So far, Atlanta's ransomware costs top $2.6 million
Atlanta has spent $2.6 million recovering from a ransomware attack that demanded a roughly $51,000 payment.
The March 22 attack encrypted data across computers in Atlanta's city government offices, affecting various internal and customer-facing applications, including those in the Police Department, Watershed Management, Procurement, City Planning, Public Works, Human Resources, ATL311, the Municipal Courts, Correction and Parks and Recreation.
Atlanta's procurement website showed that, as of April 24, the city's Information Management Agency, the Municipal Courts and the Department of Law had paid $2.6 million to eight vendors. SecureWorks received $650,000 for emergency incident response services; the city paid $730,000 to Fyrsoft for Microsoft cloud, Active Directory and Windows 10 support; and $600,000 went to Ernst and Young for advisory services related to cyber incident response.
And while a $2.6 million bill is enough to make any CIO queasy, it's not an exorbitant amount, according to Chris Duvall, senior director of the Chertoff Group, which specializes in risk management. The city probably had to pay not just for remediation, but also insurance claims, privacy monitoring and missed services, he told Wired. Overtime, crisis communications, legal consulting and lost productivity will have added to the bill.
The ransom was never paid, Atlanta city spokesperson Michael Smith confirmed to ZDNet in an email. Had it paid the ransom, it would likely never have discovered how the attackers got in and moved through agency networks, a chief information security officer told the news site.
That stand will likely help the city bolster its overall cybersecurity posture, and the remediation costs will likely move cybersecurity -- including zero-trust policies, segmented networks, ongoing maintenance, secure storage and patch management -- to the top of the agenda in future city business meetings.
"The ROI is clear, consider the costs and material loss of your company going down for a day, versus shifting priorities to give your engineers more time to manage patches properly," Yonathan Klijnsma, a threat researcher with digital threat management firm RiskIQ, said after the attack. "It's not a good time to roll the dice."
As bad as the attack was, the city's cloud-first strategy may have mitigated some of its effects, interim CIO Daphne Rackley said in a press conference shortly after the attack. She said the city had been migrating some of its major systems to the cloud to increase their security.
But even cloud-based systems need backup. Organizations that "leverage cloud services without backup are especially vulnerable, since they often replace redundant infrastructure, portals or data storage," said John Hodges, VP of product strategy at software vendor AvePoint.
"This underscores the need to understand the data you hold to avoid redundant storage," Hodges said. "Keeping the business going is now a matter of rollback (loss of a small amount of work), or a minor inconvenience (redirecting to a new system) and not a catastrophic loss of access, as it was in this case."