Cost of City of Atlanta’s cyber attack: $2.7 million — and rising

The City of Atlanta entered into emergency contracts worth $2.7 million to help restore the city’s computer network in the days following the March 22 ransomware cyber attack.(WSB-TV)

The City of Atlanta entered into emergency contracts worth $2.7 million to help restore the city’s computer network in the days following the March 22 ransomware cyber attack.(WSB-TV)

The City of Atlanta entered into emergency contracts worth $2.7 million to help restore the city's computer network in the days following the March 22 ransomware cyber attack.

But despite hiring a stable of security consultants and crisis communications experts, some departments remain hobbled by an attack that occurred after years of warnings about vulnerabilities in the city’s system.

The $2.7 million figure does not include a contract with the law firm of Adams and Reese LLP. The city’s Law Department retained the firm to coordinate the city’s recovery efforts. The city is paying partners for firm $485 per hour and associates $300 per hour.

Nor does the figure include the lost productivity of some employees who went five days without the ability to use their computers.

By contrast, the Colorado Department of Transportation is estimated to have spent $1.5 million to get its computers back up and running after ransomware attacks in February and March.

As first reported by Channel 2 Action News, the city entered into eight contracts in the 10 days after it discovered the malware had infected its network. The contracts range in price from $50,000 to Edelman Public Relations for crisis communications to $730,000 to FyrSoft, a Microsoft partner, according to information on Department of Procurement's website.

The city has declined to provide copies of the contracts, except for the agreement with Adams and Reese. The city argued that security concerns might make some of the other information exempt from disclosure in response to a March 30 public records request from The Atlanta Journal-Constitution.

At a press conference on Tuesday, Mayor Keisha Lance Bottoms said that residents should view the recovery phase more like a marathon than a sprint — a comparison that makes sense of how long the hacker could have hidden in the city’s network before officials discovered it.

Ransomware is malicious software that encrypts data until the infected organization pays a ransom.

Organizations often don’t learn they have been infected with ransomware until they can’t access their data or until computer messages appear demanding a ransom payment in exchange for a decryption key.

The messages include instructions on paying the ransom, usually in the form of bitcoins — a crypto currency that allows for anonymous transactions online. The city declined to say if it would pay $51,000 attackers demanded in the March attack.

“The average time an attacker is in a system before detection is 229 days,” said Ralph Echemendia, a hacking consultant who teaches corporations how to keep data safe.

The city has hired Secureworks, a Dell subsidiary, who has emerged as an early authority on the cyber-criminal group, “Gold Lowell.” That group is being blamed for a rash of cyber attacks involving a variant of SamSam, the type of ransomware that struck Atlanta.

In early 2018, about a month before the Atlanta cyber attack, Secureworks published a report titled "SamSam Ransomware Campaigns," which noted that the recent attacks involving SamSam have been opportunistic, lucrative and impacted a wide range of organizations.

“One GOLD LOWELL campaign conducted between late-2017 and early-2018 generated at least $350,000 (USD) in revenue,” the report said.

So far the Watershed Department and Municipal Court appear to have been the most severely affected. The Watershed Department can accept payments only from people will to travel to City Hall and write out a check, according to information on the city’s website.

At the Municipal Court, the judges are conducting hearings only for defendants who had yet to be released from jail. And the court cannot accept ticket payments at this time.

In the years leading up to the attack, the city received multiple warnings about security weaknesses.

In 2010, the city’s independent auditor warned that the Information Technology Department “currently does not have funding for business continuity and disaster recovery plans.”

A follow-up audit conducted in 2014 found that city still lacked such a plan.

Another audit released in January found that the department of Atlanta Information Management and the Office of Information Security regularly identified vulnerabilities in the city’s network but not the root causes.

“In one case,” the audit said, “monthly vulnerability scan results indicated the presence of 1,500-2,000 severe vulnerabilities in the scanned population, with a history that went back over a year with no evidence of mitigation of the underlying issues.“


Here’s a look at how malware and ransomware work and what people can do if they fall victim to attacks.

What is malware and ransomware?

Malware is a general term that refers to software that’s harmful to your computer, said John Villasenor, a professor at the University of California, Los Angeles. Ransomware is a type of malware that essentially takes over a computer and prevents users from accessing data on the computer until a ransom is paid, he said.

How do computers become infected with ransomware?

In most cases, the software infects computers through links or attachments in malicious messages known as phishing emails.

“The age-old advice is to never click on a link in an email,”said Jerome Segura, a senior malware intelligence researcher at Malwarebytes, a San Jose-based company that has released anti-ransomware software. “The idea is to try to trick the victim into running a malicious piece of code.”

The software is usually hidden within links or attachments in emails. Once the user clicks on the link or opens the document, their computer is infected and the software takes over.

But how does it work?

“Ransomware, like the name suggests, is when your files are held for ransom,” said Peter Reiher, an adjunct professor at UCLA who specializes in computer science and cybersecurity. “It finds all of your files and encrypts them and then leaves you a message. If you want to decrypt them, you have to pay.”

The ransomware encrypts data on the computer using an encryption key that only the attacker knows. If the ransom isn’t paid, the data is often lost forever.

When the ransomware takes over a computer, the attackers are pretty explicit in their demands, Segura said. In most cases, they change the wallpaper of the computer and give specific instructions telling the user how to pay to recover their files. Law enforcement officials have discouraged people from paying these ransoms.

How can it be prevented?

The first step is being cautious, experts say. But Villasenor said there is “no perfect solution” to the problem.

Associated Press

Atlanta gets hacked

Previously: On March 22, the city's computer system was the target of a ransomware attack.

Currently: The city has entered into emergency contracts worth $2.7 million to fix the problem.

What's next? City officials are working to get computers back up and running.