Ransomware Attack Cripples Several Atlanta City Systems

The city of Atlanta is being extorted for $51,000 in a ransomware attack that hit early Thursday and impacted several local government departments.

UPDATE – Atlanta Mayor Keisha Lance Bottoms said during a Monday press conference that the emergency response team continues to “work around the clock” to address an ongoing ransomware attack on the city’s systems that first started Thursday.

Many services are still unavailable four days after the attack first hit on Thursday, including online water bill payments. Bottoms said that the city is now working with Atlanta-based cybersecurity firm Secureworks to correct the computer issues.

Secureworks CEO Michael Cote said during the press conference the company has completed the early phases of the incident response investigation and is moving to start restoring Atlanta systems impacted by the attack. He also said Secureworks knows who is behind the attack.

Bottoms said Atlanta’s public services department and airport continue to operate despite the ongoing attack: “This is about making sure the city of Atlanta continues to function to the best of our ability,” she said.

When asked about how the system was first attacked, Bottoms didn’t offer details around specific vulnerabilities: “We certainly are looking at the entire system. We have some thoughts about what our vulnerabilities are but really right now our focus is what we need to do moving forward,” she said.

“We’ve had this [security] conversation at a national level,” said Bottoms. “It really speaks to the fact that as much as we focus on physical infrastructure, we need to focus on the security of our digital infrastructure…. This is new territory for us, but we are a resilient city.”

The city of Atlanta is currently being targeted in a ransomware attack impacting several of its departments and crippling government websites that process payments and relay court information.

The attack first hit on Thursday morning, according to the City of Atlanta. In an email to Threatpost, an Atlanta government spokesperson said that there are no updates to share as of Friday morning.

The city, which is the ninth-largest metro area in the U.S., said on its Twitter account Thursday that it is facing outages on various internal and external customer-related applications, “including some that customers may use to pay bills or access court-related information.”

Atlanta Chief Operating Officer Richard Cox said in a press conference Thursday evening that Atlanta is working with the Federal Bureau of Investigation and the Department of Homeland Security, as well as Microsoft and Cisco’s security emergency response teams, to address the attack.

Atlanta said that at this time several departments were affected by the attack. However, the Atlanta Public Safety department, airport, and water services operation “are operating without incident.” In addition, payroll for city employees won’t be impacted by the attack.

According to reports by CBS46, the attack included a ransom note that demanded 6 bitcoins for all computers (or $51,000 based on today’s valuation) in exchange for keys to decrypt systems.

In the press conference, Cox confirmed that the city received a written demand related to the attack, but did not confirm the contents of the demand. There was also no specification around how the attack was first launched.

Atlanta is still investigating whether personal, financial or employee data has been compromised. “As a precaution, we are asking that all employees take the appropriate measures to ensure their data is not compromised. The city advises to monitor or protect personal information,” said Cox.

According to a report by Atlanta local news site AJC, a note from the Atlanta information management team told City Hall employees not to use their computers unless previously cleared.

In the press conference, Atlanta’s mayor, Keisha Lance Bottoms, wouldn’t specify whether Atlanta would pay the ransom.

Atlanta is only the most recent victim of ransomware attacks. In May 2017, a massive-scale ransomware attack, WannaCry, paralyzed systems across various markets – including England’s health care system and one of Honda’s Japanese plants.

Rob Tate, security researcher at WhiteHat Security, told Threatpost that he predicts more ransomware attacks on government utilities in the coming year, especially as each year ransomware attacks have been launched on more publicly visible victims – like hospitals and local governments.

“One thing that strikes me about this incident is that it’s not too different than attacks we’ve seen before,” he said. “In some cases, and seemingly in a case like this, the attacker did their homework, and would pick a number that they know the victim can afford to pay.”
