Atlanta officials still 'working around the clock' to resolve ransomware attack

Federal officials, Microsoft and Cisco are working with the city of Atlanta to resolve the attack, but Atlanta's mayor won't say if the city paid the $51,000 ransom.

Atlanta officials still working to resolve ransomware attack

As of Saturday, Atlanta officials and federal partners were still “working around the clock” to resolve the ransomware attack on city computers that occurred around 5 a.m. on Thursday, March 22, and encrypted some financial and personal data.

On Thursday, the official investigation included “the FBI, U.S. Department of Homeland Security, Cisco cybersecurity officials and Microsoft to determine what information has been accessed and how to resolve the situation.”

A city employee sent WXIA a screenshot of the ransom demand, which included a pay-per-computer option of $6,800 or an option to pay $51,000 to unlock the entire system.

CBS 46 reported that the ransom demand and instructions said:

  • Send 0.8 bitcoin for each computer or 6 bitcoin for all of the computers. (That's the equivalent of around $51,000.)
  • After the 0.8 bitcoin is sent, leave a comment on their website with the provided host name.
  • They’ll then reply to the comment with decryption software. When you run that, all of the encrypted files will be recovered.

On Friday, March 23, city employees were handed a printed notice as they walked through the front doors. They were told not to turn on their computers until the issue was resolved. Officials were still unsure who was behind the attack.

Mayor Keisha Lance Bottoms advised city employees and customers to monitor their personal information, although there was no evidence to show customer or employee data was compromised. Mayor Bottoms clarified which services had not been impacted and were still available to residents, and which ones had been impacted.

For example, the Department of Public Works' ATL311 website was disabled; it’s up and running now, but is “currently experiencing technical difficulties that may prevent you from submitting a new request to ATL311.” As for human resources, applications for new employment had been suspended; the Department of Corrections was manually processing inmates; and public Wi-Fi via the Department of Aviation had been “disabled out of an abundance of caution.” In other words, even people who were not from Atlanta could have felt the sting of the attack, as Hartsfield-Jackson Atlanta International Airport was noted as being the “world’s busiest airport.”

Mayor Bottoms will not say if Atlanta intends to pay the ransom demand, saying, “We will be looking for guidance from, specifically, our federal partners on how to best navigate the best course of action.”

During a press conference, Bottoms said, “What we want to make sure of is that we aren’t putting a Band-Aid on a gaping wound.” She then turned the press conference over to Richard Cox, the City of Atlanta's chief operations officer; the poor dude is brand new to serving as Atlanta’s COO. He confirmed the existence of the ransom demand but would not reveal the contents.

SamSam ransomware used in Atlanta attack

WXIA reported that SamSam ransomware was used to target Atlanta. As was reported by CSO’s Steve Ragan, the group behind SamSam is believed to have made almost $850,000 since December 2017. In Atlanta’s case, Ragan wrote, “The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.”

Hopefully Atlanta will address all the issues that must be resolved to avoid becoming like the Colorado Department of Transportation, which was hit with ransomware twice in a little more than a week. Let's hope it is also faster than Davidson County, North Carolina, which needed a month to get its computer network fully operational after getting hit with a ransomware attack.

Copyright © 2018 IDG Communications, Inc.