Cybercrime as-a-service , Fraud Management & Cybercrime , Malware as-a-Service

Atlanta Ransomware Attack Freezes City Business

Damage Assessment Is Underway, But Backups Are in Place, Officials Say
Atlanta Ransomware Attack Freezes City Business

Ransomware that struck the city of Atlanta early Thursday morning froze internal and customer-facing applications, but officials say backups are in place and they expect to pay city employees on time next week.

See Also: Preventing an Inside Job: Detection, Technology and People

The ransomware has hampered citizens from paying bills and accessing court-related information, Mayor Keisha Lance Bottoms said at a press conference about 12 hours after the attack started. The city's police department, water services and airport aren't affected.

Atlanta Mayor Keisha Lance Bottoms.

The city is evaluating if personal data may be at risk, but is advising employees to monitor bank accounts, online statements and contact credit agencies, Bottoms says. The investigation should determine whether personal, financial or employee information has been compromised, she says.

Atlanta is working with FBI, the Department of Homeland Security and experts from Microsoft and Cisco.

"We have been working diligently all day long to come to some type of resolution," Bottoms says.

The FBI says it is "coordinating with the city of Atlanta to determine what happened."

Backups In Place

Atlanta COO Richard Cox - in his first week on the job - says the ransomware encrypted some city data, but experts are still evaluating the damage. He says the city has not received further communications from the attackers.

The city discovered the attack after the security team "noticed something that looked peculiar," on a server, says Daphne Rackley, deputy CISO.

The city has been migrating applications to cloud services in part to mitigate risk, Rackley says. Backup systems are in place, which are helping with restoration, but the city is still investigating the scope of the attack.

"This is not a new issue to the state of Georgia or our country," Rackley says. "We have been taking measure to mitigate risk."

While the police department wasn't affected, Chief Erika Shields says the department has reverted to a paper reporting system.

The attack had no other effect on the police department "other than not being able to spend time on the internet, which is probably a good thing," Shields joked.

Suspected: SamSam Ransomware

Local news broadcaster Alive11 obtained a screenshot of an infected computer from a city employee. Although it did not publish the screenshot, the broadcaster reports the ransom note demands about $6,800 per computer or $51,000, payable in the virtual currency bitcoin, to unlock all of the city's computers.

When asked if the city would pay the ransom, Bottoms said Thursday: "We can't speak to that right now." The city will consult with federal agencies on the best course of action.

Law enforcement generally advises infected organizations against paying ransom because it provides an incentive for future attacks. Businesses, however, sometimes do pay if there's no other recourse to restoring systems. But there's no guarantee that a decryption key will be delivered, making it a risky proposition (see Please Don't Pay Ransoms, FBI Urges).

The city is due to pay its 8,000 employees on March 30. Bottoms says she doesn't expect payroll payments to be disrupted.

Alive11 reports that it passed the screenshot to Andrew Green, a lecturer of information security and assurance at Kenneshaw State University. The ransom message appears similar to one affiliated with SamSam, also known as MSIL.

A SamSam ransomware notice published by Cisco Talos in January.

In January, Cisco's Talos security group said SamSam has struck industrial control systems as well as healthcare and government organizations. SamSam has been around since at least 2015. Cisco says attacks using SamSam tend to be opportunistic rather than highly targeted.

The infection vector for SamSam attacks in 2016 was vulnerable JBoss application server installations (see JBoss Servers: Ransomware Campaign Alert). The attacks earlier this year may have been compromised remote desktop protocol or virtual network computing servers, Cisco says.

In January, Hancock Health in Greenfield, Ind., paid a $55,000 ransom after patient files were locked with a version of SamSam (see Why Some Healthcare Entities Pay Ransoms).

Hancock Health CEO Steve Long told the Daily Reporter that the company could have restored the files, but it would have been costly and taken days or weeks. Luckily after paying the ransom, the organization did receive working decryption keys.

"These folks have an interesting business model," he told the newspaper. "They make it just easy enough [to pay the ransom]. They price it right."


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.