Atlanta mayor Keisha Bottoms said on Thursday, March 22, that hackers attacked the city’s network system and encrypted data. The details are somewhat slim for now, but hackers reportedly used the SamSam ransomware and demanded around $51,000 in Bitcoin to unlock the city’s seized computers. Atlanta is currently working with the Department of Homeland Security, the FBI, Microsoft, and Cisco cybersecurity officials to determine the scope of the damage and regain control of the data held hostage.
“Our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue,” the city’s official Twitter account states. “We are confident that our team of technology professionals will be able to restore applications soon. Our city website, Atlantaga.gov, remains accessible and we will provide updates as we receive them.”
As of Thursday afternoon, the city said it faced outages on various “internal and customer facing applications,” such as means for accessing court-related information and paying bills. But the city itself isn’t exactly under siege: Airport, public safety, and water operations remain unaffected by the attack, and the city payroll wasn’t touched. The only bone Atlanta is throwing the public is that the attack affects “various city systems.”
According to Atlanta’s newly appointed chief operating officer, Richard Cox, Atlanta Information Management officials were made aware of problems with internal and customer-facing applications at 5:40 a.m. Thursday. At the time, he acknowledged that the city fell prey to ransomware, but given the investigation is still ongoing, he couldn’t provide the extent of the damage.
“The ongoing investigation will determine whether personal information, financial, or employee data has been compromised,” he said during a press briefing. “As a precaution, we are asking that all employees take the appropriate measures to ensure their data is not compromised. The city advises employees to monitor and protect personal information and in the coming days we will offer employees additional resources if needed.”
What the city didn’t officially disclose was the ransomware note discovered in the investigation. A screenshot reveals the hackers’ demands: 0.8 Bitcoins for each seized computer, or six Bitcoins to unlock all computers held hostage, equal to around $51,000 in real cash. Once Atlanta sends the Bitcoins to a digital wallet, the city is to leave a message containing the host name on a specific website. The hackers will then provide decryption software to release the computers from captivity.
The SamSam malware doesn’t take the typical route of installing itself on computers when unsuspecting owners click a link within an email. Instead, hackers find unpatched vulnerabilities in network servers and manually unleash SamSam to seize key data systems and cause maximum damage to the targeted organization’s infrastructure.
SamSam belongs to a family of ransomware targeting government and healthcare organizations. It was first observed in 2015 and encrypts various file types using the Advanced Encryption Standard (aka Rijndael). It then encrypts that AES key with 2048-bit RSA, making the files unrecoverable without the attackers’ private key.
As of Friday morning, Atlanta’s main website and its affiliated portals remained unaffected by the ransomware attack.