lolloj - Fotolia

Five days after Atlanta ransomware attack, recovery begins

After battling the fallout from an Atlanta ransomware attack for five days, Mayor Keisha Bottoms said City Hall has finally begun to recover and turn systems back on.

Atlanta's City Hall has given the all-clear for workers to turn systems back on following a ransomware attack that caused issues with certain scheduling and procurement processes.

The Atlanta ransomware attack began in the morning on March 22, and the FBI, Department of Homeland Security, Microsoft and Cisco were brought in early on to investigate and help the city remediate the issues. The city of Atlanta Twitter account said the government was "experiencing outages on various customer-facing applications, including some that customers may use to pay bills or access court-related information."

Various Twitter updates that followed asserted no customer or employee data had been compromised in the Atlanta ransomware attack, and the city's major infrastructure was not affected. But certain systems, such as ticket payment and applications for water service, were unavailable.

In a public statement dated March 27, the Atlanta mayor's office said the recovery process had begun.

"Today, the City of Atlanta is advising its employees to turn on computers and printers for the first time since the March 22 cyberattack," wrote Anne Torres, director of the Mayor's Office of Communications, and Nikki Forman, press secretary for the city, in the statement. "It is expected that some computers will operate as usual and employees will return to normal use. It is also expected that some computers may be affected or affected [sic] in some way and employees will continue using manual or alternative processes. This is part of the City's ongoing assessment as part of the restoration and recovery process."

Response to the Atlanta ransomware attack

According to Andrew Green, a Kennesaw State University professor who analyzed a screenshot of the ransomware sent to Atlanta NBC affiliate WXIA-TV, the malware used in the Atlanta ransomware attack was in the SamSam family, and the threat actors behind the attack were asking for .8 bitcoin per affected system, or 6 bitcoin -- more than $50,000 as of the time of the attack -- for a package decryption deal.

It is still unclear if the city paid the ransom, but Atlanta Mayor Keisha Lance Bottoms described the ransomware as a "hostage situation" in a press conference about the incident on Monday. Bottoms declined to comment on whether the vulnerability that was exploited to initiate the attack had been patched.

Michael Cote, CEO at Secureworks, based in Atlanta, said in the press conference that his company had been brought in to aid in the investigation and had identified the threat actor behind the Atlanta ransomware attack. Cote did not comment on how the attackers gained access to city systems.

Atlanta City Hall
Atlanta's City Hall was hit with ransomware, and after five days of work, the recovery process has formally begun.

City of Atlanta security

Rendition Infosec LLC based in Augusta, Ga., released a report showing the city of Atlanta had poor infosec practices, but did not comment on the recent ransomware attack directly.

According to Rendition research, at least five systems in the Atlanta government were compromised in April 2017 by an attack that used the EternalBlue exploit and Doublepulsar malware, although Rendition said their research "is very likely incomplete," because Doublepulsar disappears after a system reboot.

"This scan data conclusively shows that the city of Atlanta was not patching its internet facing hosts more than a month after critical patches were released by Microsoft. Microsoft released patches on March 14, 2017," Rendition wrote in a blog post. "Our scan data shows these hosts being vulnerable (and compromised by unknown attackers) on dates spanning from April 23, 2017 to May 1, 2017. After doing some searching for statements from the city or Atlanta, we can't find any indication that they were aware of this compromise at all."

Jake Williams, founder and CEO of Rendition Infosec, wrote on Twitter the research undermines the city of Atlanta's claims that it takes cybersecurity seriously.

Bob Rudis, chief data scientist for Rapid7, based in Boston, told SearchSecurity that as city governments become more connected, incidents like the Atlanta ransomware attack will be more common, because municipalities are "rich targets" for attackers.

The problem is that government systems have to be accessible to the public.
Maureen GrayCOO at Blue Ridge Networks

"Beyond financial account information and general personally identifiable information, city-related systems and networks can and do contain court and criminal records, tax records, nonpublic information on police and other protective services employees, department activities [and] plans and more," Rudis wrote via email. "Much of this is extremely sensitive data and would be [a] treasure trove of information, capable of being used in a diverse array of disruptive, targeted attacks against both individuals and entire departments."

Maureen Gray, COO at Blue Ridge Networks, a cybersecurity company headquartered in Chantilly, Va., said "the problem is that government systems have to be accessible to the public."

"Government and the private sector simply can't rely on intrusion detection, attack signatures and patch management approaches to cybersecurity anymore. That approach invites the sort of reactive 'fire drill' mentality we're seeing now," Gray told SearchSecurity. "Government must take a more proactive approach to cybersecurity by enacting a zero-trust stance. This assumes everything on their systems [is] already compromised and blocks unacceptable actions."

Next Steps

One data protection expert's ransomware recovery experience

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing