Atlanta Ransomware Attack Freezes City BusinessDamage Assessment Is Underway, But Backups Are in Place, Officials Say
Ransomware that struck the city of Atlanta early Thursday morning froze internal and customer-facing applications, but officials say backups are in place and they expect to pay city employees on time next week.
See Also: 2020 Global Threat Report
The ransomware has hampered citizens from paying bills and accessing court-related information, Mayor Keisha Lance Bottoms said at a press conference about 12 hours after the attack started. The city's police department, water services and airport aren't affected.
The city is evaluating if personal data may be at risk, but is advising employees to monitor bank accounts, online statements and contact credit agencies, Bottoms says. The investigation should determine whether personal, financial or employee information has been compromised, she says.
Atlanta is working with FBI, the Department of Homeland Security and experts from Microsoft and Cisco.
"We have been working diligently all day long to come to some type of resolution," Bottoms says.
The FBI says it is "coordinating with the city of Atlanta to determine what happened."
Backups In Place
Atlanta COO Richard Cox - in his first week on the job - says the ransomware encrypted some city data, but experts are still evaluating the damage. He says the city has not received further communications from the attackers.
The city discovered the attack after the security team "noticed something that looked peculiar," on a server, says Daphne Rackley, deputy CISO.
The city has been migrating applications to cloud services in part to mitigate risk, Rackley says. Backup systems are in place, which are helping with restoration, but the city is still investigating the scope of the attack.
"This is not a new issue to the state of Georgia or our country," Rackley says. "We have been taking measure to mitigate risk."
While the police department wasn't affected, Chief Erika Shields says the department has reverted to a paper reporting system.
The attack had no other effect on the police department "other than not being able to spend time on the internet, which is probably a good thing," Shields joked.
The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them. pic.twitter.com/kc51rojhBl— City of Atlanta, GA (@Cityofatlanta) March 22, 2018
Suspected: SamSam Ransomware
Local news broadcaster Alive11 obtained a screenshot of an infected computer from a city employee. Although it did not publish the screenshot, the broadcaster reports the ransom note demands about $6,800 per computer or $51,000, payable in the virtual currency bitcoin, to unlock all of the city's computers.
When asked if the city would pay the ransom, Bottoms said Thursday: "We can't speak to that right now." The city will consult with federal agencies on the best course of action.
Law enforcement generally advises infected organizations against paying ransom because it provides an incentive for future attacks. Businesses, however, sometimes do pay if there's no other recourse to restoring systems. But there's no guarantee that a decryption key will be delivered, making it a risky proposition (see Please Don't Pay Ransoms, FBI Urges).
The city is due to pay its 8,000 employees on March 30. Bottoms says she doesn't expect payroll payments to be disrupted.
Alive11 reports that it passed the screenshot to Andrew Green, a lecturer of information security and assurance at Kenneshaw State University. The ransom message appears similar to one affiliated with SamSam, also known as MSIL.
In January, Cisco's Talos security group said SamSam has struck industrial control systems as well as healthcare and government organizations. SamSam has been around since at least 2015. Cisco says attacks using SamSam tend to be opportunistic rather than highly targeted.
The infection vector for SamSam attacks in 2016 was vulnerable JBoss application server installations (see JBoss Servers: Ransomware Campaign Alert). The attacks earlier this year may have been compromised remote desktop protocol or virtual network computing servers, Cisco says.
In January, Hancock Health in Greenfield, Ind., paid a $55,000 ransom after patient files were locked with a version of SamSam (see Why Some Healthcare Entities Pay Ransoms).
Hancock Health CEO Steve Long told the Daily Reporter that the company could have restored the files, but it would have been costly and taken days or weeks. Luckily after paying the ransom, the organization did receive working decryption keys.
"These folks have an interesting business model," he told the newspaper. "They make it just easy enough [to pay the ransom]. They price it right."