Time is running out for the city of Atlanta, which was given until Wednesday to pay off the cyberattackers who laid siege to city government data and are threatening to wipe the computers clean.
But, as Georgia Public Broadcasting’s Emily Cureton reported for NPR, even if officials authorized the six-bitcoin ransom payment — currently worth about $51,000 — to lift the wall of encryption paralyzing a number of city services, it’s not clear whether there is anywhere to send the money.
The payment portal set up by the hijackers for the infected systems, which included a countdown clock, was disabled days before the deadline after a local TV news station tweeted out an unredacted ransom note it obtained from a city employee. It contained a link to a bitcoin wallet leading directly to a group known for using SamSam ransomware.
It didn’t take long for people to begin bombarding the hackers with questions about the attack via the exposed portal, risk management company CSO reported. Initially, the hackers demanded more money before they would respond to those inquiries and later scrapped the entire contact form, saying they were taking it down because of too much spam.
While it’s possible other portals exist, city officials have not confirmed that is the case. Nor have they confirmed the identity of the hackers.
Still, the SamSam group is known for choosing targets that have weak security and high incentives to regain control of their information, and that are therefore very likely to pay. Since December 2017, it has collected nearly $850,000 in ransoms from victims in health care, education and government, according to CSO. Last month, the city of Leeds, Ala., paid ransomware hackers $12,000 to release data in a similar attack.
Researchers working for Talos, a company that is investigating SamSam, say this is the first time the group “has publicly deleted or deactivated a portal prior to the seven-day clock expiring. While it’s possible they’ve taken such actions before, reports of those incidents haven’t been shared publicly.”
An audit of Atlanta’s information technology department shows the city was warned this could happen months ago, Cureton told NPR.
“The audit found a significant level of preventable risk to the city. The auditor writes there were long-standing issues, which city employees got used to and also didn’t have the time or resources to fix. The audit concludes Atlanta had no formal processes to manage risk to its information systems.”
And a Georgia-based cybersecurity firm called Rendition Infosec on Tuesday tweeted that it had uncovered data showing a handful of city computers came under attack last year.
“We dug into our data and perhaps unsurprisingly, at least 5 of their machines were compromised in April 2017,” the company’s owner, Jake Williams, wrote.