Looks like SamSam, experts say

A cyber-attack in Atlanta last week has caused a “massive inconvenience to the city”, according to the mayor of the state capital, who spent the weekend fighting the breach that affected a number of services run by her office.

Mayor Keisha Lance Bottoms has been working with the FBI and the Department of Homeland Security after a piece of ransomware hit the city’s servers early on Thursday morning, causing disruption to websites used to pay bills and those related to issuing warrants.

Some data located on the city’s system was also encrypted, with attackers demanding $51,000 in bitcoin to unlock the entire system, as reported by 11Alive.

In a press conference on Friday, Bottoms stated that there was no evidence that citizen or employee data had been compromised, contrary to initial fears, while maintaining that people should continue to keep a watchful eye on their financial transactions.

She added: “What we know is that someone is in our system and that there is a weakness there. It is absolutely not what we wanted to have happen in the city of Atlanta. But to the extent that there are changes and upgrades that we need to make to our system, we need to do it now.”

Bottoms would not say whether the city would pay the ransom and, as of today, officials remain unsure of who is behind the attack, which came in the midst of major public events being held across the city, such as March Madness basketball.

The FBI, unlikely to advocate paying any sort of ransom, will now be looking for a sample of the malicious software in order to determine whether it has been used in a previous attack. This would allow investigators to attribute responsibility and determine ways to stop the assailants.

Some experts believe that SamSam ransomware may have been used on Atlanta city’s servers due to the language used in the attack message and the likelihood of dated software, which the strain is known for exploiting.

SamSam is run by a known group that has purportedly collected approximately $850,000 in ransom payments since its attacks began, from at least 2016, with the healthcare sector a particular target.

An attack with SamSam ransomware in February saw 2,000 computers belonging to the Department of Transportation (DOT) in Colorado shut down for about a week until the FBI was able to restore its systems. A second attack occurred not long after and the DOT continues to recover.

Numerous networks in Atlanta were taken down as a precaution, including the free public WiFi at Hartsfield-Jackson Atlanta International Airport – one of the world’s busiest airports. A Hartsfield representative told The Daily Swig that airport operations are otherwise running as normal.

The investigation continues as the cyber-attack enters its fifth day, with some services being completed over the phone and on paper.