Published Date: 2018-03-26
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident in Atlanta happened on March 22, 2018 [68979]. 2. The incident involving the City of Atlanta occurred between December 2015 and March 2018 [70312]. |
System | 1. City of Atlanta's online systems [68979] 2. Atlanta's municipal government's desktops, hard drives, and printers [69247] 3. Atlanta's court system computers [77895] |
Responsible Organization | 1. The SamSam hacking crew was responsible for causing the ransomware attack on the City of Atlanta [69247, 68920]. 2. Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, two Iranian men, were responsible for hacking into American hospitals, universities, government agencies, and the city of Atlanta [77895]. |
Impacted Organization | 1. City of Atlanta [69247, 68920, 70312, 77895, 68979] |
Software Causes | 1. A ransomware attack using the SamSam malware caused the failure incident in the City of Atlanta [69247, 68920, 70312, 77895]. 2. The attack targeted vulnerable systems and encrypted data, demanding a ransom in exchange for decryption keys [68920, 70312, 77895]. 3. The attackers infiltrated networks by exploiting vulnerabilities or weak passwords in public-facing systems [68920, 70312, 77895]. 4. The attack did not rely on phishing; instead it used techniques such as brute-force attacks to guess weak passwords [77895]. 5. The attack involved the EternalBlue exploit developed by the National Security Agency [77895]. |
Non-software Causes | 1. Lack of preparedness and cybersecurity measures within the City of Atlanta's digital infrastructure [68920] 2. Exploitation of vulnerabilities in the city's public-facing systems and weak passwords [68920] 3. Failure to address known vulnerabilities in the city's networks [70312] 4. Limited IT budget and resources allocated to cybersecurity within municipalities [70312] |
Impacts | 1. Residents in Atlanta were unable to pay their traffic tickets, water bills online, or report issues like potholes or graffiti on the city website [69247]. 2. Travelers at the Atlanta airport were unable to use the free Wi-Fi [69247]. 3. The Atlanta Municipal Court was unable to validate warrants, police officers had to write reports by hand, and the city stopped taking employment applications [69247]. 4. Court proceedings were canceled, and job applications with the city were suspended [68979]. 5. The city's payroll was unaffected, but other services like water service requests and planning services were impacted [68979]. 6. The attack caused disruptions in five of the city's 13 local government departments, affecting vital communications and services [68920]. 7. The attack led to serious digital disruptions, crippling the court system, hindering revenue collection, and forcing police to file reports on paper [68920]. 8. The attack resulted in the city spending over $2.6 million on emergency efforts to respond to the ransomware incident [70312]. 9. The attack caused damages exceeding $30 million, with more than 200 victims affected and over $6 million in ransom collected [77895]. |
Preventions | 1. Implementing regular software updates and patches to address known vulnerabilities could have prevented the software failure incident [77895]. 2. Enhancing network security measures, such as using strong passwords and implementing network segmentation, could have helped prevent the ransomware attack [70312]. 3. Developing a formal cybersecurity policy and strategy, along with providing cybersecurity training to employees to recognize and avoid phishing attempts, could have improved the city's defenses against cyberattacks [69247]. 4. Investing in cybersecurity measures on the same level as public safety, as suggested by cybersecurity experts, could have strengthened the city's digital infrastructure and prevented the attack [69247]. |
Fixes | 1. Investing in software updates, backups, and network segmentation to protect against ransomware attacks [77895] 2. Developing a formal cybersecurity policy and a written strategy to recover from breaches for local governments [69247] 3. Implementing preventive measures like training employees to spot and sidestep phishing attempts [69247] 4. Strengthening information security management systems and formal processes to identify, assess, and mitigate risks [70312] 5. Enhancing cybersecurity defenses for vulnerable targets like hospitals, schools, and local governments [68920] |
References | 1. City officials and spokespersons [69247, 68920, 70312, 77895] 2. Mayor Keisha Lance Bottoms [69247, 68979] 3. Security experts and firms like Dell SecureWorks, Cisco Security, and SecureWorks [69247, 68920, 70312] 4. Threat researchers [69247, 68920] 5. The Justice Department [77895] 6. U.S. Attorney for the District of New Jersey [77895] 7. Treasury Department [77895] 8. Cybersecurity experts [77895] 9. SecureWorks CEO Mike Cote [68979] |
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: - The City of Atlanta experienced a ransomware attack in 2018, which caused serious disruptions in the city's operations [68920]. - Atlanta faced a ransomware attack that affected various departments, leading to digital disruptions and financial damages [70312]. - The ransomware attack on Atlanta resulted in significant financial costs for emergency response efforts to recover from the incident [70312]. (b) The software failure incident having happened again at multiple_organization: - The SamSam ransomware, used in the Atlanta attack, was also deployed in attacks against other entities such as the city of Newark, the port of San Diego, and health care-related entities [77895]. - The SamSam ransomware has been used in attacks against various organizations, including hospitals, universities, and government agencies, causing significant financial damages [77895]. |
