SamSam group deletes Atlanta's contact portal after the address goes public

An image shared with local media during the early stages of a SamSam ransomware infection in Atlanta exposed the contact portal assigned to the city by the group responsible. In addition, the image exposed wallet used by the attackers to collect ransom payments.

When questioned about their actions via the exposed portal, the SamSam group first demanded payment in exchange for answers, and later deleted the contact form entirely, calling the questions and other comments spam

During a press conference on Monday, Atlanta Mayor Keisha Lance Bottoms said the city hasn't determined if they'll pay the ransom demanded by the attackers, which is 6 Bitcoin, or about $51,000 USD.

Yet, given the SamSam group's actions, it isn't clear if payment is even possible now, since they've deleted the communication portal. While it's possible other portals exist for the systems infected in Atlanta, the city hasn't released any technical details to the public.

The removal is a dramatic shift for a group known to provide victims with proof the decryption works. Think of it as a "try before you buy" type of service.

But, it doesn't sound like payment is a serious consideration for Atlanta. It was revealed during the press conference that Secure Works was brought in to assist the city. The company is said to have neutralized the threat and is working on getting systems back online.

The Bitcoin wallet listed in the exposed ransom note hasn't received any payments. If the city was going to pay, they have until Wednesday before the keys required are deleted by the SamSam group, per their normal seven-day policy.

Information Disclosure:

On Thursday, March 22 at around 05:00 a.m., the city of Atlanta learned it was the victim of a ransomware attack. The city scrambled incident response teams and moved quickly to deal with the infection.

Later that morning, local media broke the story and started covering the incident. Later coverage included publicizing a screenshot of the ransom note left on a city employee's computer.

At first glance, the note reveals the system's hostname, linking it to the Atlanta Police Department's Special Operations Section (SOS). Though it isn't clear if an employee of the agency is the source of the image itself.

The Atlanta PD's SOS provides a number of functions to the city, including traffic enforcement and management, accident investigations, mounted patrols, and permitting for events and gatherings.

Since the incident started, the city has stressed that no emergency systems were impacted by the ransomware, which includes 911 for police and fire dispatch.

SamSam strikes again:

Last time it was the Colorado Department of Transportation. Prior to that it was Allscripts and Hancock Health, along with several others. Now, it's the city of Atlanta.

The letter shared by local media during the early stages of the ransomware infection in Atlanta is clearly a SamSam ransom note.

The wording — including typos — is identical to the examples shared by researchers working for Cisco's Talos group earlier this year. The only difference is the directory where the contact portal is hosted.

The previously known contact portal (January 2018) is located at:

hxxp://jcmi5n4c3mvgtyt5.onion/familiarisingly/

Visitors to that address today can pay 0.5 Bitcoin to reactivate it, or $3,950 USD, based on current rates at the time this article was written.

The newest communication portal address broadcast by local media, before the SamSam actors pulled it down, was located at:

hxxp://jcmi5n4c3mvgtyt5.onion/nonpenetrable/

There is no restoration note for that address, just a 404 error.

The group deleted portal after being asked several questions concerning details of the attack against Atlanta, in addition to other comments and personal questions, such as if they're afraid of being caught by law enforcement.

A malware researcher at Flashpoint, who also noticed the ransom note's disclosure on local media, posted the details on Twitter, including a screenshot demonstrating that others had found the same information and were posting to the portal.

The portal itself is controlled server-side, as source code for the portal shows only basic HTML on the front end, so the SamSam group has full control over the posts and the content displayed to visitors.

Steve Ragan

Initially, the group demanded payment before they would answer any questions. But when pressed with additional questions in lieu of payment, the group said they would remove the portal due to spam and made good on their threat 24-hours later.

This is the first time a live portal has been exposed to the public during an SamSam incident. Usually the ransom notes with such details are only shared in a redacted form or long after the incident has happened, such was the case for the example shared by Cisco.

It's also the first time the SamSam group has publically deleted or deactivated a portal prior to the seven-day clock expiring. While it's possible they've taken such actions before, reports of those incidents haven't been shared publicly.

The portals are usually unique to each victim, and they're used for basic communication and to offer the ability to test decryption on two files free of charge, provided they're non-essential files.

As mentioned, the actual source of the image initially shared with the media remains unknown. However, once the letter was shown on live television, there was no way to keep it a secret.

Given the size of the city's workforce, trying to control messaging is a massive task and preventing leaks is often easier said than done.

According to Mayor Bottoms, security experts in the public and private sector have stepped up to help resolve the Atlanta's ransomware problem.

Previously, Mayor Bottoms shared praise and her thanks to teams from Cisco, Microsoft and Atlanta's Information Management department for their hard work and focus, as the city moves to implement business continuity measures.

Update:

In a statement Tuesday morning, the city of Atlanta said that it is entering recovery mode and advising employees to turn systems back on.

"Today, the City of Atlanta is advising its employees to turn on computers and printers for the first time since the March 22 cyberattack," the statement said.

"It is expected that some computers will operate as usual and employees will return to normal use. It is also expected that some computers may be affected or affected in some way and employees will continue using manual or alternative processes. This is part of the City’s ongoing assessment as part of the restoration and recovery process."