As reported by numerous media outlets, several key municipal departments in Atlanta came under attack from ransomware on March 22. According to Kaspersky Lab's Threatpost, the Atlanta ransomware attack hit "various internal and external customer-related applications, including some that customers may use to pay bills or access court-related information." The threat actors behind the attack are demanding, according to local news station CBS46, a payout of six bitcoin (roughly $56,000) in exchange for the decryption keys. It is not known at this time whether the city intends to pay the ransom, but it has brought in the FBI and DHS to assist with the investigation and incident response.
According to the city's statements to the press, the ransomware has not affected the operation of critical infrastructure such as water and power. The systems residents use to pay for those services have been disrupted, however, which suggests that, among other monetary motives, the attackers were after residents' payment information. It is not yet known whether any personal or financial data belonging to residents or city employees has been compromised. Immediately after the attack, Atlanta residents were unable to pay their bills online, and until the ransomware is completely removed this appears likely to remain the case.
As stated in a notice obtained by the AJC, city employees have been told to stay off their computers unless explicitly authorized. In a press conference, Atlanta chief operating officer Richard Cox did not say how the attack occurred, which is understandable given that the investigation is still in its early stages. If past attacks of this kind are any guide, however, the initial compromise was likely the result of human error.
All it takes is one person falling prey to a phishing email to set in motion the chain of events we are seeing in Atlanta. With the order for city employees to stay off their machines unless authorized, I’m inclined to think that this may be exactly what happened. This is merely speculation on my end, however, and in the coming weeks, there will likely be more clarity on the situation.