
Atlanta Says Further $9.5 Million Needed for Ransomware Recovery

Atlanta Ransomware Attack Was Far More Serious Than Originally Thought and Even Wiped Out the Police Dash-cam Recordings Archive


The City of Atlanta was struck by SamSam ransomware in March 2018. The ransom was set at $51,000 (in Bitcoin) but is believed not to have been paid. At that time, it was thought that some customer-facing applications and some internal services had been disrupted, but that no critical services had been affected.

One month later, it was reported that the cost of recovery from the attack had already reached nearly $3 million, and the city had not yet fully recovered.

Exactly what happened at Atlanta will not be known — if it ever is — until the work of the forensic investigators is complete. It is known, however, that the SamSam actors typically target their victims, gain access to the infrastructure, and interfere with processes before encrypting files. Hancock Health was hit by SamSam in January 2018. It paid the ransom, but a few days later, CEO Steve Long reported, “Though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers.”

On Wednesday this week, Atlanta information management head Daphne Rackley told the City Council that the Atlanta ransomware attack was far more serious than originally thought. More than one-third of the 424 software programs used by the city remain off-line or at least partially disabled — and almost 30% of those are considered ‘critical’.

City attorney Nina Hickson, for example, said her office had lost more than 70 of its 77 computers and ten years of legal documents. Police Chief Erika Shields told local television news station WSB-TV 2 that the hack irretrievably wiped out the police dash-cam recordings archive.

The Atlanta City Council is preparing to vote on the fiscal budget 2019, and must do so by the end of the month. It has now been told by Rackley that her department is likely to require an additional $9.5 million over the coming year because of the ransomware.

The Atlanta incident is a wake-up call that highlights the ransom quandary. Paying the ransom feeds the criminal activity, puts a target on the victim’s back for other criminals, and does not guarantee receipt of decryption keys. Not paying, however, will inevitably lead to recovery costs that could, for the unprepared, be extreme.


Atlanta seems to have been particularly unprepared. “I think that the true problem is not ransomware,” comments Ilia Kolochenko, CEO of High-Tech Bridge. “The problem is unreliable, overcomplicated and insecure-by-design IT architecture. Segregation of duties, data and network access control, proper segmentation, daily backup, desktop hardening, anomaly detection — are, de facto, a must-have in any modern company or governmental entity. Apparently, none were in place.”

Robust disaster recovery and backup systems can be particularly effective against extortion attacks. “Being able to easily and quickly recover data, like the dash-cam footage, from mere seconds before it was lost or disrupted can save an organization time, money and many other types of damage,” says Gijsbert Janssen Van Doorn, technology evangelist at Zerto.

The Barnstable Police Department is a case in point. The small town Police Department on Massachusetts’ Cape Cod was hit by ransomware in 2016 — but an effective disaster recovery system meant the ransomware was mitigated and eradicated with a maximum downtime of less than 40 minutes, and no more than 2 minutes of lost data.
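The Hancock Health and Barnstable cases above illustrate two properties a backup regime has to satisfy before it counts as a recovery capability: the backups must still be intact when they are needed (SamSam operators corrupted Hancock's backup components before encrypting), and the most recent copy must be young enough to meet the tolerated data-loss window (Barnstable lost no more than two minutes of data). The following script is an added example written for this article, not code from the city, any vendor quoted here, or the author. It assumes a manifest of SHA-256 hashes recorded at backup time and kept on a separate, offline medium, and uses constructed sample archives; the tampered "dashcam" archive and the three-day-old "email" archive are invented to show both failure modes being detected.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a backup blob; the manifest stores this at backup time."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: the archives as they were when the backups ran.
ORIGINAL_BACKUPS = {
    "legal-docs": b"case files archive, constructed sample",
    "dashcam": b"dash-cam footage archive, constructed sample",
    "email": b"mailbox archive, constructed sample",
}

# Manifest written at backup time. In practice this lives on offline or
# immutable storage so an intruder on the backup server cannot rewrite it.
MANIFEST = {
    "legal-docs": {"taken": "2018-06-06T02:00:00+00:00",
                   "sha256": sha256_hex(ORIGINAL_BACKUPS["legal-docs"])},
    "dashcam": {"taken": "2018-06-05T23:58:30+00:00",
                "sha256": sha256_hex(ORIGINAL_BACKUPS["dashcam"])},
    "email": {"taken": "2018-06-03T02:00:00+00:00",
              "sha256": sha256_hex(ORIGINAL_BACKUPS["email"])},
}

# What sits on the backup server now (constructed): the dash-cam archive has
# been altered since its hash was recorded, and no email backup has run for days.
CURRENT_BACKUPS = dict(ORIGINAL_BACKUPS)
CURRENT_BACKUPS["dashcam"] = ORIGINAL_BACKUPS["dashcam"] + b"\x00tampered"


def verify_backups(manifest, backups, now, rpo):
    """Return {backup name: [problems]} for every manifest entry.

    Problems reported: "missing" (no archive on the server), "hash-mismatch"
    (archive differs from the offline manifest, i.e. corrupted or tampered),
    "stale" (newest copy is older than the recovery point objective `rpo`).
    An empty list means the backup is usable for recovery.
    """
    findings = {}
    for name, entry in manifest.items():
        problems = []
        data = backups.get(name)
        if data is None:
            problems.append("missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append("hash-mismatch")
        taken = datetime.fromisoformat(entry["taken"])
        if now - taken > rpo:
            problems.append("stale")
        findings[name] = problems
    return findings


def usable_backups(findings):
    """Names of backups that passed every check, sorted for stable output."""
    return sorted(name for name, problems in findings.items() if not problems)


if __name__ == "__main__":
    check_time = datetime(2018, 6, 6, 2, 30, tzinfo=timezone.utc)
    results = verify_backups(MANIFEST, CURRENT_BACKUPS, check_time,
                             rpo=timedelta(hours=24))
    for name, problems in results.items():
        status = "OK" if not problems else ", ".join(problems)
        print(f"{name:12s} {status}")
    print("usable:", usable_backups(results))
```

Run on the constructed data, only the legal-documents archive passes: the dash-cam archive fails the integrity check even though it is recent, and the email archive is intact but older than the 24-hour objective. Running this kind of check on every backup cycle, with the manifest held where the backup server cannot write to it, is what turns a backup from a file that exists into a recovery the organisation can actually rely on.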

“Atlanta is now just another case study on what best practices need to be in place to protect an organization’s CyberPosture,” comments Mukul Kumar, CISO and VP of cyber practice at Cavirin. “They’re already talking about direct costs in the tens of millions, but the indirect costs and other impacts are potentially much greater.” The cost of prevention is inevitably less than the cost of cure.

Atlanta also demonstrates a dangerous escalation. A city is not merely an organization, it is part of the critical infrastructure. “The reality is that these are more lucrative targets than credit cards and people’s identities when you look at it from an attacker perspective,” warns Rishi Bhargava, co-founder at Demisto. “Attacks on cities, and our infrastructure, are like terrorist attacks and cities and governments will be willing to pay.” He believes they must not.

The terrorist analogy is not lost on Kolochenko. This attack, he suggests, was “likely driven by a trivial itch for gain, but what would the outcome be if the attackers were a nation-state group? They can cause tremendous damage to the city, its infrastructure and citizens. I think the IT companies responsible for maintenance of the Atlanta critical IT infrastructure can be liable for negligence. Someone should be accountable for this.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
