Atlanta projected to spend at least $2.6 million on ransomware recovery

The ransom was never paid, the city confirms. The payment portal was pulled offline by the attacker.
Written by Zack Whittaker, Contributor

Atlanta is setting aside more than $2.6 million for recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city's online services.

The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildly fluctuated in price.

But the ransom was never paid, Atlanta city spokesperson Michael Smith confirmed in an email. Between the ransomware attack and the deadline to pay, the payment portal was pulled offline by the ransomware attacker.

According to newly published emergency procurement figures, the city is projected to spend as much as 50 times that amount in response to the cyberattack.

Between March 22 and April 2, the city budgeted $2,667,328 in incident response, recovery, and crisis management. (Hat tip to Ryan Naraine for tweeting out the link.)

According to the spokesperson, the amount is a "current projected total" that is not to be exceeded, but does not mean that the full figure will be spent.

Among the costs, Atlanta earmarked $650,000 on hiring local security firm Secureworks for emergency incident response services, and an additional $600,000 on advisory services from Ernst & Young for cyber incident response.

The city also set aside $50,000 to hire Edelman, a public relations firm specializing in crisis response management -- in other words, trying to make things look less bad than they actually are.

It's not known if additional, unreported costs were involved in the ransomware clean-up.

When reached, a spokesperson for the city did not immediately respond to several questions we had. If that changes, we'll update.

Last month we reported that Atlanta narrowly missed falling victim to another cyberattack in 2016, when the now-infamous WannaCry ransomware attack spread across the globe.

Speaking to ZDNet at the time, Jake Williams, founder of cybersecurity firm Rendition Infosec, said that the city's networks were left unpatched for weeks -- making them vulnerable to ransomware attacks.

He found that at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017. That was more than a month after Microsoft released critical patches for the exploits and urged users to install them.

Based on his data, he said that the city "had a substandard security posture" at the time.

Clarification: an earlier version of this article said Atlanta had spent the emergency procurement funds it was awarded. We reached out prior to publication, but a spokesperson said Tuesday that the figures were projections, and not what had already been spent.
