The Atlanta Journal-Constitution

Cyberattack on city cost $2.7M and rising

Some departments still hobbled by attack that hit despite warnings.

- By Stephen Deere sdeere@ajc.com

The city of Atlanta entered into emergency contracts worth $2.7 million to help restore the city’s computer network in the days after the March 22 ransomware cyber attack.

But despite hiring a stable of security consultants and crisis communications experts, some departments remain hobbled by an attack that occurred after years of warnings about vulnerabilities in the city’s system.

The $2.7 million figure does not include a contract with the law firm of Adams and Reese LLP. The city’s Law Department retained the firm to coordinate the city’s recovery efforts. The city is paying partners for the firm $485 per hour and associates $300 per hour.

Nor does the figure include the lost productivity of some employees who went five days without the ability to use their computers.

By contrast, the Colorado Department of Transportation is estimated to have spent $1.5 million to get its computers back up and running after ransomware attacks in February and March.

As first reported by Channel 2 Action News, the city entered into eight contracts in the 10 days after it discovered the malware had infected its network. The contracts range in price from $50,000 to Edelman Public Relations for crisis communications to $730,000 to FyrSoft, a Microsoft partner, according to information on the Department of Procurement’s website.

The city has declined to provide copies of the contracts, except the agreement with Adams and Reese. The city argued that security concerns might make some of the other information exempt from disclosure in response to a March 30 public records request from The Atlanta Journal-Constitution.

At a news conference Tuesday, Mayor Keisha Lance Bottoms said that residents should view the recovery phase more like a marathon than a sprint — a comparison that makes sense of how long the hacker could have hidden in the city’s network before officials discovered it.

Ransomware is malicious software that encrypts data until the infected organization pays a ransom.

Organizations often don’t learn they have been infected with ransomware until they can’t access their data or until computer messages appear demanding a ransom payment in exchange for a decryption key.

The messages include instructions on paying the ransom, usually in the form of bitcoins — a cryptocurrency that allows anonymous transactions online. The city declined to say if it would pay the $51,000 attackers demanded in the March attack.

“The average time an attacker is in a system before detection is 229 days,” said Ralph Echemendia, a hacking consultant who teaches corporations how to keep data safe.

The city has hired Secureworks, a Dell subsidiary, which has emerged as an early authority on the cybercriminal group “Gold Lowell.” That group is being blamed for a rash of cyberattacks involving a variant of SamSam, the type of ransomware that struck Atlanta.

In early 2018, about a month before the Atlanta cyberattack, Secureworks published a report titled “SamSam Ransomware Campaigns,” which noted that the recent attacks involving SamSam have been opportunistic, lucrative and impacted a wide range of organizations.

“One GOLD LOWELL campaign conducted between late-2017 and early-2018 generated at least $350,000 (USD) in revenue,” the report said.

So far, the Watershed Department and Municipal Court appear to have been the most severely affected. The Watershed Department can accept payments only from people willing to travel to City Hall and write out a check, according to information on the city’s website.

At the Municipal Court, the judges are conducting hearings only for defendants who had yet to be released from jail. And the court cannot accept ticket payments at this time.

In the years leading up to the attack, the city received multiple warnings about security weaknesses.

In 2010, the city’s independent auditor warned that the Information Technology Department “currently does not have funding for business continuity and disaster recovery plans.”

A follow-up audit conducted in 2014 found that the city still lacked such a plan.

Another audit released in January found that the department of Atlanta Information Management and the Office of Information Security regularly identified vulnerabilities in the city’s network but not the root causes.

“In one case,” the audit said, “monthly vulnerability scan results indicated the presence of 1,500-2,000 severe vulnerabilities in the scanned population, with a history that went back over a year with no evidence of mitigation of the underlying issues.”

BOB ANDRES / BANDRES@AJC.COM Municipal Court: At the court, judges are conducting hearings only for defendants who had yet to be released from jail. The court cannot accept ticket payments.
JOHN SPINK / JSPINK@AJC.COM Water bills: The city can accept payments only from people willing to travel to City Hall and write out a check.
