
Atlanta ransomware attack cost city more than $5 million

The bill for remediating the Atlanta ransomware attack that took some government systems offline in March was released, and totals more than $5 million and counting.

The city of Atlanta detailed the overall costs to remediate issues resulting from a ransomware attack that occurred in March and harden security for the future, and the bill adds up to more than $5 million.

The Atlanta ransomware attack occurred on March 22 and shut down several of the city's departments, though police, fire and emergency services departments were not affected. The city government notably didn't give workers the OK to turn systems back on until five days after the ransomware attack occurred.

The city government's emergency procurements website details the ongoing costs to recover from the Atlanta ransomware attack. News outlets first began covering these costs on April 23, when the total was just over $2.3 million, but since then the city of Atlanta has awarded another seven contracts, including one to Microsoft for "Cybersecurity Network Architects Staff Augmentation" worth more than $1.3 million.

Other costs include $650,000 to Secureworks for "emergency incident response services," $730,000 to Fyrsoft, a Microsoft managed partner specializing in cloud and data center work, and $600,000 to the professional services firm Ernst & Young for cyber incident response "advisory services."

Currently, the total costs listed on the procurements website are more than $5 million. As of this post the official city website dedicated to providing updates on the attack still includes this answer to the question of how long it will take to fix the issues from the attack:

"Our cross-functional incident response team is looking into this matter and working around-the-clock. It would be inappropriate to speculate on when this matter will be fixed, but we are committed to resolution."

Incident response vs. recovery

At the time of the Atlanta ransomware attack, the threat actors had demanded a ransom of 0.8 bitcoin per affected system, or 6 bitcoin for all of them -- more than $50,000 at the time. The city gave no indication it planned to pay that ransom, and such a payment likely would have been impossible anyway after the attackers closed the bitcoin wallet once its address was leaked to a news outlet.

Experts frequently advise routine backups of systems as the best way to be prepared for an attack like the Atlanta ransomware incident, and John Hodges, vice president of product strategy at AvePoint, said the detailed costs prove how expensive it can be to recover from an attack if an organization is unprepared.


"Customers who leverage cloud services without backup are especially vulnerable, since they often replace redundant infrastructure, portals or data storage. This underscores the need to understand the data you hold to avoid redundant storage," Hodges told SearchSecurity via email. "Keeping the business going is now a matter of rollback (loss of a small amount of work), or a minor inconvenience (redirecting to a new system) and not a catastrophic loss of access, as it was in this case."

The emergency procurement costs detailed by the city of Atlanta show the government is taking steps to ensure its incident response and security are stronger going forward. The latest contract at the time of this post was for more than $200,000 to deploy multifactor authentication, and two older contracts went to ForeScout products designed to increase visibility into, and the security of, perimeter devices.

Secureworks has attributed the attack to the Gold Lowell group using SamSam ransomware, which Secureworks said "is typically deployed after the threat actors exploit known vulnerabilities on perimeter systems to gain access to a victim's network."
