Editor's note: This article has been updated to reflect new information, following a city press conference.
The city of Atlanta watched multiple online Web pages and services stop working on March 22 in a ransomware attack that began during the early morning hours and generated a response from two federal law enforcement agencies and two technology companies.
The Department of Atlanta Information Management (AIM) was made aware around 5:40 a.m. Eastern Daylight Time that “various internal and customer-facing applications” had been compromised, Atlanta’s new Chief Operating Officer Richard Cox said during a late-afternoon press conference.
The federal Department of Homeland Security, the FBI, and incident response teams from Microsoft and Cisco are working with the city and AIM to resolve the issues, Cox said.
“However, we are still evaluating the extent of the compromises,” he said.
Mayor Keisha Lance Bottoms urged residents who have done business with the city online to be cautious and monitor their personal data, including their bank accounts. But, contrary to some previously published reports, officials said the city payroll was unaffected and staffers are expected to be paid on schedule.
In a statement via Twitter, the city had earlier characterized the attack as “outages on various customer-facing applications, including some that customers may use to pay bills or access court-related information,” and said it would post updates as they become available.
Public safety, water and airport operations remain unaffected, officials said during the press conference. And while some court-related services may be unavailable, courts are expected to be open on March 23. It remains unclear when affected services will be restored.
An Atlanta Police Department representative said at the press conference that the city’s 911 system and its emergency response remain unaffected, but that out of an abundance of caution, police officers are temporarily filing incident reports on paper.
Asked whether the city would meet any demands, officials declined to comment and said they would look to federal agencies for guidance in this area.
Kennesaw State University Professor Andrew Green, who lectures on information security and assurance, told Government Technology he reviewed screengrabs of information that Atlanta NBC affiliate WXIA-TV reported it obtained from “a city employee.”
Based on that review, Green said it’s likely this attack is based on a virus from the Samas or SAMSAM family, which dates at least to 2015 and, like typical ransomware, encrypts portions of a disc.
Asked how deliberate the attack on Atlanta may have been, Green said: “At this point in time, I don’t think there’s any way to know that, at least publicly. Typically ransomware attacks in general are targets of opportunity.”
Given the number of agencies involved, however, and the extent of the city’s response — including holding a multi-departmental press conference late in the business day — Green said the attack is likely significant. Based also on information provided to him by WXIA, Green said he was able to determine the extent of the demand placed on the city.
Green said the demand was .8 bitcoins per individual system or device, or 6 bitcoins for a mass encryption key. Based on exchange rates on the morning of March 22, the professor said the latter demand equated to roughly $50,000 — but, he noted, current wisdom is to not pay the ransom.
“Current guidance is that you don’t pay, that you simply rely on your internal controls and processes to get you restored back up to some levels of functionality. We’ve seen situations where either A, the promised decryption key was never delivered; or B, it was delivered and didn’t work,” Green said.
An FBI official confirmed that the Bureau is responding to the incident.
“We are aware of the situation and we are coordinating with the city of Atlanta to determine what happened,” said Kevin Rowson, a public affairs specialist in the Atlanta Field Office.
Rowson told GT the Bureau was contacted “right around lunch time here,” between 11 a.m. and 12 p.m. Eastern Daylight Time. He declined to comment on the amount and nature of the ransom demand.
A representative of the Atlanta mayor's office declined to respond when asked to discuss the attack, indicating that her own computer terminal was currently down.
Atlanta Director of Communications Anne Torres did not respond to a request for comment.