Cost of City of Atlanta’s cyber attack: $2.7 million — and rising

The City of Atlanta entered into emergency contracts worth $2.7 million to help restore the city’s computer network in the days following the March 22 ransomware cyber attack.

But despite hiring a stable of security consultants and crisis communications experts, some departments remain hobbled by an attack that occurred after years of warnings about vulnerabilities in the city’s system.

The $2.7 million figure does not include a contract with the law firm of Adams and Reese LLP. The city’s Law Department retained the firm to coordinate the city’s recovery efforts. The city is paying the firm’s partners $485 per hour and associates $300 per hour.

Nor does the figure include the lost productivity of some employees who went five days without the ability to use their computers.

By contrast, the Colorado Department of Transportation is estimated to have spent $1.5 million to get its computers back up and running after ransomware attacks in February and March.

As first reported by Channel 2 Action News, the city entered into eight contracts in the 10 days after it discovered the malware had infected its network. The contracts range in price from $50,000 to Edelman Public Relations for crisis communications to $730,000 to FyrSoft, a Microsoft partner, according to information on the Department of Procurement’s website.

The city has declined to provide copies of the contracts, except for the agreement with Adams and Reese. The city argued that security concerns might make some of the other information exempt from disclosure in response to a March 30 public records request from The Atlanta Journal-Constitution.

At a press conference on Tuesday, Mayor Keisha Lance Bottoms said that residents should view the recovery phase more like a marathon than a sprint — a comparison that makes sense in light of how long the hacker could have hidden in the city’s network before officials discovered it.

Ransomware is malicious software that encrypts data until the infected organization pays a ransom.

Organizations often don’t learn they have been infected with ransomware until they can’t access their data or until computer messages appear demanding a ransom payment in exchange for a decryption key.

The messages include instructions on paying the ransom, usually in the form of bitcoins — a cryptocurrency that allows for anonymous transactions online. The city declined to say if it would pay the $51,000 the attackers demanded in the March attack.

“The average time an attacker is in a system before detection is 229 days,” said Ralph Echemendia, a hacking consultant who teaches corporations how to keep data safe.

The city has hired Secureworks, a Dell subsidiary, which has emerged as an early authority on the cyber-criminal group “Gold Lowell.” That group is being blamed for a rash of cyber attacks involving a variant of SamSam, the type of ransomware that struck Atlanta.

In early 2018, about a month before the Atlanta cyber attack, Secureworks published a report titled “SamSam Ransomware Campaigns,” which noted that the recent attacks involving SamSam have been opportunistic, lucrative and impacted a wide range of organizations.

“One GOLD LOWELL campaign conducted between late-2017 and early-2018 generated at least $350,000 (USD) in revenue,” the report said.

So far the Watershed Department and Municipal Court appear to have been the most severely affected. The Watershed Department can accept payments only from people willing to travel to City Hall and write out a check, according to information on the city’s website.

At the Municipal Court, the judges are conducting hearings only for defendants who had yet to be released from jail. And the court cannot accept ticket payments at this time.

In the years leading up to the attack, the city received multiple warnings about security weaknesses.

In 2010, the city’s independent auditor warned that the Information Technology Department “currently does not have funding for business continuity and disaster recovery plans.”

A follow-up audit conducted in 2014 found that the city still lacked such a plan.

Another audit released in January found that the department of Atlanta Information Management and the Office of Information Security regularly identified vulnerabilities in the city’s network but not the root causes.

“In one case,” the audit said, “monthly vulnerability scan results indicated the presence of 1,500-2,000 severe vulnerabilities in the scanned population, with a history that went back over a year with no evidence of mitigation of the underlying issues.”