Phase (Design/Operation) | design, operation | (a) In the software failure incident in Atlanta, the ransomware attack that affected the city's systems was a result of vulnerabilities introduced during system development and operation. The attackers deliberately engaged in digital blackmail, attacking vulnerable victims like hospitals and schools, knowing they would be willing to pay the ransom [77895]. The attackers infiltrated networks and pre-positioned the ransomware on key servers before triggering it, causing maximum damage immediately [77895]. (b) The ransomware attack in Atlanta disrupted various city services, such as residents being unable to pay water bills or parking tickets, police having to write reports by hand, and court proceedings being canceled [68979]. The attack impacted the city's online systems, leading to the suspension of job applications and rescheduling of court dates [68979]. The incident highlighted the need to focus on the security of digital infrastructure to prevent such operational failures in the future [68979]. |
Boundary (Internal/External) | within_system, outside_system | (a) The software failure incident in Atlanta was primarily within the system. The ransomware attack that affected the city's online systems originated from within the system, causing disruptions to various city departments, including the court system, water bill payments, police reports, and more [68979]. The attack involved the SamSam ransomware, which infiltrated the systems and encrypted data, making it impossible for users to access their files without paying a ransom [70312]. The attackers deliberately targeted vulnerable victims like hospitals and schools, knowing they would be willing to pay, indicating an internal origin of the attack [77895]. (b) The software failure incident also had contributing factors originating from outside the system. The ransomware attack on Atlanta was linked to a hacking crew known as SamSam, which is believed to be based in Iran [77895]. The attackers demanded ransom payments in bitcoin and exchanged the proceeds into Iranian rial using Iran-based bitcoin exchangers [77895]. Additionally, the attack involved exploiting vulnerabilities in the systems of various organizations, including the city of Atlanta, indicating external factors at play [70312]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The City of Atlanta experienced a ransomware attack, specifically the SamSam ransomware, which shut down the city's online systems [68979]. - The SamSam ransomware attack on Atlanta was part of a criminal scheme to extort money, with the attackers deliberately engaging in digital blackmail by attacking vulnerable victims like hospitals and schools [77895]. - The SamSam ransomware used in the attack on Atlanta was first identified in 2015 and gained prominence after affecting various entities, including the city of Atlanta, the port of San Diego, and health care-related entities [77895]. (b) The software failure incident occurring due to human actions: - The ransomware attack on Atlanta was orchestrated by two Iranian men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, who were charged with hacking into American hospitals, universities, government agencies, and the city of Atlanta, causing significant damages [77895]. - The attackers behind the SamSam ransomware attack on Atlanta deliberately chose vulnerable targets like hospitals and schools, knowing they would be willing and able to pay the ransom [77895]. - The city of Atlanta struggled to keep its government running after the ransomware attack, impacting services such as water bill payments, parking tickets, and court proceedings, with employees resorting to manual processes like writing reports by hand [68979]. |
Dimension (Hardware/Software) | software | (a) The software failure incident occurring due to hardware: - There is no specific mention in the provided articles about the software failure incident in Atlanta being caused by hardware issues. The incident primarily revolved around a ransomware attack that affected the city's computer systems and networks, leading to disruptions in various services and operations [69247, 68920, 70312, 77895, 68979]. (b) The software failure incident occurring due to software: - The software failure incident in Atlanta was primarily caused by a ransomware attack, specifically the SamSam ransomware. The attack encrypted data on affected systems, making it impossible for victims to access their computer files until a ransom was paid [69247, 68920, 70312, 77895, 68979]. |
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident in Atlanta was malicious in nature. It was a ransomware attack orchestrated by a hacking group known as SamSam, aiming to extort money from the city by encrypting its computer systems and demanding a ransom to unlock them [69247, 68920, 70312, 77895]. The attackers deliberately targeted vulnerable victims like hospitals, schools, and local governments, knowing they would be willing to pay the ransom [68920]. The attackers demanded a ransom paid in bitcoin in exchange for decryption keys to recover the data [77895]. The attack caused significant disruptions in various city departments, leading to financial losses and damages exceeding millions of dollars [77895]. The attackers used sophisticated techniques to infiltrate systems and deploy the ransomware, indicating a deliberate and targeted approach to extort money from victims [77895]. (b) The software failure incident does not fit the non-malicious category, since it was not caused by accidental or unintentional factors. It was a deliberate cyberattack with the intent to disrupt the city's operations and extort money [69247, 68920, 70312, 77895]. The attack was not a random occurrence but a carefully planned and executed operation by the hackers [77895]. The city officials had to resort to manual processes and workarounds to keep essential services running in the absence of digital systems [68979]. The incident highlighted the importance of strengthening digital infrastructure and cybersecurity measures to prevent future attacks [68979]. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident: - The software failure incident in Atlanta was not due to accidental decisions but rather poor decisions. The attackers deliberately engaged in a form of digital blackmail, targeting vulnerable victims like hospitals and schools who they knew would be willing and able to pay the ransom [77895]. - The attackers behind the ransomware attack on Atlanta's systems deliberately chose their targets carefully, such as local governments, hospitals, universities, and industrial control services, to extort ransom payments [68920]. |
