March 23, 2018 Atlanta: Employees at Atlanta City Hall were handed instructions as they come through the front doors to not turn on computers or log on to their workstations on Friday March 23, 2018. Friday's action comes as city officials are struggling to determine how much sensitive information may have been compromised in a Thursday cyber attack. The city has also received demands that it pay a ransom of an unspecified amount, officials confirmed. But officials had yet to make a determination if it would pay the ransom. Hartsfield-Jackson International took down the wi-fi at the world's busiest airport after a cyber attack on the city. The Atlanta airport's website said after the cyber attack that security wait times and flight information may not be accurate. JOHN SPINK/JSPINK@AJC.COM

Atlanta’s network almost recovered from cyber attack, cost still unknown

The City of Atlanta’s computer network has nearly recovered from a ransomware cyber attack suffered nearly two months ago, said Chief Operating Officer Richard Cox in an Friday interview with The Atlanta Journal-Constitution and Channel 2 Action News.

Cox said the municipal court is the only department whose computers haven’t been brought back online.

“We are in testing right now,” Cox said, adding that he expects them to be operational in about 10 days.

Cox said the total cost of the attack has yet to be calculated. But emergency contracts posted on the city’s procurement website have a combined not-to-exceed amount of about $5 million.

“If you dig into those numbers a lot of those expenses are inevitably things we were going to have to invest in regardless,” Cox said.

On March 22, city employees were ordered to turn off their computers to stop a virus from spreading through the network and encrypting data. A cyber criminal group demanded that the city pay it about $51,000 in bitcoins — a crypto currency that allows for anonymous transactions online.

The city refused to pay the ransom on the advice of federal agents.

“We were advised, at some point during the attack, this particular threat actor had hit places after the ransom was paid,” Cox said.

Following the attack, the city hired Secureworks, a Dell subsidiary, who has emerged as an early authority on the cyber-criminal group, “Gold Lowell.” That group is being blamed for a rash of cyber attacks involving a variant of SamSam, the type of ransomware that struck Atlanta.

In early 2018, about a month before the Atlanta cyber attack, Secureworks published a report titled “SamSam Ransomware Campaigns,” which noted that the recent attacks involving SamSam have been opportunistic, lucrative and impacted a wide range of organizations.

Cox said on Friday it was too soon to say if any data or other records had been permanently lost.

“We are still in the process of going through files to understand the status,” he said. “That process will continue to take quite a while.”

The city provided a copy of its cyber attack insurance policy to the AJC this week in response to a public records request, but redacted the coverage limits, citing security concerns.

Cyber attack insurance policies are an uncharted area of the market, and security experts have warned that the risks associated with them are difficult to calculate. The policies contain a number of exclusions and require meeting basic security standards.

Asked if he expected an insurance payout, Cox said: “We are having ongoing conversations with our cyber insurance vendor … Our expectation is that we will be able to partner with them in a very fair manner.”

Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.

Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.