Time is running out for the city of Atlanta, which was given until Wednesday to pay off the cyberattackers who laid siege to city government data and are threatening to wipe the computers clean.
But, as Georgia Public Broadcasting’s Emily Cureton reported for NPR, even if officials authorized the six-bitcoin ransom payment — currently worth about $51,000 — to lift the wall of encryption paralyzing a number of city services, it’s not clear whether there is anywhere to send the money.
The payment portal set up by the hijackers for the infected systems, which included a countdown clock, was disabled days before the deadline after a local TV news station tweeted out an unredacted ransom note it obtained from a city employee. It contained a link to a bitcoin wallet leading directly to a group known for using SamSam ransomware.
It didn’t take long for people to begin bombarding the hackers with questions about the attack via the exposed portal, the security news site CSO reported. Initially, the hackers demanded more money before they would respond to those inquiries; later they scrapped the entire contact form, saying they were taking it down because of too much spam.
While it’s possible other portals exist, city officials have not confirmed that is the case. Nor have they confirmed the identity of the hackers.
Still, the SamSam group is known for choosing targets that have weak security and a strong incentive to regain control of their information, and that are therefore very likely to pay. Since December 2017, it has collected nearly $850,000 in ransoms from victims in health care, education and government, according to CSO. Last month, the city of Leeds, Ala., paid ransomware hackers $12,000 to release data in a similar attack.
Researchers at Talos, Cisco’s threat intelligence group, which is investigating SamSam, say this is the first time the group “has publicly deleted or deactivated a portal prior to the seven-day clock expiring. While it’s possible they’ve taken such actions before, reports of those incidents haven’t been shared publicly.”
An audit of Atlanta’s information technology department shows the city was warned this could happen months ago, Cureton told NPR.
“The audit found a significant level of preventable risk to the city. The auditor writes there were long-standing issues, which city employees got used to and also didn’t have the time or resources to fix. The audit concludes Atlanta had no formal processes to manage risk to its information systems.”
And a Georgia-based cybersecurity firm called Rendition Infosec on Tuesday tweeted that it had uncovered data showing a handful of city computers came under attack last year.
“We dug into our data and perhaps unsurprisingly, at least 5 of their machines were compromised in April 2017,” the company’s owner, Jake Williams, wrote.
The malware in Atlanta has crippled several city online services. The municipal court can’t see cases. Residents can’t pay bills online. And police officers are writing reports and booking inmates by hand.
So far, the cyberattack has not impacted police and fire emergency-response systems, water supply safety or airport safety.
Atlanta Mayor Keisha Lance Bottoms told reporters at a press conference Monday that the city hasn’t decided whether it will make the payment.
“Everything is up for discussion,” she said.
“We are a resilient city, and we will get on the other side of this,” Bottoms added. “This is bigger than a ransomware attack; it’s an attack on government and therefore an attack on all of us.”
Bottoms also announced the creation of a response team to help resolve the crisis, including the federal Department of Homeland Security, the FBI and the Secret Service. Independent forensics experts and researchers from Georgia Tech are also lending a hand in the investigation.
In the seven days since the city’s data was taken hostage, some city employees are back online and able to use email. Others are still using pen and paper. The municipal court system has been turning people away all week.