With recovery costs reaching nearly $2.7M, should Atlanta have paid the ransomware demand?
Following Atlanta's ransomware attack last month, the city disclosed it has paid just under $2.7 million in recovery costs from March 22 to April 2, according to Atlanta's Department of Procurement. The unpaid ransom demanded $51,000 to unlock Atlanta's technical infrastructure, making recovery costs more than 50 times the ransom.
To recover services, the majority of funds were disbursed to two city departments. For example, $650,000 was paid to SecureWorks for its emergency incident response services on March 26 for Atlanta's Information Management agency. And Atlanta's Municipal Courts paid Fyrsoft $730,000 on March 29 for Microsoft cloud, client stack design and build; pro services for Azure Active Directory; and Windows 10 services.
The portal to communicate with the hacker group behind the attack, SamSam, was shut down, hindering the ability to pay the ransom, reports CSO. But the SamSam group has a "seven-day policy" for when a ransom should be paid. It is unknown if the city considered paying the ransom, which was left unpaid, before the portal closed.
In the end, Atlanta paid far more than the cost of the $51,000 ransom. But even if it had paid — which is seldom recommended — there is no guarantee there would not have been residual costs or damages.
Since the ransomware attack, city officials started working with the FBI, Department of Homeland Security and companies in the private sector, including Microsoft and Cisco.
Often opportunistic with minimal risk for the hacker, ransomware attacks are becoming more prevalent. Of all malware attacks, 56% are ransomware attacks, according to Verizon's 2018 Data Breach Investigations Report.
The SamSam group effectively turned Atlanta's technical infrastructure on its head, leaving city council employees to share "a single clunky personal laptop" while they worked to recreate audit spreadsheets.
SamSam is known for targeting entities that "cannot afford the down time" and Atlanta is no exception. The group is also known for proposing affordable ransoms compared to the overall value and assets of its targets.
However, because ransomware attacks are growing in frequency, it is not uncommon for large organizations to have a reserve fund to pay a ransom when they can't afford to be locked out of their systems for a substantial amount of time.
- Atlanta Department of Procurement Awarded Emergency Procurements
- CSO SamSam group deletes Atlanta's contact portal after the address goes public
Follow Samantha Ann Schwartz on Twitter