Looking back on the City of Atlanta ransomware attack, a year later

One year ago today, word broke that the City of Atlanta had been hit by a ransomware attack. I won’t bore you with the details; you can find them on the Internet in lots of different places.

As it dawned on me today that we were at a milestone of sorts, I asked myself “what do we know, what do we not know, and what have we learned” about the attack and its aftermath.

The answer is:  we know a little bit about some aspects of the incident, but almost nothing about most of what happened, or what’s been done since then.

For starters, the City of Atlanta publicly divulged very little about the scope of the attack, or how much money they spent to recover.  They have also not publicly divulged what steps they have taken to lessen the possibility of an attack like this from happening in the future, nor have they publicly spoken about future budgeting for IT, security, and risk management functions.

Initially, the city set up a page on their website to keep the public informed. However, that page was short on details and was never updated after it was initially stood up. The page was taken down sometime between August 11 and December 4, 2018, according to data found here.

There were drips of information from time to time, but no coordinated effort to keep the public informed. A reporter covered a June budget meeting where Daphne Rackley, the interim CIO, asked for $9.5 million in additional department funding to aid in recovery efforts. Ms. Rackley also said at the meeting that their original estimates of the scope of the damage (20% of systems impacted, but no critical infrastructure damage) were much lower than reality. In fact, Ms. Rackley said that they were still learning of infected systems in June.

Also at the June budget meeting, the interim City Attorney said that 71 of 77 systems had been infected with the ransomware and that her office had lost a decade of legal documents.

What else do we know about the attack and its aftermath?

  • The Chief of Police confirmed that her department lost years of dashcam video footage because of the ransomware attack.
  • There were confirmed reports of emergency spending in the amount of $2.6 million in the days immediately after the attack occurred, but no official statement from the city.
  • In December 2018, the Department of Justice announced they had indicted two Iranian nationals for the ransomware attack.

What do we not know?

  • How much the City of Atlanta ultimately spent on post-attack recovery efforts.
  • If the City’s IT infrastructure is more mature and resilient today than a year ago.
  • If the City’s overall security posture has improved since the attack.

We do not know these things because the City of Atlanta chooses not to talk about any of them, at least publicly.

This is all we know, a year to the day after the ransomware attack was launched.

Now, what have we learned?

  • We have learned that the City of Atlanta is very good at not talking publicly about incidents.
  • We have had reinforced the notion that the public has a very short attention span about incidents like these.
  • We have learned that ransomware attacks are popular, lucrative, and fairly easy to stage, based on the number of subsequent attacks across the globe.
  • We have learned that even with service outages, lost data, and personal inconvenience – the City can still function and that its citizens dealt with it all.

1 thought on “Looking back on the City of Atlanta ransomware attack, a year later”

  1. Wow. $9.5 million in additional department funding to aid in recovery efforts and $2.6 million for initial incident response efforts! That’s enough to put most small- to medium-sized businesses out of business for a similar type of event.
     Also consider the amount of hell government agencies put their vendors through to demonstrate compliance with NIST 800-53 and 800-171. The city was obviously not eating their own dog food!