What We Know About The Atlanta Ransomware Attack
When a ransomware attack hit the city of Atlanta last week, the city went back in time.
With computer systems down, city employees are punching in and out with time clocks and using manual timesheets. Police officers are writing reports by hand and Atlanta’s Municipal Court has been rescheduling cases because they can’t access files.
The city of Atlanta said its Information Management team learned of a computer outage at 5:40 a.m. on March 22.
That’s when the city says it was hit by a ransomware attack that has crippled some city departments.
Hackers thought to be part of a group called SamSam got access to city data and encrypted city files. A screenshot of the ransom note shared with 11Alive said they would hand over the keys to unlock the city’s data for a ransom of six bitcoin, which was approximately $51,000 last Thursday.
Since then, Atlanta Mayor Keisha Lance Bottoms has held a series of press conferences (March 22, March 23 and March 26) about what she has called a “massive inconvenience” for the city and a threat to national security.
On March 26, Michael Cote, CEO of the Sandy Springs-based cybersecurity firm SecureWorks, said his firm had completed the containment phase and part of the investigation and was helping the city of Atlanta move into the recovery phase to restore critical systems.
On March 27, employees were told they could turn on their computers and printers again.
On March 29, city officials said they would not confirm whether the ransom had been paid and would no longer comment on the cyberattack, following the advice of federal partners including the FBI, the Department of Homeland Security and the Secret Service.
Affected systems are slowly coming back online in the city of Atlanta. On Thursday, March 29, the city announced that the ATL 311 web platform would again be able to process online reports of things like potholes and graffiti.
On March 30, city officials announced that water bill payments would be accepted at Atlanta City Hall and that no late fees would be charged. The city also said its Office of Revenue would extend the deadline for businesses to pay their business license fees to April 20, 2018.
On the day the attack was discovered, the city of Atlanta’s Chief Operating Officer Richard Cox said city officials wanted to let the public know as soon as possible. He said the attack may have affected other agencies in Georgia.
“Security matters are ongoing and they’re impacting everyone,” Cox said. “In fact, we were advised of several agencies even here in Georgia that have been impacted. They’re really bad people that are moving quickly.”
Cox said the three departments that were not impacted by the attack were public safety, water services and Hartsfield-Jackson Atlanta International Airport.
Airport Internet Outage
Since Friday, March 23, the airport has kept its free passenger WiFi turned off and has disabled the security wait time and flight information updates on its website. Airport spokesman Reese McCranie said nearly 1,000 city of Atlanta employees working at the airport had very limited or no access to e-mail and the internet. He said there was no timeline for when all services would be restored, but that they had been taken offline out of an “abundance of caution.”
Atlanta Police Department
City of Atlanta police chief Erika Shields confirmed public safety — including police, fire and 911 — was not impacted, but she said officers were issuing tickets and filing reports by hand as a precaution.
Atlanta Municipal Court
Parking tickets can be paid, and reset forms and change-of-address forms completed, in person at the court during normal business hours. However, all court dates are being rescheduled, and no failure-to-appear notices are being generated because of the computer outages. The Department of Corrections has been processing defendants who were arrested and taken into custody manually since Friday.
The Department of City Planning said information for the public would be limited during this time and zoning applications will take longer than normal to process and review. The Office of Housing and Community Development said it will only communicate with customers through “in-person conversations at its intake desk” and is unable to process disbursement requests.
City employees were told they could turn on their computers, printers and city-issued devices on Tuesday, March 27 — the first time since the ransomware attack. Employees are being asked to avoid using the Kronos web application to submit timesheets and instead to use manual time clocks or timesheets to document their work hours.
Employees are also being told not to try to connect to the city of Atlanta’s VPN (virtual private network). New job applications are also not being accepted during this time. (Update: On March 30, the city announced it was once again accepting job applications online.)
According to the screenshot sent to 11Alive by a city employee, a group that cybersecurity experts have identified as SamSam demanded six bitcoins, about $50,000 last week, in exchange for decrypting the city’s data and files it was holding hostage.
The group has demanded and collected nearly $850,000 in ransom payments since December 2017 from the businesses, hospitals, universities and government agencies it typically targets.
Security experts said the deadline for the city of Atlanta to pay the ransom after the cyberattack shut down some of its computer networks was likely Wednesday, March 28.
But it is not clear whether the city has paid, or will pay, the ransom.
Kennesaw State University cybersecurity expert Andy Green said the web portal through which the city could communicate and exchange files with the attackers had been taken down.
“This is new territory in that they have never shut down a portal before that we’re aware of,” Green said. “If the city’s made the decision to pay the ransom, then that communication would be happening via new channels that we’re not aware of.”
Green said the group usually gives a victim about six days to pay before moving on to its next target.
“We’ve got some really tough questions to ask the city of Atlanta,” Green said. “This should be a warning for other municipalities because I don’t think this will be the last attack by any stretch of the imagination.”
City of Atlanta officials said they know who the hackers are but would not confirm the group’s name or provide details on the ransom.
On March 29, Atlanta City Council President Felicia Moore addressed a rumor that the attack started inside Atlanta’s legislative management system, Accela, which is used by city council staff.
“I have heard that and I am doing my due diligence to deal with staff, try to see what we know on this side,” Moore said.
But Moore said the city council still doesn’t know anything definitively.
According to CBS46, an internal audit found the city of Atlanta’s “IT department was on life support, and there was basically no formal plans in place to protect the city from cyber threats.”
A city auditor told CBS46 the city of Atlanta was in the early stages of implementing a security fix when the ransomware attack occurred.
Previous Cyberattack: April 2017
Jake Williams, founder of the Augusta-based cybersecurity firm Rendition Infosec, tweeted that his firm knew of five city of Atlanta systems, including a webmail server, that were infected in April 2017.
A statement on the firm’s website said the city of Atlanta had left servers running its Windows file-sharing (SMB) service exposed to the Internet and failed to fix the issue at the time:
“The City of Atlanta was not patching its Internet facing hosts more than a month after *critical* patches were released by Microsoft. Microsoft released patches on March 14, 2017. Our scan data shows these hosts being vulnerable (and compromised by unknown attackers) on dates spanning from April 23, 2017 to May 1, 2017.”
The city of Atlanta’s servers were just a few of the more than 148,000 computers compromised last April by leaked hacking tools, widely attributed to the National Security Agency, called “EternalBlue” (an exploit for the SMB flaw fixed by Microsoft’s March 14, 2017 patches) and “DoublePulsar” (the in-memory backdoor the exploit installs, whose presence is what Internet-wide scans counted).
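Scanners identified compromised hosts in April 2017 because the DoublePulsar implant answers a specific SMB “ping” (a TRANS2 SESSION_SETUP request) by returning the request’s multiplex ID raised by 0x10. The Python below is an added example, not code from the article, from Rendition Infosec or from the city: it builds that probe, recovers the implant opcode encoded in the Timeout field, and classifies replies. The replies it classifies are constructed inline for illustration, the TID/UID values are placeholders that a real scanner would obtain from a prior session setup and IPC$ tree connect (not shown), and the request layout is reconstructed from the publicly documented probe and should be compared against a reference scanner before any live use.

```python
import struct

# SMB1 wire-format constants and the DoublePulsar ping probe's signature values.
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
PING_MID = 0x41            # multiplex ID sent in the published ping probe
INFECTED_MID = 0x51        # DoublePulsar replies with the MID raised by 0x10
PING_TIMEOUT = 0x00A4D9A6  # Timeout field whose byte sum is 0x23, the implant's "ping" opcode


def opcode_from_timeout(timeout: int) -> int:
    """DoublePulsar recovers its opcode from the byte sum of the Trans2 Timeout field."""
    return sum(struct.pack("<I", timeout)) & 0xFF


def build_ping_request(tid: int, uid: int) -> bytes:
    """Build the NetBIOS-framed SMB_COM_TRANSACTION2 / TRANS2_SESSION_SETUP ping.

    tid and uid are placeholders here; a live scanner takes them from an earlier
    session setup and IPC$ tree connect.
    """
    header = (
        SMB_MAGIC
        + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x18, 0xC007, 0)  # cmd, status, flags, flags2, pid_high
        + b"\x00" * 8  # SecurityFeatures (signature)
        + b"\x00" * 2  # Reserved
        + struct.pack("<HHHH", tid, 0xFEFF, uid, PING_MID)  # TID, PID, UID, MID
    )
    params = struct.pack(
        "<HHHHBBHIHHHHHBBH",
        12, 0,                 # TotalParameterCount, TotalDataCount
        1, 0,                  # MaxParameterCount, MaxDataCount
        0, 0,                  # MaxSetupCount, Reserved
        0,                     # Flags
        PING_TIMEOUT,          # Timeout: carries the implant opcode
        0,                     # Reserved2
        12, 0x42,              # ParameterCount, ParameterOffset (from start of SMB header)
        0, 0x4E,               # DataCount, DataOffset
        1, 0,                  # SetupCount, Reserved3
        TRANS2_SESSION_SETUP,  # Setup[0]
    )
    # WordCount=15 (30 bytes of parameters), ByteCount=13 (1 pad byte + 12 zero parameter bytes)
    smb = header + bytes([15]) + params + struct.pack("<H", 13) + b"\x00" * 13
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message header


def classify_ping_response(resp: bytes) -> str:
    """Classify a raw reply to the ping.

    'infected' means the implant's MID signature is present; 'clean' means no
    implant signature was seen (it says nothing about patch state); 'malformed'
    means the bytes are not a well-framed SMB1 Trans2 reply.
    """
    if len(resp) < 36 or resp[0] != 0x00:
        return "malformed"
    if int.from_bytes(resp[1:4], "big") != len(resp) - 4:
        return "malformed"
    if resp[4:8] != SMB_MAGIC or resp[8] != SMB_COM_TRANSACTION2:
        return "malformed"
    mid = struct.unpack_from("<H", resp, 34)[0]  # MID sits at SMB header offset 30, plus 4 NetBIOS bytes
    return "infected" if mid == INFECTED_MID else "clean"


def make_sample_response(mid: int, status: int = 0) -> bytes:
    """Constructed sample reply (not a capture): SMB1 reply header with the given MID and an empty body."""
    header = (
        SMB_MAGIC
        + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, status, 0x98, 0xC007, 0)  # 0x80 flag bit marks a reply
        + b"\x00" * 10
        + struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid)
    )
    smb = header + b"\x00" + struct.pack("<H", 0)  # WordCount=0, ByteCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed replies standing in for what a scanner would read back from port 445.
SAMPLES = {
    "implant_present": make_sample_response(INFECTED_MID),
    "normal_server": make_sample_response(PING_MID),
    "truncated": make_sample_response(INFECTED_MID)[:20],
}

if __name__ == "__main__":
    print("ping opcode:", hex(opcode_from_timeout(PING_TIMEOUT)))
    print("probe:", build_ping_request(0x0800, 0x0800).hex())
    for name, reply in SAMPLES.items():
        print(f"{name}: {classify_ping_response(reply)}")
```

Two caveats matter when reading results: DoublePulsar lives only in kernel memory, so a host that was exploited and later rebooted answers “clean” even though it was compromised, and a “clean” answer is not evidence that the March 2017 patches were applied; exposure of TCP port 445 to the Internet is the finding Rendition’s statement is really about, and that is checked independently of this probe.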
Ransomware is not new to Atlanta. Last summer, cybersecurity experts estimated that hundreds of companies in Georgia may have been affected by the global WannaCry ransomware attack, which spread using the same EternalBlue exploit.