The city learned of the attack at around 5:40 am local time on Thursday.
On Thursday, Mayor Keisha Lance Bottoms announced on Thursday that a malware has taken in hostage some internal systems, city’s data were encrypted.
— City of Atlanta, GA (@Cityofatlanta) March 22, 2018
The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.
It is still unclear the current extent of the infection, but security experts fear other consequences for the citizens. The mayor recommended the city’s employees and anyone who had conducted transactions with the city to monitor their bank accounts fearing a possible data breach.
“Yesterday morning, computer trouble started interfering with the normal computer operations on the Atlanta government network.” states Forbes.
“Later on, mayor Keisha Lance Bottoms called a press conference to clear the air. The source of the problem: a ransomware attack that had compromised multiple systems.”
“We don’t know the extent so we just ask that you be vigilant,” Bottoms explained in the news conference. “All of us are subject to this attack, if you will. Many of us pay our bills online, we have direct deposit, so go online and check your bank statements.”
Investigators believe that hackers initially compromised a vulnerable server, then the ransomware began spreading to desktop computers throughout the City network. Crooks demanded a payment of 6 Bitcoin, around $51,000 at the current rate,
New Atlanta Chief Operating Officer Richard Cox said that several departments have been affected.
“We don’t know the extent so we just ask that you be vigilant,” Bottoms said in a Thursday news conference. “All of us are subject to this attack, if you will. Many of us pay our bills online, we have direct deposit, so go online and check your bank statements.”
No critical infrastructure and services seem to be affected, the departments responsible for public safety, water, and airport services are operating as normal, however.
— COA Procurement (@ATLProcurement) March 23, 2018
In response to the attack, IT staff sent emails to city employees in multiple departments telling them to disconnect their computers from the network if they notice suspicious activity.
In February, the SAMSAM Ransomware hit the Colorado DOT, The Department of Transportation Agency and shuts down 2,000 computers.
According to the U.S. Department of Justice, the SAMSAM strain was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application.
The SamSam ransomware is an old threat, attacks were observed in 2015 and the list of victims is long, many of them belong to the healthcare industry. The attackers spread the malware by gaining access to a company’s internal networks by brute-forcing RDP connections.
Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area. Crooks behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files, but the organization refused to pay the Ransom because it had a backup of the encrypted information.
In April 2016, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware.
The FBI and Department of Homeland Security are investigating the cyberattack.
The local news channel WXIA published a screenshot of an alleged ransom message, the note demands 0.8 bitcoin (roughly $6,800) per computer or 6 bitcoin ($50,000) for keys to unlock the entire network.
The mayor confirmed that the city would seek guidance from federal authorities on how to “navigate the best course of action”.
(Security Affairs – City of Atlanta, ransomware)