Attack on Atlanta’s computer system impacting services

Employees at Atlanta City Hall were handed instructions as they come through the front doors to not turn on computers or log on to their workstations on Friday March 23, 2018. JOHN SPINK/JSPINK@AJC.COM
caption arrowCaption
Employees at Atlanta City Hall were handed instructions as they come through the front doors to not turn on computers or log on to their workstations on Friday March 23, 2018. JOHN SPINK/JSPINK@AJC.COM

Atlanta’s newly elected mayor on Friday predicted that the city would continue to experience a “massive inconvenience” in the aftermath of a ransomware cyber attack that prevented city employees from using their computers and prompted discussions about a costly rebuild of the city’s entire computer network.

“But it is not a matter of life or death,” said Mayor Keisha Lance Bottoms at a press conference Friday afternoon at City Hall.

Officials said they are not able to provide details about where the attack began, the amount of data that might be affected, or whether they were considering paying a $50,000 ransom requested by the hacker.

“We are deeply into active investigation, incident management mode,” said Daphne Rackley, the city’s interim chief information officer. “What that means is that we are not ready to share any definitive statements, because … the data and the information changes on a regular basis.”

Bottoms said that city officials hadn't found any evidence that sensitive employee or public data had been compromised in the Thursday attack. Still she urged employees and residents to monitor their accounts and credit activity.

The attack did cause some disruptions to city services and to employees.

On Friday, workers were handed instructions as they came through the front doors to not turn on computers or log on to their workstations.

Residents coming to Atlanta City Hall to pay bills were turned away Friday. Corrections officers processed inmates manually. And the City Council was making plans take voice votes and work off of paper at meetings next week.

The city’s municipal court could not process ticket payments in person or online or validate warrants.

Richard Cox, Atlanta’s interim chief operating officer, said the city would not issue failure to appear warrants for cases scheduled to be heard during the outages.

The city’s emergency management systems, along with Hartsfield-Jackson Atlanta International Airport systems, had not been impacted although the airport had shut down its wifi.

“I tried to connect,” said traveler Kate Clough, who lives in Sugar Hill and just landed at Hartsfield-Jackson on Friday after a business trip to Philadelphia. “I assumed I would be able to e-mail all the work I did on the plane once I landed, but now I have to wait an hour until I get to Sugar Hill.”

The business of attacks

Bojan Simic, founder of the Bitcoin Security Project and Chief Technology of the New York City based of HYPR Corp., said that ransomware attacks have gone from targeting individuals to large corporations and government bodies where much more is stake.

Simic said ransomware attacks have their own business model. Information is frequently de-crypted once payment is made to ensure others will also pay. Ransom amounts are based on the value and amount of compromised data.

The $50,000 figure in Atlanta’s case surprised him, Simic said, adding that it indicated that the information that the city could no longer access was valuable.

“This amount is a little bit concerning to me,” Simic said. “They probably did some cursory investigation of the data and of the system that they have hacked and saw that they probably do not have backup data, so they can charge more money.”

The city declined to provide any details about the nature of the data the attack jeopardized.

William “Chip” Collins, Jr. of the law firm Burr & Forman LLP’s Atlanta office, said that under state law the city must notify people once it believes their data may have been breached or it could face potential legal claims.

The city obtained a cyber attack insurance policy in advance of the attack.

But the city’s Chief Financial Officer Jim Beard declined to disclose the costs of the deductible or policy limits, saying that it might encourage future attacks.

Post 1 At Large Councilman Michael Julian Bond said that he was “pretty confident” that the situation would be resolved “in a few days.”

He also said this successful hack may encourage other attacks.

“As daunting as the city of Atlanta’s apparatus may seem, we’re still limited by the amount of resources we have to defend our systems,” Bond said. “So we’re going to have to make is as much of a priority as it has already been, and we’re going to have to increase it.”

Time to upgrade?

Stacey S. Farrell, of the Farrell Law Firm, said municipalities are often vulnerable to cyber attacks because of their outdated hardware.

Farrell said cities often resist investing in their computer networks but use third party applications to satisfy customer demands. Those outdated systems were often never intended to use modern day applications, she said.

While she couldn’t speak specifically about the city’s network, Farrell said it would be “more unusual for the city to have modern, state of the art [systems] than what we typically see.”

Bottoms seemed to acknowledge as much when she compared the city’s network to a decade-old pickup she drove until it was wrecked.

“It was an opportunity to upgrade and make some improvements, and that’s the way I have charged our team to look at this situation,” Bottoms said.

When the mayor heard that some council members wanted to completely rebuild the city’s computer network despite significant costs, she said: “I thank them in advance for that approval.”

Reporters Kelly Yamanouchi and Tyler Estep contributed to this article


Here’s a look at how malware and ransomware work and what people can do if they fall victim to attacks.

What is malware and ransomware? 

Malware is a general term that refers to software that’s harmful to your computer, said John Villasenor, a professor at the University of California, Los Angeles. Ransomware is a type of malware that essentially takes over a computer and prevents users from accessing data on the computer until a ransom is paid, he said.

How do computers become infected with ransomware?

In most cases, the software infects computers through links or attachments in malicious messages known as phishing emails.

“The age-old advice is to never click on a link in an email,” said Jerome Segura, a senior malware intelligence researcher at Malwarebytes, a San Jose-based company that has released anti-ransomware software. “The idea is to try to trick the victim into running a malicious piece of code.”

The software is usually hidden within links or attachments in emails. Once the user clicks on the link or opens the document, their computer is infected and the software takes over.

But how does it work?

“Ransomware, like the name suggests, is when your files are held for ransom,” said Peter Reiher, an adjunct professor at UCLA who specializes in computer science and cybersecurity. “It finds all of your files and encrypts them and then leaves you a message. If you want to decrypt them, you have to pay.”

The ransomware encrypts data on the computer using an encryption key that only the attacker knows. If the ransom isn’t paid, the data is often lost forever.

When the ransomware takes over a computer, the attackers are pretty explicit in their demands, Segura said. In most cases, they change the wallpaper of the computer and give specific instructions telling the user how to pay to recover their files. Law enforcement officials have discouraged people from paying these ransoms.

How can it be prevented?

The first step is being cautious, experts say. But Villasenor said there is “no perfect solution” to the problem.

Associated Press

The AJC surveyed other metro Atlanta governments and agencies to see if officials were taking additional measures to protect computer systems or were impacted by the Atlanta hack.

Cobb County: County employees have been instructed to not open any emails from the City of Atlanta.

Alpharetta: The city's security systems and protocols have been successful in defeating attempts to reach any personal data or sensitive systems or attempts to ransom our data or systems.

DeKalb County: Government operations and residents are not impacted by the cyberattack on the city of Atlanta.

Gwinnett County: The county has not had any incidents that resulted in the exposure of customer or employee data or the interruption of county services.

Marietta: While the city has never had such an attack, all employees have been warned to be careful while browsing and downloading.

Sandy Springs: We have seen a limited number of intrusion attempts over the past few years.