When did the City of Atlanta attack take place?
On March 22, 2018, the City of Atlanta identified that its operating systems and security services had fallen victim to a ransomware attack. Some City of Atlanta records were also lost during the data breach and many government employees had to create hard copies of documents.
Before the attack, the City of Atlanta was found to have a weakened IT infrastructure, making it increasingly vulnerable to a potential cyberattack. An auditor report, dated January 2018, found that:
- The city’s Information Security Management System (ISMS) incorporated “missing or outdated policies, procedures, and guidance documents”
- Between 1,500 and 2,000 severe vulnerabilities were present
- Close to 100 government servers were running outdated software
- There was a “lack of formal processes to identify, assess, and mitigate risks”
A lack of robust security protocols, alongside employee complacency towards cybersecurity, created the perfect environment for a cyberattack. On March 22, the Department of Atlanta Information Management was notified of disruptions across several internal and customer applications, “including some applications customers use to pay bills or access court-related information.”
The ransomware infected public Wi-Fi systems, including the airport's Wi-Fi, as well as the city's municipal systems and networks, and impaired citizens' ability to access confidential or sensitive data, use customer-facing applications, complete financial transactions, and pay bills online. Up to a third of local applications were also encrypted, rendering systems, files, and documents inaccessible. To keep pace with this sudden disruption, companies had to revert to handwriting notes and records.
The incident was identified as a ransomware attack, specifically SamSam ransomware. Government employees who attempted to access affected systems and networks were presented with a demand for up to $50,000 in Bitcoin in exchange for the private key that would remove the malware and restore access to their applications.
What is SamSam?
SamSam ransomware is a type of malware that monitors network activities to gain further information about ongoing operations and assess potential vulnerabilities. This is unlike other famous ransomware, such as WannaCry and Petya, which attack immediately upon breaching the targeted networks. SamSam allows the bad actor to take a deep dive into the network to ensure maximum damage and vast ransom payments. It also removes any existing backups that could be used to counteract the attack.
Hackers can manually gain access to outdated network servers and system data by:
Once inside the network, the attacker can obtain administrative privileges, allowing them to deploy additional malware and disable security tools, such as two-factor authentication, without being detected.
SamSam ransomware is unusual in that it encrypts not only data, files, and servers but also the foundational components and applications that would be needed to reboot any hardware. This makes data recovery an arduously slow process. Files are encrypted with unique Advanced Encryption Standard (AES) keys that are in turn protected by an RSA public key, so the files cannot be accessed without the attacker's private key and a ransom payment is effectively required for them to be decrypted.
Once the cybercriminal completes their operation, a ransom demand is made, requesting payment through a website on the Tor network. Once the ransom is paid, a cryptographic key that allows the network to be decrypted is provided.
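The two behaviours described above, a burst of files being rewritten with encrypted content and the removal of existing backups, are the signals a defender would most want to catch early. The following script is an added example written for this article, not code from the original page or from any vendor it mentions; it runs a simple detector over a constructed sample of file-system audit events (timestamp, action, path, written bytes) and flags both hallmarks. The paths, extension and payloads are constructed for the example, and the entropy threshold and time window are assumed tuning values.

```python
"""Toy detector for two ransomware hallmarks: a burst of high-entropy
(encrypted) file writes and deletion of backup files.
All events below are constructed sample data, not real audit logs."""
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed payloads: readable text versus a stand-in for encrypted output.
PLAINTEXT = b"Municipal court docket entry, case 2018-0042. Fees paid in full.\n" * 8
CIPHERTEXT = bytes(range(256)) * 4  # every byte value equally likely -> entropy 8.0

BASE = datetime(2018, 3, 22, 5, 0, 0)  # constructed timestamp

# (timestamp, action, path, bytes written) -- constructed audit events
SAMPLE_EVENTS = [
    (BASE, "write", "/srv/court/docket_0041.txt", PLAINTEXT),
] + [
    (BASE + timedelta(seconds=60 + 5 * i), "write",
     f"/srv/court/docket_{i:04d}.txt.locked", CIPHERTEXT)   # '.locked' is a made-up extension
    for i in range(6)
] + [
    (BASE + timedelta(minutes=2), "delete", "/backup/court/2018-03-21.bak", b""),
    (BASE + timedelta(minutes=3), "delete", "/srv/tmp/session.cache", b""),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_high_entropy(data: bytes, threshold: float = 7.0) -> bool:
    # Assumed threshold: plain documents rarely exceed ~6 bits/byte.
    return shannon_entropy(data) >= threshold


def detect_encryption_burst(events, window=timedelta(seconds=60), min_files=5):
    """Flag any window in which at least `min_files` high-entropy writes occur."""
    hits = sorted(
        (e for e in events if e[1] == "write" and is_high_entropy(e[3])),
        key=lambda e: e[0],
    )
    alerts = []
    i = 0
    while i < len(hits):
        j = i
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            j += 1
        if j - i >= min_files:
            alerts.append({"start": hits[i][0], "files": j - i})
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


def detect_backup_deletion(events, backup_prefixes=("/backup/",)):
    """Return paths of deleted files that live under a backup location."""
    return [
        e[2] for e in sorted(events, key=lambda e: e[0])
        if e[1] == "delete" and e[2].startswith(backup_prefixes)
    ]


def analyze(events):
    return {
        "encryption_bursts": detect_encryption_burst(events),
        "backup_deletions": detect_backup_deletion(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_EVENTS).items():
        print(name, "->", finding)
```

Run stand-alone, the script reports one encryption burst of six files starting one minute into the sample and the single deletion under `/backup/`. In practice the events would come from file-system auditing or an EDR agent, and the window and threshold would be tuned against the organisation's normal write patterns; the value of the second check is that it fires on the backup-removal step regardless of which files are being encrypted.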
How did the city respond?
It is unclear whether the City of Atlanta government paid the ransom, but the total financial impact of the ransomware attack was unprecedented. Following the request for a $50,000 payment in Bitcoin, hackers removed the page allowing for a payment to be made, leading the city to implement emergency measures to manage the impact.
What were the consequences of the Atlanta ransomware attack?
The City of Atlanta spent over $2.6 million in emergency contracts to counteract the effect of the SamSam ransomware attack and restore its computer systems and services. The cyberattack affected five of the city's 13 local government departments for five days. This bill consisted of incident response services from Edelman at a cost of $50,000, staffing costs at Atlanta Information Management (AIM), expertise from the private firm Secureworks, and public sector experts Cisco and Microsoft Cloud to bring systems back online.
Systems that were affected by the City of Atlanta ransomware attack between March 22 and April 2 included Atlanta’s Municipal Court, utility payment services, and parking services, all of which had to revert to manual processing. These included online and in-person payment systems for basic services, such as water bills.
Important transport facilities that remained unaffected included Hartsfield-Jackson Atlanta International Airport, which kept its public Wi-Fi disabled on the advice of the FBI, the Secret Service, and the Department of Homeland Security. Unlike the ransomware attack on UK hospitals, which significantly hit mission-critical services such as fire, police, and healthcare, Atlanta's health services were not directly affected.
Five days after the attack, the City of Atlanta launched an information hub for updates, informing employees and residents that they were able to switch their computers back on, but that a large number of services remained unavailable. Although certain services were immediately operational for employees, such as email, Oracle, and Accela, services not immediately available included public airport Wi-Fi at ATL, online water bill payment (not operational until May), and the court’s online payment option (not operational until June). However, some services or data remained permanently erased, including several legal documents and police video files.
Following the breach, City of Atlanta Mayor Keisha Lance Bottoms and several C-level executives stated that no citizen data had been compromised and that cybersecurity would remain at the forefront of government policies moving forward. The city appointed its new Chief Information Officer, Gary Brantley, in September 2018, alongside a new Chief Operations Officer and Director of Emergency Preparedness in June the following year.
In December 2018, the US Department of Justice announced that a federal grand jury in Atlanta charged two Iranian nationals with the sophisticated ransomware attack that infected approximately 3,789 computers belonging to the City of Atlanta, including servers and workstations. The government acknowledged that the attack “significantly disrupted City of Atlanta operations, impaired certain governmental functions, and caused it to incur substantial expenses in the coming weeks and months. To date, the attack has inflicted millions of dollars in losses.”
What can be learned from the Atlanta ransomware attack?
The Atlanta ransomware attack did not occur in isolation – ransomware attacks continue to evolve and grow in both size and sophistication, so it is vital for public and private businesses to implement robust cybersecurity processes.
Where security software and IT practices are weak or outdated, hackers can exploit vulnerabilities across business networks and hold data and services to ransom until a payment is made. Another example of a high-profile attack is the Baltimore ransomware incident in 2019, where cybercriminals infected government systems and servers with ransomware as a result of inadequate and outdated cybersecurity protocols.
While some businesses opt to pay the ransom, there is no guarantee that hackers will provide the ransomware decryption tools to restore encrypted systems and services. With ransomware remaining a continual threat to businesses, it is vital to prevent and protect your network by introducing an effective Disaster Recovery Plan and investing in robust security tools.