Atlanta government ransomware attack

Atlanta government ransomware attack
Date	March 22, 2018
Location	Atlanta, Georgia, United States
Type	Cyberattack
Theme	Ransomware encrypting files with $51,000 demand (via Bitcoin)
Cause	SamSam Ransomware; ;
Outcome	Multiple municipal services down, including databases and wi-fi; Years' worth of data destroyed; City spends $2.7 million in recovering services

The city of Atlanta, Georgia was the subject of a ransomware attack which began in March 2018.^[2] The city recognized the attack on Thursday, March 22, 2018,^[1]^[3] and publicly acknowledged it was a ransomware attack.

Due to Atlanta's national importance as a transportation and economic hub, the attack received wide attention^[4] and was notable for both the extent and duration of the service outages caused. Many city services and programs were affected by the attack, including utility, parking, and court services.^[5] City officials were forced to complete paper forms by hand.^[6]

On November 26, a grand jury indicted two Iranian hackers, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for the attack. The Department of Justice alleged that Savandi and Mansouri are part of the SamSam group; that the SamSam group is based out of Iran; and that the pair created SamSam Ransomware, the malware used in the attack. There are no affiliations with the government of Iran.^[7]

Approach and attack

Leading up to the attack, the Atlanta government was criticized for a lack of spending on upgrading its IT infrastructure, leaving multiple vulnerabilities open to attack. In fact, a January 2018 audit found 1,500 to 2,000 vulnerabilities in the city's systems, and suggested that the number of vulnerabilities had grown so large that workers grew complacent.^[8] The virus used to attack the city was the SamSam Ransomware, which differs from other ransomware in that it does not rely on phishing, but rather utilizes a brute-force attack to guess weak passwords until a match is found. It is known to target weaker IT infrastructures and servers.^[9] The ransomware has prominently been behind attacks on medical and government organizations since its discovery in 2016, with previous attacks on targets ranging from small towns such as Farmington, New Mexico to the Colorado Department of Transportation and the Erie County Medical Center. It can also bypass antivirus software.^[10] Despite no suspects being identified or indicted until November 2018, the SamSam hackers were described as "opportunistic".^[11]

On March 22, at 5:40 AM, the Department of Atlanta Information Management first learned of outages on various internal and customer applications “including some applications customers use to pay bills or access court related information,” according to Richard Cox, the city's interim Chief of Operations. Soon afterward, the city shut down many of its digital services in an attempt to control the situation, including its court system database and the wi-fi at Hartsfield–Jackson Atlanta International Airport. The city eventually identified it as a ransomware attack.^[3]^[1]

Aftermath and recovery efforts

This hack was notable as it was the largest successful breach of security for a major American city by ransomware, potentially affecting up to 6 million people.^[9]^[12] Following the attack, the city of Atlanta cooperated with the FBI, Department of Homeland Security, and Secret Service and hired security firms such as SecureWorks to investigate, and many government computers were advised to stay powered off until 5 days later.^[6]

Though the city declared that there was little to no evidence that personal data had been compromised, later studies show that the breach was worse than originally estimated. In June 2018, it was estimated that a third of the software programs used by the city remained offline or partially disabled.^[13] In addition, many legal documents and police dashcam video files were permanently deleted, though the police department was able to restore access to all its investigation files.^[14] For a while, residents were forced to pay their bills and forms by paper.^[6]

In response to this hack, Atlanta devoted $2.7 million to contractors in order to recover, but later estimated it would need $9.5 million.^[13]

On November 26, 2018, the Department of Justice indicted two Iranian hackers for the attack, charging that Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were part of the SamSam group and created SamSam Ransomware.^[7]

