So far, Atlanta's ransomware costs top $2.6 million
- By Susan Miller
- Apr 24, 2018
Atlanta has spent $2.6 million recovering from a ransomware attack that demanded a roughly $51,000 payment.
The March 22 attack encrypted data across computers in Atlanta's city government offices, affecting which affected various internal and customer facing applications, including those in the Police Department, Watershed Management, Procurement, City Planning, Public Works, Human Resources, ATL311, the Municipal Courts, Correction and Parks and Recreation.
Atlanta's procurement website showed that, as of April 24, the city's Information Management Agency, the Municipal Courts and the Department of Law had paid $2.6 million to eight vendors. SecureWorks received $650,000 for emergency incident response services; the city paid $730,000 to Fyrsoft for Microsoft cloud, Active Directory and Windows 10 support; and $600,000 went to Ernst and Young for advisory services related to cyber incident response.
And while a $2.6 million bill is enough to make any CIO queasy, it's not an exorbitant amount, according to Chris Duvall, senior director of the Chertoff Group, which specializes in risk management. The city probably had to pay not just for remediation, but also insurance claims, privacy monitoring and missed services, he told Wired. Overtime, crisis communications, legal consulting and lost productivity will have added to the bill.
The ransom was never paid, Atlanta city spokesperson Michael Smith confirmed to ZDNet in an email. Had it paid the ransom, it would like never have discovered how the attackers got in and moved through agency networks, a chief information security officer told the news site.
That stand will likely help the city bolster its overall cybersecurity posture, and the remediation costs will likely move cybersecurity -- including zero-trust policies, segmented networks, ongoing maintenance, secure storage and patch management -- to the top of the agenda in future city business meetings.
"The ROI is clear, consider the costs and material loss of your company going down for a day, versus shifting priorities to give your engineers more time to manage patches properly," Yonathan Klijnsma, a threat researcher with a digital threat management firm RiskIQ, said after the attack. "It’s not a good time to roll the dice.”
As bad as the attack was, the city's cloud-first strategy may have mitigated some of its effects, interim CIO Daphne Rackley said in a press conference shortly after the attack. She said the city had been migrating some of its major systems to the cloud to increase their security.
But even cloud-based systems need backup. Organizations that "leverage cloud services without backup are especially vulnerable, since they often replace redundant infrastructure, portals or data storage," said John Hodges, VP of product strategy at software vendor AvePoint.
"This underscores the need to understand the data you hold to avoid redundant storage," Hodges said. "Keeping the business going is now a matter of rollback (loss of a small amount of work), or a minor inconvenience (redirecting to a new system) and not a catastrophic loss of access, as it was in this case."
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at firstname.lastname@example.org or @sjaymiller.