Atlanta strategizes on how to recover from cyberattack

After hackers scrambled Atlanta's municipal records with a computer virus, the city has been working to continue operations while also debating whether or not to cooperate with the demands of cyber aggressors. 

John Spink/Atlanta Journal-Constitution/AP
Linda Crossland offers directions to a visitor of City Hall on March 23, 2018 in Atlanta. On that morning, city government employees were handed instructions not to turn on their computers or log on to their work stations after the discovery of a widespread computer virus.

Atlanta's top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyberattack that plunged the southeastern United States metropolis into technological chaos and forced some city workers to revert to paper.

On an Easter and Passover holiday weekend, city officials labored in preparation for the workweek to come.

Police and other public servants have spent the past week trying to piece together their digital work lives, recreating audit spreadsheets and conducting business on mobile phones in response to one of the most devastating "ransomware" virus attacks to hit an American city.

Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists attacked Atlanta's computer network with a virus that scrambled data and still prevents access to critical systems.

"It’s extraordinarily frustrating," said Councilman Howard Shook, whose office lost 16 years of digital records.

One compromised city computer seen by Reuters showed multiple corrupted documents with "weapologize" and "imsorry" added to file names.

Ransomware attacks have surged in recent years as cyber extortionists moved from attacking individual computers to large organizations, including businesses, healthcare organizations, and government agencies. Previous high-profile attacks have shut down factories, prompted hospitals to turn away patients, and forced local emergency dispatch systems to move to manual operations.

Ransomware typically corrupts data and does not steal it. The city of Atlanta has said it does not believe private residents' information is in the hands of hackers, but they do not know for sure.

City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department.

Nearly 6 million people live in the Atlanta metropolitan area. The Georgia city itself is home to more than 450,000 people, according to the latest data from the US Census Bureau.

City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files.

"Everything on my hard drive is gone," City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.

City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.

Ms. Noble discovered the disarray on March 22 when she turned on her computer to discover that files could not be opened after being encrypted by a powerful computer virus known as SamSam that renamed them with gibberish.

"I said, 'This is wrong,' " she recalled.

City officials then quickly entered her office and told her to shut down the computer before warning the rest of the building.

Noble is working on a personal laptop and using her smartphone to search for details of current projects mentioned in emails stored on that device.

Not all computers were compromised. Ten of 18 machines in the auditing office were not affected, Noble said.

Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.

"Our data management teams are working diligently to restore normal operations and functionalities to these systems and hope to be back online in the very near future," he said. By the weekend, he added, officers were returning to digital police reports.

Meanwhile, some city employees complained they have been left in the dark, unsure when it is safe to turn on their computers.

"We don't know anything," said one frustrated employee as she left for a lunch break on Friday.

Like City Hall, whose 1930 neo-Gothic structure is attached to a massive modern wing, the city’s computer system is a combination of old and new.

"One of the reasons why municipalities are vulnerable is we just have so many different systems," Noble said.

The city published results from a recent cyber-security audit in January, and had started implementing its recommendations before the ransomware virus hit. The audit called for better record-keeping and hiring more technology workers.

Councilman Shook said he is worried about how much the recovery will cost the city, but that he supports funding a cyber-security overhaul to counter future attacks.

For now his staff are temporarily sharing one aging laptop.

"Things are very slow," he said. "It was a very surreal experience to be shut down like that."

Mayor Keisha Lance Bottoms, who took office in January, has declined to say if the city paid the ransom ahead of a March 28 deadline mentioned in an extortion note whose image was released by a local television station.

Mr. Shook, who chairs the city council's finance subcommittee, said he did not know whether the city is negotiating with the hackers, but that it appears no ransom has been paid to date.

The FBI, which is helping Atlanta respond, typically discourages ransomware victims from paying up.

FBI officials could not immediately be reached for comment. A Department of Homeland Security spokesman confirmed the agency is helping Atlanta respond to the attack, but declined to comment further.

Hackers typically walk away when ransoms are not paid, said Mark Weatherford, a former senior DHS cyber official.

Mr. Weatherford, who previously served as California's chief information security officer, said the situation might have been resolved with little pain if the city had quickly made that payment.

"The longer it goes, the worse it gets," he said. "This could turn out to be really bad if they never get their data back." 

This story was reported by Reuters. 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Atlanta strategizes on how to recover from cyberattack
Read this article in
QR Code to Subscription page
Start your subscription today