Cost of City of Atlanta’s cyber attack: $2.7 million — and rising

The City of Atlanta entered into emergency contracts worth $2.7 million to help restore the city’s computer network in the days following the March 22 ransomware cyber attack.

But despite hiring a stable of security consultants and crisis communications experts, some departments remain hobbled by an attack that occurred after years of warnings about vulnerabilities in the city’s system.

The $2.7 million figure does not include a contract with the law firm of Adams and Reese LLP. The city’s Law Department retained the firm to coordinate the city’s recovery efforts. The city is paying the firm’s partners $485 per hour and associates $300 per hour.

Nor does the figure include the lost productivity of some employees who went five days without the ability to use their computers.

By contrast, the Colorado Department of Transportation is estimated to have spent $1.5 million to get its computers back up and running after ransomware attacks in February and March.

As first reported by Channel 2 Action News, the city entered into eight contracts in the 10 days after it discovered the malware had infected its network. The contracts range in price from $50,000 to Edelman Public Relations for crisis communications to $730,000 to FyrSoft, a Microsoft partner, according to information on the Department of Procurement’s website.

The city has declined to provide copies of the contracts, except for the agreement with Adams and Reese. The city argued that security concerns might make some of the other information exempt from disclosure in response to a March 30 public records request from The Atlanta Journal-Constitution.

At a press conference on Tuesday, Mayor Keisha Lance Bottoms said that residents should view the recovery phase more like a marathon than a sprint — a comparison that makes sense given how long the hacker could have hidden in the city’s network before officials discovered it.

Ransomware is malicious software that encrypts data until the infected organization pays a ransom.

Organizations often don’t learn they have been infected with ransomware until they can’t access their data or until computer messages appear demanding a ransom payment in exchange for a decryption key.

The messages include instructions on paying the ransom, usually in the form of bitcoins — a cryptocurrency that allows for anonymous transactions online. The city declined to say if it would pay the $51,000 the attackers demanded in the March attack.

“The average time an attacker is in a system before detection is 229 days,” said Ralph Echemendia, a hacking consultant who teaches corporations how to keep data safe.

The city has hired Secureworks, a Dell subsidiary, which has emerged as an early authority on the cyber-criminal group, “Gold Lowell.” That group is being blamed for a rash of cyber attacks involving a variant of SamSam, the type of ransomware that struck Atlanta.

In early 2018, about a month before the Atlanta cyber attack, Secureworks published a report titled “SamSam Ransomware Campaigns,” which noted that the recent attacks involving SamSam have been opportunistic and lucrative and have impacted a wide range of organizations.

“One GOLD LOWELL campaign conducted between late-2017 and early-2018 generated at least $350,000 (USD) in revenue,” the report said.

So far the Watershed Department and Municipal Court appear to have been the most severely affected. The Watershed Department can accept payments only from people willing to travel to City Hall and write out a check, according to information on the city’s website.

At the Municipal Court, the judges are conducting hearings only for defendants who had yet to be released from jail. And the court cannot accept ticket payments at this time.

In the years leading up to the attack, the city received multiple warnings about security weaknesses.

In 2010, the city’s independent auditor warned that the Information Technology Department “currently does not have funding for business continuity and disaster recovery plans.”

A follow-up audit conducted in 2014 found that the city still lacked such a plan.

Another audit released in January found that the department of Atlanta Information Management and the Office of Information Security regularly identified vulnerabilities in the city’s network but not the root causes.

“In one case,” the audit said, “monthly vulnerability scan results indicated the presence of 1,500-2,000 severe vulnerabilities in the scanned population, with a history that went back over a year with no evidence of mitigation of the underlying issues.”
