Lessons from the Atlanta hack: Ransomware, bitcoin and denial

It can’t happen in my city?

On March 22, 2018, the government of Atlanta came under attack. A hacker broke into the city’s computer network and encrypted government files, locking down crucial city services until a bitcoin ransom was paid. CNN reported the ransom was $51,000 — but the Atlanta hack cost a whole lot more than a bit of digital currency.

Six days later, Atlanta was just coming back online.

Reuters reports that it was the most costly ransomware attack to ever hit an American city. But the technology industry knows a deeper truth — this is only the beginning.

What happened during the Atlanta hack

“Winston Churchill once said, ‘Success is walking from failure to failure with no loss of enthusiasm.’ By his definition, government has been extremely successful in stopping ransomware attacks.”
~ Morgan Wright, The Hill

PR spin aside, the Atlanta hack was a disaster. By the end of March, city officials were still making paper reports while trying to recreate documents on personal laptops.

The full extent of damage caused by the Atlanta hack isn’t understood because city officials circled the wagons over their big and costly mistake. As Reuters reported: “City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department.”

We do know that a number of services were negatively affected, from police files to financial information. The City Auditor said her files were just “gone,” and the Atlanta police department reverted to written case files. Municipal (not criminal) court cases were canceled, and residents couldn’t pay their utility bills or parking tickets online, according to CNN. City employees were also told to contact credit agencies and watch their bank accounts for fraudulent activity.

By the end of March, files were still being rebuilt and forms handwritten. At the time of this writing, Atlanta was working with the FBI and the Department of Homeland Security to figure out its next move.

The Atlanta hack and coal-mine canaries

If Atlanta were a mine, the canaries would have died in their cages about nine months before the Atlanta hack. That’s when an external security monitoring service noted that one of the Atlanta City Council servers had connected with a blacklisted IP address associated with ransomware.

“I just want to make the point that this is much bigger than a ransomware attack. This is really an attack on our government, which means it’s an attack on all of us.”
~ Atlanta Mayor Keisha Lance Bottoms, on CNN

WSB-TV 2 broke the story just seven days after SamSam ransomware locked down City Hall. Whether that potentially infected server spread the virus remains to be seen. City officials have certainly avoided admitting culpability in the Atlanta hack — which will surely cost taxpayers big bucks in lost efficiency, data recovery and improved network security.

But if cities like Atlanta were paying attention to the rest of the world, the red flags were large and visibly flapping for years.

From WannaCry to SamSam to … (hackers, fill in the blank)

Question: What’s the best way to make money right now if you’re a hacker?

Answer: Ransomware.

Ransomware — which was used in the Atlanta hack — is malicious software (malware) that locks a computer and prevents access until a fee is paid to the hacker. This fee is usually payable in Bitcoin, a form of cryptocurrency. Hackers have been gradually upping the size and scope of their ransomware targets, from consumers to small businesses and enterprise organizations — and now to crucial infrastructure like hospitals and city governments.

Cybersecurity experts have been discussing ransomware for years. Krebs on Security suggests that the next level of malware is actually RaaS, or ransomware-as-a-service. Today, for about $400, anyone can buy cybercrime software designed to infect computers, complete with a Google map allowing the hacker to track the spread of the virus.

The rest of the world suddenly got hip to ransomware in May 2017 when the WannaCry virus leeched onto more than 200,000 computers in 150 countries. The attack took down banks in Spain, hospitals in the UK, telecom providers — and a whole lot more. Suddenly ransomware was being discussed on the nightly news in the U.S.

“According to a new report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks.”
~ Krebs on Security

Here’s how widespread this problem has grown:

  • PYMNTS.com estimated that if everyone paid the ransom that year, hackers would have made around $60 million.
  • In one year (2016 to 2017), reported incidents of ransomware increased by 90 percent.
  • In 2017, ransomware attacks cost $5 billion in cleanup fees and lost productivity.

According to Wired, the SamSam malware alone has netted hackers hundreds of thousands of dollars every year since it was identified in 2015 — well before the Atlanta hack made the news. But tech geeks suggest that the money rolling in from ransomware is much, much higher. Why?

Say your organization is a global financial behemoth, entrusted with the assets of big-name clients. If a ransomware breach occurs, how likely is it that a PR nightmare would ensue? Wouldn’t it make more sense, from a PR perspective, to just pay up, unlock the computers, and then conduct business as usual?

Of course, this is just conjecture.

However, the FBI sent out a warning in 2016 urging ransomware victims to report these infections as crimes. One would assume the FBI realized that enterprise organizations would simply not want the public to know how vulnerable their data really is to a cyber breach.

The Atlanta hack as an early warning

There’s a reason hackers are targeting infrastructures like hospitals and city government — they’re easy targets and they pay up. But is anyone in government paying attention to what happened in Atlanta?

Morgan Wright wrote a scathing indictment of our failure to protect critical infrastructures after the Atlanta hack. Wright reported 184 ransomware attacks against safety agencies such as our 911 systems in the last two years. He writes:

“Ransomware isn’t half as destructive as the denial exhibited by government officials in the face of this electronic onslaught. The bill for ignorance and short-sightedness has come due, and it’s payable only in bitcoin.”

Given that ransomware is lucrative and evolving, Wright’s warning is both timely and accurate. The question is — is anyone listening?

Robin Walters
Robin Walters is a seasoned but not too salty full stack marketing nerd. She likes long walks on the beach with her five dogs, but she’s landlocked in the Midwest. By day, Robin is an IT recruiter for a software firm. At night and on weekends she writes a crap load of copy. Robin lives on a farm with her partner of 25 years. It’s a good life and she’s happy to still be in it.