Atlanta City Government Ransomware

Original Article:


Ransomware attacks seem to be pretty easy for an organization to prevent. Except it is not. All it takes is one end-user to click on a malicious link and the payload is installed. The payload might have been installed months ago and due to the logic of the ransomware it automagically came to life. So, if it only takes unaware, unsuspecting, or untrained end-user to invoke the demons of ransomware into the production environment, what steps can we take to minimize the effectiveness of ransomware? Here are some things that come to mind:


  • Ensure All Incoming and Outgoing email is scanned, including links, for reputation based outcomes. If links are embedded in the email and the system cannot perform a positive reputation hit, strongly consider rejecting the email.
  • All Incoming email should have the ‘Subject Line’ tagged with wording that will alert the user that the email originated from outside of the organization. i.e. EXT (For External)
  • All Incoming email should have the body of the email appended, with color coding that changes frequently, that will alert the user to take caution as this email originated from outside the organization. Therefore, links should be even more suspect.

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Training End-users:

  • Of course users should have some type of training, perhaps through Wombat or some other type of Phishing company. It is likely that the majority of people just click through the training and take the test at the end. Just because this is the case doesn’t mean we shouldn’t perform the training. Even if it improves one person’s likelihood of not clicking on a malicious link.
  • Perform enterprise-wide tests on phishing. Be crafty. Attempt to perform the same methods that the bad actors use and determine if your defenses are effective.

Training Security Operations:

  • Bad actors evolve, their methods evolve, and so should our security operations personnel. Invest in your people.


  • Do not give end-users elevated privileges on their systems. These are business systems. If the access is not granted then very challenging for a non-approved application to gain access to the system.
  • For the love of God/Linux/Apple/Money or whatever you choose to worship – PATCH YOUR SYSTEMS! If the system is patched less chance for a malicious application to take advantage of a vulnerability, because the vulnerability has been mitigated.
  • Utilize proper endpoint protection – Cisco AMP, Crowdstrike Falcon, Carbon Black Endpoint to name a few. Ensure that only approved applications can be executed.
  • Add time as an element. If all of your end-user systems are re-imaged every quarter over the wire then any malicious application that somehow made its way onto your workstation/laptop then it is now removed. Now, the attacker has to defeat time as well as your defenses.


  • Utilize DNS based web traffic enforcement: Cisco Umbrella, Crowdstrike Falcon DNS, Or Websense. This is just another layer of protection to your enterprise. If any of these detect a known malicious DNS call then the malicious application fails.

Certainly there is more to it than the above. I just happen to see the above fail so many times and that is why malware gets into the environment.