Why us? 6 months after ransomware attack Atlanta has no answers
It's possible a vulnerability was found during a random scan and a hacker said, "we got a live one here," according to a security advisor.
A cyberattack is as unapologetic as it is invasive. In Atlanta's case, a March ransomware attack also included a level of irony in that file names on city computers were altered to include "weapologize" and "imsorry."
The wake of the hack was so severe it pushed back confirmation of the city's budget for 2019 and required city council employees to work off of a "single clunky personal laptop."
City and local governments are strained by their budgets because of pressure to allocate funds to more constituent-facing projects. Atlanta, like any other local government, sometimes has to choose between dedicating money to new city computers or, say, public schools.
This is an issue the private sector doesn't directly feel. Though "sometimes you think greater good goes to helping constituents," said Chris Duvall, senior director at security and risk management firm Chertoff Group, in an interview with CIO Dive, there still needs to be a risk trade-off.
The Georgia capital's technological infrastructure was left in an encrypted mess and the whole incident may have been born from just a "target of opportunity," said Duvall.
SamSam hits again?
Experts believe the group behind the SamSam ransomware was also behind Atlanta's attack. Groups like it tend to operate like a business, with each member working at a different tier of a hierarchy.
Across those tiers, some members scan random IP ranges for potential vulnerabilities while others sift through what the scans turn up for targets worth pursuing, according to Duvall.
The process continues until the remaining targets are passed to the "real group," which will go in, "live off the land," exploit the vulnerability and do recon on the compromised system, he said.
There's no way of knowing why Atlanta was targeted. However, it's completely possible the city had a vulnerability found during a random scan and someone said "we got a live one here," according to Duvall.
Opportunistic attacks are escalating, and the thought of a city falling victim by chance is a sobering reality.
SamSam didn't just go after Georgia at the start of the year.
Colorado was hit back-to-back in 2018. In February, computers owned by the Colorado Department of Transportation were locked by ransomware, according to local reports. The attack in Colorado has added up to about $1.5 million in recovery.
However, about a week later the ransomware struck again and employees had to work on paper instead of computers. As in Atlanta, the attackers used a new SamSam variant and demanded their ransom in bitcoin.
Employees of Colorado's transportation department were required to conduct business "the old-fashioned way," a spokesperson for the state's Office of Information Technology said.
What was lost
Imagine being one month into the job and being hit with a calamitous ransomware attack. That's what it felt like to be Atlanta's interim CIO Daphne Rackley.
It was revealed about 35% of the city's 424 software programs were taken "offline or partially offline" by the attack, according to Rackley during a public meeting with city council members on June 6.
Forty-nine of the impacted applications were considered "mission critical," and the extent of the attack seemed "to be growing every day," said Rackley at the time.
Initially, the Department of Atlanta Information Management (AIM) thought there were about 22 mission critical applications but found more "because [there] are a lot of interdependencies," she said. The implicated applications had a direct impact on services for police and courts.
Some of the applications requiring a rebuild have vendors who need to take part in the process, which requires paying for their services. Other applications can be built internally by AIM.
Decades of digital records and data, including some police dash cam footage, are considered lost forever. "There is nothing a city government can do to offset these losses," Pravin Kothari, CEO of CipherCloud, told CIO Dive.
Outages were reported across departments the day of the attack, leaving Atlanta Mayor Keisha Lance Bottoms and COO Richard Cox uncertain of the attack's scope. At the very least, the government expected an overhaul of its technical infrastructure, which began with regaining fully operational servers.
"Once an attack is launched, it will access and encrypt shared data," Brian Vecci, technical evangelist at Varonis, told CIO Dive. The data that's often accessed is open and unmonitored.
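The pattern Vecci describes, one account touching and encrypting large amounts of shared data that nobody is watching, is detectable from file-server audit logs. The script below is an added example, not code from the article or from Varonis, that flags a single account renaming many files inside a short window and raises the severity when the new names carry the "weapologize" or "imsorry" markers the article says appeared on Atlanta's machines. The audit-log line format, the sample lines, the account names and the thresholds are all constructed for illustration.

```python
"""Flag ransomware-style mass-rename bursts in file-server audit logs.

Added example, not from the article or any vendor it quotes. Assumes a
simplified, constructed audit-log format (one event per line):
    <ISO timestamp> <user> RENAME <old_path> -> <new_path>
Thresholds, paths and account names below are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Strings the article reports in renamed file names; extend from real samples.
RANSOM_MARKERS = ("weapologize", "imsorry")

# One account renaming >= BURST_THRESHOLD files within BURST_WINDOW is a burst.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) RENAME (?P<old>\S+) -> (?P<new>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "old": m["old"],
        "new": m["new"],
    }


def has_ransom_marker(path):
    """True if the path contains one of the known ransom-note markers."""
    lower = path.lower()
    return any(marker in lower for marker in RANSOM_MARKERS)


def find_bursts(lines):
    """Return ({user: max renames in any window}, {users with marked files}).

    Only users whose densest window reaches BURST_THRESHOLD appear in the
    first dict; a sliding window over sorted timestamps finds that density.
    """
    stamps_by_user = defaultdict(list)
    marked_users = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # ignore unparseable or non-RENAME lines
        stamps_by_user[ev["user"]].append(ev["ts"])
        if has_ransom_marker(ev["new"]):
            marked_users.add(ev["user"])

    bursts = {}
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start, densest = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= BURST_THRESHOLD:
            bursts[user] = densest
    return bursts, marked_users


def alerts(lines):
    """Return sorted (user, rename_count, severity) tuples for bursting users."""
    bursts, marked = find_bursts(lines)
    return sorted(
        (user, count, "HIGH" if user in marked else "MEDIUM")
        for user, count in bursts.items()
    )


# Constructed sample log: a clerk renaming two files normally, and a
# compromised service account renaming 25 documents to the marker
# extension within 25 seconds.
_BASE = datetime(2018, 3, 22, 5, 0, 0)
SAMPLE_LOG = [
    "2018-03-22T04:55:00 jdoe RENAME /share/hr/draft.docx -> /share/hr/final.docx",
    "2018-03-22T04:56:10 jdoe RENAME /share/hr/old.xlsx -> /share/hr/archive.xlsx",
    "this line is not an audit event and is skipped",
] + [
    f"{(_BASE + timedelta(seconds=i)).isoformat()} svc_scan RENAME "
    f"/share/finance/doc{i}.docx -> /share/finance/doc{i}.docx.weapologize"
    for i in range(25)
]

if __name__ == "__main__":
    for user, count, severity in alerts(SAMPLE_LOG):
        print(f"{severity}: {user} renamed {count} files within {BURST_WINDOW}")
```

Run against real logs, the same logic would replace the constructed `SAMPLE_LOG` with lines streamed from the file server's audit channel; the marker list catches known campaigns, while the burst threshold catches a new variant that uses a different extension.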
The ransom note demanded about $6,800 worth of bitcoin per computer, or roughly $51,000 to unlock all of them. The city opted not to pay, but in just the first month of recovery, Atlanta spent nearly $3 million, according to the city's Department of Procurement.
The costs of a cyberattack are continuous once replacement, rebuilds and third-party partnerships are accounted for, and disaster recovery can annihilate budgets. Recovery costs are mounting, and recovery will "take time and considerable funding, most of it unbudgeted," said Kothari.
In the budget meeting in June, Rackley said her department needed an additional $9.5 million, though the department only saw an addition of about $3.5 million in the adopted budget. The adopted FY19 budget for AIM is about $38 million, roughly a 10% increase over both the adopted FY18 budget and the original FY19 proposal, according to public records.
The final budget was approved on June 18 and cited upgrades for Atlanta's IT security and infrastructure. Actual expenditures will be seen next year.
Where does Atlanta go from here?
Rackley said the city will have to rebuild applications in "our current reinforced environment" because of constraints on time, money and the quality of its security.
"Procuring equipment is one hurdle and to 'rip and replace' is another issue altogether," said Vecci. Government agencies have to respond to these types of incidents by finding a "contracting vehicle they can execute this kind of order on."
It's easier to rebuild an application as long as it's not "homegrown," said Duvall. However, it's really the data behind the applications that is important, which is why organizations need to be aware of attackers targeting the keys to the backups.
"It's kind of a chess game," said Duvall. Organizations want to perform regular backups, but backups alone are now insufficient. To avoid becoming the unsuspecting and random victim of ransomware, the adoption of protective measures around the backups is non-negotiable.
Follow Samantha Ann Schwartz on Twitter