It sounded like a scene from a horror movie.
“We are dealing with a hostage situation,” Atlanta’s Mayor Keisha Lance Bottoms told reporters last month. The hostages weren’t people, however. Instead, computer criminals were threatening to permanently delete critical data unless the city met their demand—about $50,000 in ransom, paid in bitcoin.
Instead of threatening, “Your money or your life!” the hackers were saying, “Your money or your data!”
The Details of Atlanta’s Ransomware Attack
Atlanta was partially crippled by the incident. Workers who tried to access files found only garbled data, sometimes with the sarcastic phrase “imsorry” or “weapologize” appended. Courtrooms couldn’t function. Water bills couldn’t be paid. Cops had to use pen and paper. A city council member lost 16 years of records. Even a week after the March 22 incident, many city services hadn’t fully recovered.
The Atlanta attack, reportedly the result of malicious software known as “SamSam,” is among the most high-profile ransomware incidents to date. But it’s really just the latest in a string of increasingly brazen attacks by criminals against mission-critical civic operations that can’t afford downtime.
SamSam attacks have successfully extorted more than $1 million from about 30 organizations this year, according to the New York Times.
The Impact of Ransomware Attacks
The damage ransomware inflicts can be even more expensive. In February, Colorado’s Department of Transportation computers were temporarily crippled by a cyber attack. After a month of furious efforts, the systems were mostly restored, but the agency hired more than 100 temporary staffers to help—at an estimated cost of $1.5 million.
Hackers are copycats, so when a certain kind of attack succeeds, imitators flock to the technique. The FBI received 3,000 reports of ransomware last year. And they can spread fast. Last year’s devastating WannaCry ransomware attack crippled healthcare organizations around the world, hitting the U.K. particularly hard—there, infected hospitals had to turn away ambulances at the height of the incident.
Ransomware attacks have been around for decades but rose quickly in prominence only a few years ago when hackers changed their tactics: Instead of targeting individual consumers, and their small checking accounts, they began hitting larger organizations. Criminals also lowered “prices,” making it more likely that target organizations make a business decision to meet their demands.
And criminals also began picking targets carefully. Back in 2016, the FBI issued a warning when it became clear that criminal gangs were using software like SamSam to specifically target hospitals.
Smaller government offices are a particularly rich target because they often have to maintain critical systems—like 911 centers—on slim IT and security budgets. In fact, Baltimore’s 911 system was temporarily disabled by a ransomware attack at about the same time as the Atlanta attack—one of two dozen city 911 systems targeted this year, according to security firm SecuLore Solutions.
In 2016, when ransomware attacks against state and local governments started heating up, things got so bad that the state auditor of Ohio held a press conference and pleaded with local government agencies to stop falling for them. He cited incidents where Peru Township paid $200 to recover from one attack, and county officials elsewhere paid $2,500.
Meeting Hacker’s Demands?
The FBI strongly recommends against meeting the hacker’s demands, but local governments and other organizations often don’t take that advice. Paying the ransom can be much cheaper than paying to recover from the loss of data.
At a security conference I attended recently, one expert shared this shocking piece of advice: She told me on background that she routinely tells clients to open bitcoin accounts in anticipation of a potential future ransomware attack, so the victim can act quickly to meet hackers’ demands if need be.
The math can be simple. Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to recover from a ransomware attack in 2016. But last year, Erie County Medical Center in Buffalo didn’t pay a $30,000 demand. It says recovery from the incident ultimately cost $10 million.
Atlanta has not yet said if it chose to make a ransom payment.
“If we were advising Atlanta as a client, our advice would be simple: Pay the ransom,” wrote Megan Reiss and Paul Rosenzweig on LawFareBlog. On the other hand, the writers say, it makes sense for the FBI to urge victims not to pay so the hackers aren’t encouraged to hit other cities. The macro-view and the micro-view aren’t aligned. “This episode is a prime example of a situation where what is good for the city is at odds with what is good for the federal and state governments.”
What You Can Do To Prepare For Ransomware Attacks
There are plenty of things for consumers to learn from the Atlanta incident, the Baltimore 911 incident, and other high-profile ransomware attacks.
1. It Could Happen to You
While crime rings target deep-pocketed organizations, there’s plenty of “off-the-shelf” ransomware that hackers can use to target individuals. Also, the WannaCry incident combined ransomware with a fast-spreading virus, potentially netting the hacker a big payday by demanding $300 each from victims.
The usual advice applies here: Don’t click on unexpected attachments or links, don’t insert USB drives that might be unsafe. Most importantly—be vigilant. If it can happen to Atlanta, it can happen to you.
2. Backups Are the Only True Protection
Antivirus software, security updates, and good digital hygiene (don’t click on that link!) all play a role in protecting you from ransomware. Eventually, you’ll get hacked anyway.
Plan for that ahead of time by having a strong backup routine. Ideally, that means having three copies of your life’s most critical data—everything from tax forms to family photos—and making sure at least two of those copies are in different geographic locations.
A hard drive stored in your office won’t help you if your computer and your hard drive burn in a house fire. Cloud backups like Dropbox or Box are options to ensure you can access your data and information if your computer or laptop is compromised. (Backups will also help you in the unfortunate case of a natural disaster.)
3. Not All Backups Are Equal
Several municipalities that have fallen for ransomware have found out the hard way that even with their backups in place, restoration costs were still high.
Big Fork Schools in Montana had backed up its systems just two weeks before it was hit, so it declined a demand for $2,000-$4,000 in ransom, according to NPR.
The district survived, but it was still down a week and didn’t fully restore its systems for two months. You should constantly test your backups too, and even conduct a “fire drill” once in a while, making sure you know how you’d restore your data in a crisis.
4. Don’t Leave City Service Issues until the Last Minute
Know that your town, your state, your school system is under constant attack, and it’s quite likely that your region will be hit by a ransomware incident in the future. So even if you aren’t directly a victim, you can still be a victim. Some tips to prepare yourself:
- Have a plan in mind in case 911 doesn’t work. It’s not a bad idea to keep the direct phone numbers and addresses to your closest hospital, nearest fire station, and local police department as a backup in case you need to reach them directly.
- Don’t avoid paying parking tickets or taxes until the last day, in case a computer glitch gets in the way. Renew those dog licenses and library cards with plenty of time to spare, just in case.
- Pay your taxes with plenty of time to spare.