Atlanta’s network almost recovered from cyber attack, cost still unknown

The City of Atlanta’s computer network has nearly recovered from a ransomware cyber attack suffered nearly two months ago, said Chief Operating Officer Richard Cox in an Friday interview with The Atlanta Journal-Constitution and Channel 2 Action News.

Cox said the municipal court is the only department whose computers haven’t been brought back online.

“We are in testing right now,” Cox said, adding that he expects them to be operational in about 10 days.

Cox said the total cost of the attack has yet to be calculated. But emergency contracts posted on the city’s procurement website have a combined not-to-exceed amount of about $5 million.

“If you dig into those numbers a lot of those expenses are inevitably things we were going to have to invest in regardless,” Cox said.

On March 22, city employees were ordered to turn off their computers to stop a virus from spreading through the network and encrypting data. A cyber criminal group demanded that the city pay it about $51,000 in bitcoins — a crypto currency that allows for anonymous transactions online.

The city refused to pay the ransom on the advice of federal agents.

“We were advised, at some point during the attack, this particular threat actor had hit places after the ransom was paid,” Cox said.

Following the attack, the city hired Secureworks, a Dell subsidiary, who has emerged as an early authority on the cyber-criminal group, “Gold Lowell.” That group is being blamed for a rash of cyber attacks involving a variant of SamSam, the type of ransomware that struck Atlanta.

In early 2018, about a month before the Atlanta cyber attack, Secureworks published a report titled “SamSam Ransomware Campaigns,” which noted that the recent attacks involving SamSam have been opportunistic, lucrative and impacted a wide range of organizations.

Cox said on Friday it was too soon to say if any data or other records had been permanently lost.

“We are still in the process of going through files to understand the status,” he said. “That process will continue to take quite a while.”

The city provided a copy of its cyber attack insurance policy to the AJC this week in response to a public records request, but redacted the coverage limits, citing security concerns.

Cyber attack insurance policies are an uncharted area of the market, and security experts have warned that the risks associated with them are difficult to calculate. The policies contain a number of exclusions and require meeting basic security standards.

Asked if he expected an insurance payout, Cox said: “We are having ongoing conversations with our cyber insurance vendor … Our expectation is that we will be able to partner with them in a very fair manner.”