Capability (Incompetence/Accidental) | development_incompetence | (a) The software failure incident occurring due to development incompetence: - The ransomware attack on the City of Atlanta was a result of a deliberate cyberattack by hackers known as the SamSam hacking crew, who engaged in extreme digital blackmail targeting vulnerable victims like hospitals and schools [69247]. - The attackers behind the SamSam ransomware were accused of conspiring to hack and extort victims for personal profit, indicating a deliberate and sophisticated approach to cyber extortion [77895]. (b) The software failure incident occurring accidentally: - The ransomware attack on the City of Atlanta was not accidental but a deliberate cyberattack by the SamSam hacking crew, targeting specific vulnerable victims for financial gain [69247]. - The ransomware attack on the City of Atlanta was described as an attack on the government, indicating a deliberate and intentional act rather than an accidental incident [68979]. |
Duration | temporary | The software failure incident in Atlanta was temporary. The incident was caused by a ransomware attack that shut down the city's online systems, impacting various services such as water bill payments, parking tickets, police reports, and court proceedings [68979]. The attack led to disruptions for over six days, with employees resorting to manual processes like writing reports by hand [68979]. The city's public safety services, airport functions, and payroll were unaffected by the attack [68979]. The incident was described as an attack on the government affecting all residents, and the city was working on establishing manual workarounds to keep operations running [68979]. |
Behaviour | crash, omission, value, other | (a) crash: The software failure incident in Atlanta resulted in a crash as the city's online systems were shut down due to a ransomware attack, causing disruptions in various services such as water bill payments, parking tickets, and court proceedings [68979]. (b) omission: The ransomware attack in Atlanta led to the omission of various digital processes and services, forcing employees to resort to manual workarounds like writing reports by hand and suspending job applications with the city [68979]. (c) timing: The ransomware attack in Atlanta did not involve a timing failure, as the system was not performing its intended functions too late or too early; rather, it was completely shut down due to the cyberattack [68979]. (d) value: The software failure incident in Atlanta resulted in a value failure as the attackers demanded a ransom of $51,000, and the recovery from the attack was estimated to have cost the city's taxpayers more than $9 million [68979]. (e) byzantine: The software failure incident in Atlanta did not exhibit byzantine behavior, as the articles make no mention of inconsistent responses or interactions. (f) other: The software failure incident in Atlanta also involved a ransomware attack that encrypted data on affected systems, making it impossible for victims to access their own computer files unless a ransom was paid [77895]. |
Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |
Category | Option | Rationale |
---|---|---|
Consequence | property | (d) property: People's material goods, money, or data were impacted due to the software failure. From the articles: - The ransomware attack on the City of Atlanta impacted residents' ability to pay their water bills or parking tickets online, and police had to write reports by hand [68979]. - The ransomware attack demanded a ransom of $51,000 from the city, and the recovery from the attack was estimated to have cost the city's taxpayers more than $9 million [77895]. - The ransomware attack caused serious digital disruptions in five of the city's 13 local government departments, affecting court proceedings, water bill payments, and other services [68920]. - The ransomware attack on Atlanta led to emergency efforts costing over $2.6 million to respond to the attack, with expenses related to incident response, digital forensics, and crisis communications [70312]. - The ransomware attack on Atlanta resulted in the city spending $50,000 on crisis communications services and $600,000 on incident response consulting [70312]. |
Domain | information, health, government | (a) The failed system in the City of Atlanta was intended to support the information industry. The ransomware attack affected the city's online systems, causing disruptions in services like paying water bills, parking tickets, and court proceedings [68979]. (l) The failed system in the City of Atlanta was related to the government industry. The ransomware attack impacted various government departments, leading to disruptions in services provided by the city government, such as court proceedings, job applications, and revenue collection [68979]. (m) The failed system in the City of Atlanta was also related to the health industry. The SamSam ransomware was used in attacks against health care-related entities in addition to other targets like the city of Atlanta, the port of San Diego, and the Colorado Department of Transportation [77895]. |
Article ID: 69247
Article ID: 68920
Article ID: 70312
Article ID: 77895
Article ID: 68979