Content, Breach, Ransomware

Ransomware Cripples Atlanta Network; Hackers Demand $50K to Decrypt

Cyber extortionists on Thursday morning took down parts of the City of Atlanta’s network infrastructure, hijacking some applications that customers use to pay bills or access court-related information.

The kidnappers sent this ransom note: (via the local CBS outlet)

Send .8 bitcoins for each affected PC or six bitcoins to receive ALL private keys for ALL affected PCs.

After sending .8 bitcoins, leave a comment on our site with this detail: Just write your "host name" in your comment. your host name is COU-Pc0BY047.

We will reply to your comment with a decryption software. You should run it on your affected PC and all encrypted files will be recovered. Our site address: http://jcmi5nc3mvgtyt5.onion/nonpentetrable/.

Six bitcoins are valued at about $52,000 on the open market.

City officials subsequently posted this on Twitter:

“The City of Atlanta is currently experiencing outages on various customer-facing applications, including some that customers may use to pay bills or access court-related information. Our @ATL_AIM team is working diligently with support from Microsoft to resolve this issue. remains accessible. We will post any updates as we receive them. Thank you for your patience.”

Cisco's incident response teams are also involved in the investigation, officials said.

The Atlanta Municipal Court sent out a similar message. Atlanta’s public safety offices, water services and the police and fire department's computer systems have not been infected with the ransomware, officials said. City employees were told Friday morning as they came to work not to turn on their computers until the municipal IT team gave the all clear. As of Friday afternoon, Atlanta officials hadn’t said if they plan to pay the ransom.

“We can’t speak to that right now,” Atlanta Mayor Keisha Lance Bottoms said. “We will be looking for guidance, specifically from our federal partners.” The FBI, the Department of Homeland Security and the Secret Service have been contacted.

Bottoms advised employees at a news conference Thursday afternoon to monitor their bank accounts because city officials don’t yet know for sure how deep the breach has reached (via the Atlanta Journal-Constitution). "Let's just assume that if your personal information is housed by the City of Atlanta, whether it be because you are a customer who goes online and pays your bills or any employee or even a retiree, we don't know the extent, so we just ask that you be vigilant," Bottoms said.

Even though the attack hadn’t spread beyond Atlanta’s municipal offices, officials at Atlanta’s Hartsfield-Jackson airport took its network offline as a precautionary measure, the AJC reported.

As of Friday afternoon, the city was still working on mitigating the attack and didn't know with certainty that it had ended. "What we want to make sure of is that we aren’t putting a Band-Aid on a gaping wound. We want to make sure that we take the appropriate steps," Bottoms said. “This is a massive inconvenience to the city it is not life and death,” she said. (via USA Today)

Last December, a ransomware attacker disabled the Georgia Department of Agriculture’s network for 11 days. In that incident, officials didn’t pay the ransom while IT security teams restored the systems.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.