Atlanta Says Further $9.5 Million Needed for Ransomware Recovery


The City of Atlanta was struck by SamSam ransomware in March 2018. The ransom was set at $51,000 (in Bitcoin); but is believed not to have been paid. At that time, it was thought that some customer-facing applications and some internal services had been disrupted; but that no critical services had been affected.

One month later, it was reported that the cost of recovery from the attack had already reached nearly $3 million, and the city had not yet fully recovered.

Exactly what happened at Atlanta will not be known -- if it ever is -- until the work of the forensic investigators is complete. It is known, however, that the SamSam actors typically target their victims, gain access to the infrastructure, and interfere with processes before encrypting files. Hancock Health was hit by SamSam in January 2018. It paid the ransom, but a few days later, CEO Steve Long reported, "Though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers."

On Wednesday this week, Atlanta information management head Daphne Rackley told the City Council that the Atlanta ransomware attack was far more serious than originally thought. More than one-third of the 424 software programs used by the city remain off-line or at least partially disabled -- and almost 30% of those are considered 'critical'.

City attorney Nina Hickson, for example, said her office had lost more than 70 of its 77 computers and ten years of legal documents. Police Chief Erika Shields told local television news station WSB-TV 2 that the hack irretrievably wiped out the police dash-cam recordings archive.

The Atlanta City Council is preparing to vote on the fiscal budget 2019, and must do so by the end of the month. It has now been told by Rackley that her department is likely to require an additional $9.5 million over the coming year because of the ransomware.

The Atlanta incident is a wake-up call that highlights the ransom quandary. Paying the ransom feeds the criminal activity, puts a target on the victim's back for other criminals, and does not guarantee receipt of decryption keys. Not paying, however, will inevitably lead to recovery costs that could, for the unprepared, be extreme.

Atlanta seems to have been particularly unprepared. "I think that the true problem is not ransomware," comments Ilia Kolochenko, CEO of High-Tech Bridge. "The problem is unreliable, overcomplicated and insecure-by-design IT architecture. Segregation of duties, data and network access control, proper segmentation, daily backup, desktop hardening, anomaly detection -- are, de facto, a must-have in any modern company or governmental entity. Apparently, none were in place."

Effective disaster recovery and back-up systems can be particularly effective against extortion attacks. "Being able to easily and quickly recover data, like the dash-cam footage, from mere seconds before it was lost or disrupted can save an organization time, money and many other types of damage," says Gijsbert Janssen Van Doorn, technology evangelist at Zerto.

The Barnstable Police Department is a case in point. The small town Police Department on Massachusetts' Cape Cod was hit by ransomware in 2016 -- but an effective disaster recovery system meant the ransomware was mitigated and eradicated with a maximum downtime of less than 40 minutes, and no more than 2 minutes of lost data.

"Atlanta is now just another case study on what best practices need to be in place to protect an organization's CyberPosture," comments Mukul Kumar, CISO and VP of cyber practice at Cavirin. "They're already talking about direct costs in the tens of millions, but the indirect costs and other impacts are potentially much greater." The cost of prevention is inevitably less than the cost of cure.

Atlanta also demonstrates a dangerous escalation. A city is not merely an organization, it is part of the critical infrastructure. "The reality is that these are more lucrative targets than credit cards and people's identities when you look at it from an attacker perspective," warns Rishi Bhargava, co-founder at Demisto. "Attacks on cities, and our infrastructure, are like terrorist attacks and cities and governments will be willing to pay." He believes they must not.

The terrorist analogy is not lost on Kolochenko. This attack, he suggests, was "likely driven by a trivial itch for gain, but what would the outcome be if the attackers were a nation-state group? They can cause tremendous damage to the city, its infrastructure and citizens. I think the IT companies responsible for maintenance of the Atlanta critical IT infrastructure can be liable for negligence. Someone should be accountable for this."