For the past five days, a mysterious group has been holding the city of Atlanta for ransom as federal authorities fight a computer attack that has crippled the city. Federal, local and state authorities are frantically trying to find a solution. More importantly, in the spirit of transparency, the city unwittingly committed a tactical blunder that may have erased any chance of fixing anything.
On Thursday, Atlanta Mayor Keisha Bottoms held a press conference announcing that the city’s computer network was the victim of a ransomware attack. The attack crippled the municipality’s computers and compromised systems used internally by city employees, as well as customer-facing applications used by vendors and ordinary citizens.
The city could not process court cases or warrants. Police officers had to write reports by hand. Jails were operating on pen and paper. The city could not take payments for traffic tickets. Everyone who had done business with the city was at risk. It was a mess.
New city Chief Operating Officer Richard Cox explained that the city was coordinating an effort to solve the crisis with the Department of Homeland Security, Microsoft, Cisco and a number of other organizations. The city eventually announced that the people who seemingly initiated the attack were demanding six bitcoins (about $51,000) to make it go away.
The hijackers informed the city that it had until Wednesday to pay the ransom or they would wipe the city’s computers clean. Although officials didn’t name the person or people responsible, it was clear who was behind this:
It was SamSam.
What is SamSam?
Think of a computer as your house. Now imagine that someone sneaked into your house, changed all the locks, left and refused to give you the combination unless you paid them for the house you owned. If that seems terrible, imagine if the home invaders started counting to 10 and told you that your house would burn to the ground unless you paid them before they finished counting.
That’s what SamSam ransomware does.
Just like your house, no computer is 100 percent secure. In 2015 a group of hackers began exploiting vulnerabilities in computer servers and loading them with ransomware, malicious software that encrypts data. The malware essentially climbs in through unlocked windows or unmonitored holes on computer servers and encrypts the data with strong encryption that cannot be broken without the attackers’ key.
Sometimes the hackers exploit users’ names and passwords to gain access. Other times they gain control by repeatedly attacking known weaknesses that aren’t monitored around the clock.
In most SamSam attacks, a countdown clock appears on a screen, along with a message informing the users of the compromised system that their computers have been locked down. The message gives details on how to pay the ransom (usually in bitcoins) and threatens to erase all the data unless the ransom is paid in full.
Does this ever work?
Although the SamSam scheme has been operational since 2016, it mostly targeted single computer users, encrypting their hard drives and demanding payments in bitcoins. Security patches and monitoring software began preventing widespread attacks, but new variants of the malicious code have ushered in a resurgence in 2018.
In May 2017, Erie County Medical Center in Buffalo, N.Y., had to wipe 6,000 computers clean because of a cyberattack. The hospital didn’t pay the $30,000 ransom, instead opting to pay $10 million in recovery costs. In January an Indiana hospital was hit with an attack that forced it into paying a ransom of about $50,000. The Colorado Department of Transportation was hit twice this year, refusing to pay the ransom both times.
CSO reports that the group responsible for SamSam malware has made $850,000 from ransomware attacks.
So what’s up with Atlanta?
As of Monday, Atlanta apparently hasn’t decided whether it will pay the ransom. But make no mistake—Atlanta residents are still paying for the ransomware attack. Mayor Bottoms says that investigators know who is responsible for the attack, but they haven’t made the information public.
Why would the city not simply pay the ransom? Why won’t they say who did it? Well, aside from the federal government’s strict rules against paying ransoms, it may have something to do with a blunder made by the city.
Apparently, in reporting the ransomware, the city provided media with a screenshot of one of the infected computers. The screenshot included the bitcoin wallet address the attackers wanted the ransom sent to, and savvy online sleuths noticed that it was similar to the address used by the group that executed the Colorado Department of Transportation attack.
As the screenshot spread around the internet, people began asking questions of the group, and the attackers took down the payment portal linked to the bitcoin wallet. As of now, unless the city has been contacted again, there might not even be a way to pay the ransom by the Wednesday deadline even if the city wants to pay the hijackers.
“We are a resilient city and we will get on the other side of this,” Bottoms said during a Monday press conference. “This is bigger than a ransomware attack; it’s an attack on government and therefore an attack on all of us.”
The city is still recovering from the attack, trying to get systems up and running. Officials are trying to update systems with data stored in the cloud and from backups not affected by the attackers. The city can’t yet validate warrants for people who haven’t shown up to court, and employees have been told to unplug their computers if they notice anything suspicious.