References

^ a b c "Atlanta, GA : Ransomware Cyberattack Information". www.atlantaga.gov. Archived from the original on July 18, 2018. Retrieved March 28, 2018.
^ Brumback, Kate (March 23, 2018). "Atlanta city computer network remains hobbled by cyberattack". AP News. Retrieved August 8, 2023.
^ a b Deere, Stephen (March 23, 2018). "Atlanta officials warn cyber attack may compromise sensitive data". The Atlanta Journal-Constitution. ISSN 1539-7459. Retrieved August 8, 2023.
^ Blinder, Alan; Perlroth, Nicole (March 27, 2018). "A Cyberattack Hobbles Atlanta, and Security Experts Shudder". The New York Times. Archived from the original on January 11, 2022.
^ Kearney, Laila (March 23, 2018). Maler, Sandra (ed.). "Atlanta ransomware attack throws city services into disarray". Reuters.
^ a b c Hutcherson, Kimberly (March 27, 2018). "Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand". CNN.
^ a b Perlroth, Nicole; Benner, Katie (November 28, 2018). "Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta". The New York Times. Archived from the original on January 14, 2022. Retrieved November 30, 2018.
^ "ISO/IEC 27001 ISMS Precertification Audit". City Auditor's Office. January 2018.
^ a b Freed, Benjamin (April 24, 2018). "Atlanta was not prepared to respond to a ransomware attack". StateScoop. Retrieved July 18, 2018.
^ Crowe, Jonathan (March 2018). "City of Atlanta Hit with SamSam Ransomware: 5 Key Things to Know". Barkly vs Malware. Barkly Protects, Inc. Archived from the original on July 18, 2018. Retrieved July 18, 2018.
^ "SamSam ransomware attacks have earned nearly $850,000". CSO Online. IDG. March 23, 2018. Retrieved July 18, 2018.
^ Poon, Linda (March 30, 2018). "Why Are Cities So Vulnerable to Cyber Attack?". Citylab.com. Retrieved July 18, 2018.
^ a b Kearney, Laila (June 6, 2018). Adler, Leslie (ed.). "Atlanta officials reveal worsening effects of cyber attack". Reuters. Retrieved July 18, 2018.
^ Vaas, Lisa (June 8, 2018). "Atlanta ransomware attack destroyed years of police dashcam video". Naked Security. Sophos.

[AtlAck-1] "Atlanta, GA : Ransomware Cyberattack Information". www.atlantaga.gov. Archived from the original on July 18, 2018. Retrieved March 28, 2018.

[2] Brumback, Kate (March 23, 2018). "Atlanta city computer network remains hobbled by cyberattack". AP News. Retrieved August 8, 2023.

[myajc-3] Deere, Stephen (March 23, 2018). "Atlanta officials warn cyber attack may compromise sensitive data". The Atlanta Journal-Constitution. ISSN 1539-7459. Retrieved August 8, 2023.

[4] Blinder, Alan; Perlroth, Nicole (March 27, 2018). "A Cyberattack Hobbles Atlanta, and Security Experts Shudder". The New York Times. Archived from the original on January 11, 2022.

[5] Kearney, Laila (March 23, 2018). Maler, Sandra (ed.). "Atlanta ransomware attack throws city services into disarray". Reuters.

[CNN-6] Hutcherson, Kimberly (March 27, 2018). "Six days after a ransomware cyberattack, Atlanta officials are filling out forms by hand". CNN.

[nytnov18-7] Perlroth, Nicole; Benner, Katie (November 28, 2018). "Iranians Accused in Cyberattacks, Including One That Hobbled Atlanta". The New York Times. Archived from the original on January 14, 2022. Retrieved November 30, 2018.

[8] "ISO/IEC 27001 ISMS Precertification Audit". City Auditor's Office. January 2018.

[unprepared-9] Freed, Benjamin (April 24, 2018). "Atlanta was not prepared to respond to a ransomware attack". StateScoop. Retrieved July 18, 2018.

[10] Crowe, Jonathan (March 2018). "City of Atlanta Hit with SamSam Ransomware: 5 Key Things to Know". Barkly vs Malware. Barkly Protects, Inc. Archived from the original on July 18, 2018. Retrieved July 18, 2018.

