In the spring of 2018, cybercriminals compromised several computer networks at Atlanta City Hall and launched a ransomware attack. From there, they locked the city out of a wide range of online platforms, municipal operations and databases, and demanded a significant ransom in exchange for restoration. The city of Atlanta refused to reward the attackers and did not pay. As a result, recovery from the attack took several months, disrupting various government services for extended periods and causing millions of dollars in damage.
This incident has become known as one of the costliest cyber attacks ever to affect a local government, showing how serious the ransomware threat is. In hindsight, there are a variety of cybersecurity lessons that organizations can learn by examining the details of this incident, its impact, and the mistakes the city of Atlanta made along the way. Here's what your organization needs to know.
Details of City of Atlanta Ransomware Attack
On March 22, 2018, cybercriminals used brute-force techniques to access multiple networks connected to Atlanta City Hall. Rather than manipulating employees into disclosing their login details, these techniques rely on automated password guessing to obtain valid credentials. After gaining access to government networks, the attackers launched a form of malware known as SamSam ransomware.
The attack jeopardized critical technology and information in Atlanta and disrupted important municipal functions across several city departments. In particular, the incident took down online payment programs for various services (e.g., utilities, traffic tickets and business licenses or renewals) and a number of law enforcement processes, including the issuance of warrants, processing procedures and the payment of court fees. In addition, the Atlanta police lost access to virtually all of their archived in-vehicle video footage and temporarily had to resort to writing incident reports by hand.
As part of the ransomware attack, the cybercriminals demanded payment of over $50,000 in bitcoin before they would restore any technology or information to the Atlanta government. However, the city refused to comply; government officials did not want to reward the attackers' behavior with payment, nor were they convinced that paying would actually result in restoration.
By not paying the ransom, the city had to recover from the attack on its own over the following days, weeks and months. It took the Atlanta government five days to regain access to critical technology. To prevent further cyber-related damage, the city kept the Wi-Fi at Hartsfield-Jackson Atlanta International Airport switched off for 10 days after the incident, until April 2. The government could not restore its online payment programs until May, and local law enforcement could not fully resume digital operations until June.
The Impact of the City of Atlanta Ransomware Attack
Following this large-scale ransomware attack, the Atlanta government faced many consequences, including the following:
First, the incident disrupted many important functions within the Atlanta government, in particular payment platforms and law enforcement services. Although the city was fortunate enough to retain control of emergency services (such as 911 dispatch) and essential community services (such as water and electricity) during the attack, the disrupted municipal services still caused problems for both government employees and Atlanta residents. What's worse, many of these outages continued for extended periods as the city recovered from the incident, compounding the concern. While the Atlanta government made the right decision not to pay the ransom, it is important to note that declining to pay can often lead to a lengthy recovery process.
Second, the cost of recovering from such an attack can be severe. In total, the incident is estimated to have cost the city and its taxpayers almost $17 million. Breaking down these recovery costs, the Atlanta government spent about $6 million on its initial response to the attack. This amount covered emergency contracts to help restore compromised technology; hiring a forensic team to investigate the incident further; consulting crisis communication specialists; and implementing necessary security upgrades. The remaining $11 million went to repairing or replacing damaged government systems and devices, including desktops, laptops and smart devices. In addition, some information in the law enforcement databases was permanently destroyed during the attack, an irreparable loss.
Finally, the Atlanta government faced extensive scrutiny of its outdated cyber infrastructure after the incident. Some IT experts blamed the city's security shortcomings for contributing to the severity of the attack. In fact, an audit conducted just two months before the incident had identified between 1,500 and 2,000 vulnerabilities across the Atlanta government's digital operations and technologies, indicating that the city had become complacent about cybersecurity.
Lessons from the City of Atlanta Ransomware Attack
There are several cybersecurity takeaways from the City of Atlanta ransomware attack. Specifically, the event emphasized these important lessons:
Effective access controls are critical. Since this incident originally stemmed from brute-force methods, it is important to understand how to defend against such tactics. Specifically, if the Atlanta government had enforced stricter employee access controls at the time of the attack, the cybercriminals could have been stopped before they infiltrated government networks and launched the ransomware. After all, it is much harder for attackers to crack passwords and gain network access when employee credentials are protected by strict security protocols. Valuable access control tactics include the following:
- Instruct employees to create complex, unique passwords for their accounts and to change these passwords on a routine schedule
- Implement multi-factor authentication that requires employees to verify their identity in several ways (e.g., entering a password and answering a security question)
- Restrict employees' digital access to only the technology, networks and data they need to perform their tasks
- Segment workplace networks so that a single compromised set of employee credentials does not expose every network
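As an added example (not from the original article or from the City of Atlanta), here is a small Python detector that applies this lesson to constructed sshd-style authentication logs: it flags a source that repeatedly fails against one account inside a short sliding window, and marks the burst as a likely cracked credential when a successful login follows it. The log lines, addresses, usernames and thresholds are all constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log (sample data, not from the Atlanta incident).
SAMPLE_LOG = """\
2018-03-22T02:14:01 sshd[811]: Failed password for clerk01 from 203.0.113.7 port 50112 ssh2
2018-03-22T02:14:03 sshd[811]: Failed password for clerk01 from 203.0.113.7 port 50113 ssh2
2018-03-22T02:14:05 sshd[811]: Failed password for clerk01 from 203.0.113.7 port 50114 ssh2
2018-03-22T02:14:07 sshd[811]: Failed password for clerk01 from 203.0.113.7 port 50115 ssh2
2018-03-22T02:14:09 sshd[811]: Failed password for clerk01 from 203.0.113.7 port 50116 ssh2
2018-03-22T02:14:20 sshd[813]: Accepted password for clerk01 from 203.0.113.7 port 50121 ssh2
2018-03-22T02:30:00 sshd[900]: Failed password for jdoe from 198.51.100.4 port 40000 ssh2
2018-03-22T02:30:40 sshd[901]: Accepted password for jdoe from 198.51.100.4 port 40001 ssh2
2018-03-22T03:00:00 sshd[950]: Failed password for admin from 192.0.2.9 port 3000 ssh2
2018-03-22T03:10:00 sshd[951]: Failed password for admin from 192.0.2.9 port 3001 ssh2
2018-03-22T03:20:00 sshd[952]: Failed password for admin from 192.0.2.9 port 3002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (src, user) pairs with >= threshold failures inside a sliding
    window. Returns {(src, user): (peak_failures, guessed_in)} where
    guessed_in is True when an Accepted login follows the failure burst."""
    fails = defaultdict(deque)  # (src, user) -> failure timestamps in window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            q = fails[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                peak = max(alerts.get(key, (0, False))[0], len(q))
                alerts[key] = (peak, alerts.get(key, (0, False))[1])
        elif key in alerts:  # success after a burst: likely a cracked credential
            alerts[key] = (alerts[key][0], True)
    return alerts
```

A single user mistyping a password, or slow attempts spread far apart (the `admin` lines), stay below the window threshold, while a fast burst followed by a success is exactly the pattern that warrants lockout and MFA enforcement.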
Security software is worth it.
In addition to proper access controls, a range of security software could have helped the Atlanta government detect, mitigate and possibly prevent this attack. While such software may seem like an expensive investment, it is well worth it to avoid a devastating cyber incident. Key security tools to consider include network monitoring systems, data backup and encryption, antivirus software, endpoint detection products and patch management tools. This software should be deployed on all workplace technology and updated regularly.
Incident response plans are essential.
If the city had been prepared to respond to this incident, the recovery process could probably have been much faster and therefore much cheaper than it was. Instead, the Atlanta government took several months to fully recover, which ultimately prolonged the disruption and drove up the overall cost of the attack. Such extended recovery times emphasize the importance of having an effective incident response plan. This type of plan helps an organization establish rapid response protocols for remaining operational and mitigating losses in the event of a cyber incident. A successful incident response plan should describe potential cyberattack scenarios, the methods for maintaining key functions under each scenario and the people responsible for doing so. It should be routinely exercised through activities such as penetration tests and tabletop exercises to confirm it is effective and to identify remaining security gaps. Based on the results of these activities, the plan should be adjusted as needed.
Proper coverage can provide vital protection.
Finally, this attack made it clear that no organization, not even a local government, is immune to cyberattacks and the losses that follow. What's more, these events are increasing in both cost and frequency. That is why it is crucial to protect against cyber-related losses by securing proper coverage. Make sure your organization works with a reliable insurance professional when navigating these coverage decisions.
We can help you.
In the unfortunate event that your company falls victim to a cyber attack of any kind, we can help you recover.
Cyber and data breach insurance evolves daily as new threats emerge and new insurers enter the market.
Regardless of the type of business, one thing is certain: if you are operating a company today, you face cyber risks. That means you need to thoroughly understand your risk of loss, how you would react if a loss occurred and whether Cyber & Data Breach Liability coverage makes sense for you.
The level of coverage your company needs depends on your individual business and may vary with your range of exposures. It is important to work with an insurance advisor who can identify your risk areas and tailor a policy to your unique situation.
If you want additional information and resources, we will help you analyze your needs and make the right coverage decisions to protect your business from unnecessary risk. You can download a free copy of our e-book, or, if you are ready to make Cyber Liability Insurance part of your insurance portfolio, request a proposal and we will get to work for you.