Atlanta City Hall recovering from ransomware lockdown, mum on what happened
City Hall, by Kelly Jordan
By Maggie Lee
Dozens of city elected officials and top staff lined up with Atlanta Mayor Keisha Lance Bottoms a week ago, as she stepped out of her office. She told the waiting mass of reporters and TV news cameras that it’ll be a marathon, not a sprint, to recover from a cyberattack that’s shut down some city online services and locked staff away from their files.
“We are dealing with a hostage situation. Just as we wouldn’t give away too much information if there were a physical hostage, we do have to be careful as we speak about timelines. But I can tell you we are working around the clock, we are asking the public to be patient,” Bottoms said at the time.
What’s being held ransom by one or more cyberattackers is the city’s ability to operate all its computer systems. A week ago, some city bill-pay websites were shut down, cops were writing reports by hand, some municipal court operations came to a halt and city staff couldn’t access some of their own documents. The city has yet to recover.
City Councilman Howard Shook told the New Yorker that 16 years of his official information was gone: emails, contacts, files.
Bottoms said the city is working with public and private partners including companies, Georgia Tech and federal agencies to get the city back in IT-working order. She said there’s a lot that needs to be done with the city’s digital infrastructure and the ransomware attack has sped that up.
Asked if the city would pay the ransom, Bottoms said that nothing is off the table.
The reported ransom demand of $51,000 for a city with $170 million in reserves is like a hacker holding a family’s data hostage for the price of a lunch, according to Chris M. Roberts, an analyst at Georgia Tech’s Institute for Information Security and Privacy. In a post on a Georgia Tech website, he asked whether the city should have just paid up and gotten back to work. In either case, he said, nothing is stopping another attack until the vulnerabilities are patched.
But he wrote that maybe the city should be thanking the hackers for forcing an investment in IT security.
“A different style of cyberattack could have cost you much more money. Maybe now you will be able to prevent those kinds of attacks. For the time being, it looks like potholes will remain,” he wrote.
As far back as 2015, the city has been working on getting certified as measuring up to best practices in information security. At the city’s request, a company recently looked over the work to see if Atlanta was ready to be certified as measuring up to standards.
But auditors found numerous gaps that would have prevented the city from passing a certification audit, according to a January 2018 report.
The city was missing things like documentation, instead relying on employees’ institutional knowledge to configure systems. Auditors found almost 100 servers running versions of Windows 2003 software, which has been declared obsolete.
Gaps in processing and reporting could allow security issues to go undetected or untreated for periods of time that would pose an increased inherent risk level to the city, auditors wrote.
The city signed on to a to-do list 23 items long that would stretch through 2018 and 2019 to finish.
The AJC reports it has received leaked emails that appear to reveal months-old warnings of vulnerability to cybercrooks.
Atlanta City Council President Felicia Moore said last week that council members had been briefed by Bottoms’ office, but said that the executive branch is handling the day-to-day operations of the city, which includes response to the cyberattack. She referred most questions there.
“I think Council is working cooperatively with the executive branch, even in easing back and making sure that they have the time to deal with the issue,” said Moore. “I believe Council stands ready … to do whatever we need to do to help move forward any initiatives that we need to deal with this situation.”
By Friday, the city announced some more steps toward recovery, like beginning to accept payments for water and sewer bills and business licenses in person at City Hall. The city is posting updates on a special website.
But it looks like Bottoms’ office is done answering questions.
On Thursday, in response to an email question about any ransom payment deadline, a Bottoms spokesperson wrote that they will not be commenting further on the cyberattack.
Here’s the statement from the mayor’s office in full:
“Above all else, the City has a responsibility to secure and protect our system’s infrastructure and the residents we serve. Following the advice of our federal partners and security experts, we will not be commenting further on the cyberattack. We continue to take a critical look at our systems and processes in order to ensure that we have the ability to continue serving our residents.
City services including Public Safety (Atlanta Police Department, Atlanta Fire Rescue Department, Department of Corrections, 911), Water Services Operations, Public Works and the Airport continue to operate without interruption. However, it’s important to understand that our overall operations have been significantly impacted and it will take some time to work through and rebuild our systems and infrastructure. We appreciate your patience and support through this challenge and we are grateful that the City of Atlanta and its people are resilient and will use this event as an opportunity to invest in and build a stronger, safer digital City.”