[11] "SamSam ransomware attacks have earned nearly $850,000". CSO Online. IDG. March 23, 2018. Retrieved July 18, 2018.

[12] Poon, Linda (March 30, 2018). "Why Are Cities So Vulnerable to Cyber Attack?". Citylab.com. Retrieved July 18, 2018.

[Reuters1-13] Kearney, Laila (June 6, 2018). Adler, Leslie (ed.). "Atlanta officials reveal worsening effects of cyber attack". Reuters. Retrieved July 18, 2018.

[14] Vaas, Lisa (June 8, 2018). "Atlanta ransomware attack destroyed years of police dashcam video". Naked Security. Sophos.

v t e History of Atlanta
Origins	Standing Peachtree
Buildings	Historic districts Buildings listed on National Register: (Atlanta in Fulton Co.) (Atlanta in DeKalb Co.) Demolished buildings Demolished public housing projects
Civil War	Atlanta Campaign Atlanta in the Civil War Battle of Atlanta Battle of Ezra Church Battle of Jonesborough Battle of Kennesaw Mountain Battle of Peachtree Creek Battle of Utoy Creek Burning of Atlanta Stone Mountain
Crime	Race massacre (1906) Ripper (1911) Leo Frank lynching (1915) Temple bombing (1958) Peyton Road affair (1962–1963) Child murders (1979–1981) Prison riots (1987) Centennial Olympic Park bombing (1996) Otherside Lounge bombing (1997) Day trading firm shootings (1999) Shooting of Kathryn Johnston (2006) Public schools cheating scandal (2009–2015) Shooting of Scout Schultz (2017) Ransomware attack (2018) Killing of Rayshard Brooks (2020) Spa shootings (2021) Northside Hospital shooting (2023)
Culture	Opera in Atlanta Arts in Atlanta
Disasters	Great Atlanta Fire (1917) Winecoff Hotel fire (1946) Air France Flight 007 crash (1962) Bluffton University bus crash (2007) Tornado strikes downtown (2008) Interstate 85 bridge collapse (2017)
Events	Timeline International Cotton Exposition (1881) Piedmont Exposition (1887) Cotton States and International Exposition (1895) Gone with the Wind premiere (1939) Funeral of Martin Luther King Jr. (1968) Atlanta International Pop Festival (1969, 1970) Democratic National Convention (1988) Super Bowl XXVIII (1994) World Series (1991, 1992, 1995, 1996, 1999, 2021) Summer Olympics (1996) WrestleMania XXVII (2011) Super Bowl LIII (2019)
Labor	Washerwomen strike (1881) Fulton Bag and Cotton Mills strike (1914–1915) Streetcar strike (1916) Transit strike (1950) Scripto strike (1964–1965) Sanitation strike (1977) Sanitation strike (2018) School bus drivers' strike (2018)
LGBT	Library perversion case (1953) Lonesome Cowboys police raid (1969) Atlanta Pride (1971) Atlanta Eagle police raid (2009)
People	Mayors Pioneers History of Hispanics in Atlanta History of African Americans in Atlanta Demographic history Gentrification Racial segregation History of the Jews in Atlanta
Places	History by neighborhood Former neighborhoods and settlements Annexations and city wards Street names History of Georgia Tech Historic mills Zero Mile Post
Protests	Atlanta sit-ins (1960-1961) Freeway revolts Occupy Atlanta (2011–2012) George Floyd protests (2020) Stop Cop City (2021–present)
Transportation	Atlanta Transit Company (1950) Historic bridges Historic ferries Streetcars MARTA (1972) Western and Atlantic Railroad (1836) Trolleybuses Viaducts
History of Atlanta Timeline of Atlanta history

Date	March 22, 2018^[1]
Location	Atlanta, Georgia, United States
Type	Cyberattack
Theme	Ransomware encrypting files with $51,000 demand (via Bitcoin)
Cause	SamSam Ransomware
Outcome	Multiple municipal services down, including databases and wi-fi Years' worth of data destroyed City spends $2.7 million in recovering services