On Friday, city of Atlanta interim Chief Information Officer Daphne Rackley said the city would not pay the ransom. Mayor Keisha Lance Bottoms later said all options are on the table.
The city of Atlanta said its Information Management team learned of a computer outage at 5:40 a.m. Thursday, March 22, 2018.
That’s when the city says it was hit by a ransomware attack that has crippled some city departments. Since then, Atlanta Mayor Keisha Lance Bottoms has held a series of press conferences (Thursday, March 22; Friday, March 23; and Monday, March 26) about what she has called a “massive inconvenience” for the city and threat to national security.
On Monday, March 26, Sandy Springs-based cybersecurity firm SecureWorks CEO Michael Cote said his firm had completed the containment phase and part of the investigation and was helping the city of Atlanta transition to the recovery phase to restore critical systems.
On Tuesday, March 27, employees were told they could turn on their computers and printers again.
On the first day the city of Atlanta’s Chief Operating Officer Richard Cox learned of the attack, he said city officials wanted to let the public know as soon as possible. He said the attack may have impacted other agencies in Georgia.
“Security matters are ongoing and they’re impacting everyone,” Cox said. “In fact, we were advised of several agencies even here in Georgia that have been impacted. They’re really bad people that are moving quickly.”
Cox said the three departments that were not impacted by the attack were public safety, water services and Hartsfield-Jackson Atlanta International Airport.
Airport Internet Outage
Since Friday, March 23, the airport has turned off free WiFi for passengers and disabled security wait times and flight information updates on its website. Airport spokesman Reese McCranie said nearly 1,000 city of Atlanta employees working at the airport had very limited or no access to their e-mail and the internet. He said there was no timeline on when all services would be restored, but services were taken offline out of an “abundance of caution.”
Atlanta Police Department
City of Atlanta police chief Erika Shields confirmed public safety — including police, fire and 911 — was not impacted, but she said officers were issuing tickets and filing reports by hand as a precaution.
Atlanta Municipal Court
Parking tickets, reset forms and change of address forms can be paid for and completed in person at the court during normal business hours. However, all court dates are being rescheduled, and no failure-to-appear notices are being generated because of the computer outages. The Department of Corrections has been processing defendants who were arrested and taken to custody manually since Friday.
The Department of City Planning said information for the public would be limited during this time and zoning applications will take longer than normal to process and review. The Office of Housing and Community Development said it will only communicate with customers through “in-person conversations at its intake desk” and is unable to process disbursement requests.
City employees were told they could turn on their computers, printers and city-issued devices on Tuesday, March 27 — the first time since the ransomware attack. Employees are being asked to avoid using the Kronos web application to submit timesheets and instead to use manual time clocks or timesheets to document their work hours.
Employees are also being told not to try to connect to the city of Atlanta’s VPN (virtual private network). New job applications are also not being accepted during this time.
On Wednesday, March 28, the city launched a new page on its website: the Ransomware Cyberattack Information Hub. It has answers to frequently asked questions for residents and city employees.
According to a computer screenshot sent to 11Alive by a city employee, a group that cybersecurity experts have identified as SamSam, demanded 6 bitcoins in exchange, about $50,000, for decrypting the city’s data and files it was holding hostage.
The group has demanded and received ransom payments of nearly $850,000 since December 2017 from businesses, hospitals, universities and government agencies that they typically target.
Security experts said the deadline for the city of Atlanta to pay the ransom after a cyberattack shut down some of its computer networks was likely Wednesday.
But it’s not clear how the city paid or if it will pay the ransom.
Kennesaw State University cybersecurity expert Andy Green said the website for the city to communicate and share files with the hackers was deleted.
“This is new territory in that they have never shut down a portal before that we’re aware of,” Green said. “If the city’s made the decision to pay the ransom, then that communication would be happening via new channels that we’re not aware of.”
Green said usually the group provides about six days before they move on to their next target.
“We’ve got some really tough questions to ask the city of Atlanta,” Green said. “This should be a warning for other municipalities because I don’t think this will be the last attack by any stretch of the imagination.”
City of Atlanta officials said it knows who the hackers are but would not confirm the group’s name or provide details on the ransom.
According to CBS46, an internal audit found the city of Atlanta’s “IT department was on life support, and there was basically no formal plans in place to protect the city from cyber threats.”
A city auditor told CBS46 the city of Atlanta was in the early stages of implementing a security fix when the ransomware attack occurred.
Previous Cyberattack: April 2017
The founder of an Augusta-based cybersecurity firm, Jake Williams, tweeted that his firm Rendition Infosec knew of five city of Atlanta systems, including a webmail server, that were infected in April 2017.
A statement on its website said the city of Atlanta left its file-sharing client servers open to the Internet and failed to fix the issue at the time:
“The City of Atlanta was not patching its Internet facing hosts more than a month after *critical* patches were released by Microsoft. Microsoft released patches on March 14, 2017. Our scan data shows these hosts being vulnerable (and compromised by unknown attackers) on dates spanning from April 23, 2017 to May 1, 2017.”
The city of Atlanta’s servers are just a few of more than 148,000 computers that were compromised last April by hacking tools that were leaked and possibly created by the National Security Agency, called “Eternal Blue” and “Double Pulsar.”
Ransomware is not new to Atlanta. Last summer, cybersecurity experts estimate hundreds of companies in Georgia may have been impacted by the global WannaCry ransomware attack.