The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildly fluctuated in price.
But it’s understood that the ransom was never paid — because the portal used to pay the ransom (even if the city wanted to) was pulled offline by the ransomware attacker.
Between March 22 and April 2, the city spent $2,667,328 in incident response, recovery, and crisis management. (Hat tip to Ryan Naraine for tweeting out the link.)
Among the costs, Atlanta spent $650,000 on hiring local security firm Secureworks for emergency incident response services, and an additional $600,000 on advisory services from Ernst & Young for cyber incident response.
The city also spent $50,000 to hire Edelman, a public relations firm specializing in crisis response management — in other words, trying to make things look less bad than they actually are.
It’s not known if additional, unreported costs were involved in the ransomware clean-up.
When reached, a spokesperson for the city did not immediately respond to several questions we had. If that changes, we’ll update.
Last month we reported that Atlanta narrowly missed falling victim to another cyberattack in 2016, when the now-infamous WannaCry ransomware attack spread across the globe.
Speaking to ZDNet at the time, Jake Williams, founder of cybersecurity firm Rendition Infosec, said that the city’s networks were left unpatched for weeks — making them vulnerable to ransomware attacks.
He found that at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017. That was more than a month after Microsoft released critical patches for the exploits and urged users to install them.
Based on his data, he said that the city “had a substandard security posture” at the time.