On March 22, city employees were ordered to turn off their computers to stop a virus from spreading through the network and encrypting data. A cyber criminal group demanded that the city pay it about $51,000 in bitcoins — a crypto currency that allows for anonymous transactions online.
The city refused to pay the ransom on the advice of federal agents.
“We were advised, at some point during the attack, this particular threat actor had hit places after the ransom was paid,” Cox said.
Following the attack, the city hired Secureworks, a Dell subsidiary, who has emerged as an early authority on the cyber-criminal group, “Gold Lowell.” That group is being blamed for a rash of cyber attacks involving a variant of SamSam, the type of ransomware that struck Atlanta.
In early 2018, about a month before the Atlanta cyber attack, Secureworks published a report titled “SamSam Ransomware Campaigns,” which noted that the recent attacks involving SamSam have been opportunistic, lucrative and impacted a wide range of organizations.
Cox said on Friday it was too soon to say if any data or other records had been permanently lost.
“We are still in the process of going through files to understand the status,” he said. “That process will continue to take quite a while.”
The city provided a copy of its cyber attack insurance policy to the AJC this week in response to a public records request, but redacted the coverage limits, citing security concerns.
Cyber attack insurance policies are an uncharted area of the market, and security experts have warned that the risks associated with them are difficult to calculate. The policies contain a number of exclusions and require meeting basic security standards.
Asked if he expected an insurance payout, Cox said: “We are having ongoing conversations with our cyber insurance vendor … Our expectation is that we will be able to partner with them in a very fair manner.”