running shortly. Executive director Waller McGuire said the library immediately reached out to the FBI for help with the investigation, and it’s not clear where the infection began, nor how it spread throughout the library network. “The real victims of this criminal attack are the Library’s patrons. SLPL has worked hard to open a secure but widely available digital world to the people of St. Louis, and I am sorry it was interrupted,” McGuire said in a letter to library patrons published on Monday. “An attempt to hold information and access to the world for ransom is deeply frightening and offensive to any public library, and we will make every effort to keep that world available to our patrons”. McGuire also said that patrons’ personal and financial information is not stored on its servers, and none of that data was impacted by the attack. “The St. Louis Public Library has been working with the FBI to identify how criminals broke into our system and correct the problem,” McGuire said. “I apologize to patrons for any inconvenience this incident has caused: on most days thousands of St. Louis Public Library patrons check out materials and use computers for many purposes”. A request for additional comment from McGuire was not returned in time for publication.
It’s unknown which ransomware family was used to attack the library, nor how the infection started. McGuire said in his letter to patrons that criminals broke into the library network and installed malware. This runs contrary to most ransomware infections, where the malware is spread in spam or phishing emails enticing the victim to open a malicious email attachment or click on a link in the message that downloads the malware. The St. Louis library is the latest in a growing list of high-profile businesses and public services falling victim to ransomware. Less than a year has passed since the Hollywood Presbyterian attack, in which a $17,000 ransom was paid, and the Kentucky Methodist Hospital attack, in which officials reportedly refused to pay. The University of Calgary also fell victim, as have other colleges, universities, local law enforcement and government agencies, and entertainment organizations.