As ransomware hobbled Atlanta, banks drilled for next iteration of attacks
As the Atlanta city government struggled to recover from March’s ransomware attack, cybersecurity personnel from U.S. banks huddled two miles from city headquarters to practice dealing with the same type of disruptive malware.
The exercise, which assembled 18 financial institutions and the industry’s threat-sharing center, simulated a bank’s computer network and tasked participants with defeating “WannaCry-like” ransomware, according to ManTech International Corp., the cybersecurity company that hosted the drill in April.
Participants, including big U.S. banks, connected to ManTech’s Advanced Cyber Range Environment (ACRE), a computing facility that can test network defenses against various strains of malware. Some participated from the Federal Reserve office in midtown Atlanta, according to ManTech spokesman Jim Crawford.
In this case, exercise planners mimicked the WannaCry ransomware, which struck more than 300,000 computers in 150 countries last year. The company already had practice using that virus for ACRE training “when it was still in the wild,” Brett Barraclough, a ManTech executive who works with ACRE, told CyberScoop.
Depending on the exercise scenario, “we’re able to dial down some of the malicious nature of the ransomware or dial it up,” Barraclough said. It was more important for this exercise to test banks’ procedures for repelling ransomware than to focus on a specific type of malware, he added.
The March 22 SamSam ransomware attack on Atlanta’s municipal agencies, which disrupted online processing for residents’ utility bills and court cases, has become a case study in the nexus of aging government IT networks and potent malware. The attack plagued city services for weeks and served as a wake-up call for Mayor Keisha Bottoms in her first months in office.
With the SamSam attack fresh in their minds, participants in the ManTech exercise had to determine how it had spread through their fictional networks, and then cut off its ability to execute “command and control” functions. Cybersecurity staff from participating banks were charged with keeping networks functions while ridding the machines of the malware. The exercise — like many notable cyberattacks in real life — started with a simple phishing email.
The goal of the ManTech drill was for financial institutions to “precisely measure the effectiveness of their existing cyber defenses in order to accurately budget for any needed enhancements,” Yvonne Vervaet, a senior vice president at ManTech, said in a statement.
Cybersecurity analysts credit the Financial Services Information Sharing and Analysis Center (FS-ISAC) that participated in the drill for being one of the more advanced threat-sharing hubs in private industry.
“All critical infrastructure industries, especially financial institutions, should perform regular, realistic exercises to build up their resilience muscle memory,” FS-ISAC CEO Bill Nelson said in a statement.
CyberScoop last week reported on a confidential agreement between a subunit of FS-ISAC and U.S. Cyber Command to keep the command apprised of advanced threats against American banks.
