Slashdot Mirror


Atlanta Projected To Spend At Least $2.6 Million on Ransomware Recovery (zdnet.com)

Atlanta is setting aside more than $2.6 million on recovery efforts stemming from a ransomware attack, which crippled a sizable part of the city's online services. ZDNet reports: The city was hit by the notorious SamSam ransomware, which exploits a deserialization vulnerability in Java-based servers. The ransom was set at around $55,000 worth of bitcoin, a digital cryptocurrency that in recent weeks has wildly fluctuated in price. But the ransom was never paid, said Atlanta city spokesperson Michael Smith in an email. Between the ransomware attack and the deadline to pay, the payment portal was pulled offline by the ransomware attacker. According to newly published emergency procurement figures, the city is projected to spend as much as 50 times that amount in response to the cyberattack. Between March 22 and April 2, the city budgeted $2,667,328 in incident response, recovery, and crisis management.

17 of 100 comments

  1. Ouch by Errol backfiring · Score: 5, Insightful

    That's a lot of money to restore a backup.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Ouch by msauve · Score: 3

      More than "a backup," likely thousands of backups, with re-imaging of systems first. Plus, fixing the vulnerability and re-entering any manually processed data since the backup date. And that's assuming they have off-line backups which weren't affected by the attack.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:Ouch by bartle · Score: 2, Interesting

      A company can have a 100% backup solution and it may still be worth their while to pay the ransom. The decryption process can be applied to all machines simultaneously, bringing them back online in perhaps a few hours. Alternatively, a thorough restore from tapes fetched from Iron Mountain could take a week or two.

      Restoring from backup is a great solution for individuals, but large networks are unlikely to have a backup solution that can scale as well as a ransomware worm can. For large organizations, their money is best spent on preventing infection in the first place and mitigating it when it does occur.

    3. Re:Ouch by msauve · Score: 4, Insightful

      If you think making trite comments indicating a shallow understanding of the subject makes you clever, it doesn't.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:Ouch by Wycliffe · Score: 5, Insightful

      A company can have a 100% backup solution and it may still be worth their while to pay the ransom.

      Yes, assuming you can trust the criminal, it could possibly be cheaper but you should NEVER pay a ransom. It only opens you and everyone else up for more ransom. I would much rather see paying ransoms outlawed and the government require everyone to carry ransom insurance and then have the insurance company pay to fix the problem. The advantage of this approach would be that if the insurance company pays for the recovery it reduces the incentive to pay the ransom and hopefully ransomware disappears. If we want ransomware to disappear, we need to make sure that it's cheaper and easier to not pay a ransom than it is to pay a ransom so that no one is tempted to pay a ransom. Another alternative is to make sure that the penalty for paying the ransom is so severe that no one is tempted.

    5. Re:Ouch by rickb928 · Score: 2

      This is simple. If Americans will never, ever be ransomed, then nothing is lost by killing the American captives.

      And this ensures that those nations that will pay are further convinced of the willingness of the captors to kill their captives, and more likely to pay.

      This is reinforcing. Changing the policy of those nations that would pay will likely result in dead captives for a period, until the captors are convinced there is no money in the enterprise. This is a high cost, and the policy could be rolled back under pressure. The cycle begins again.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    6. Re:Ouch by rally2xs · Score: 2

      Wouldn't click on that supposed youtube video for all the tea in China. Gotta be malware at the other end...

  2. Good job they made that figure public by Oswald McWeany · Score: 3, Informative

    Now hackers know how much they can reasonably demand from Atlanta.

    --
    "That's the way to do it" - Punch
    1. Re:Good job they made that figure public by olsmeister · Score: 3

      If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you.

  3. even if they had paid by bugs2squash · Score: 5, Insightful

    Even if they had paid the ransom they would still need to fix the security holes though, so at least some of the extra expenditure is well justified.

    --
    Nullius in verba
    1. Re:even if they had paid by sl3xd · Score: 4, Insightful

      I also remember seeing that the majority of those that pay ransomware are unable to recover data anyway.

      Paying the ransom does only two things:

      1. Encourages more ransomware, as it "works" as a business model
      2. Would cost Atlanta another $55,000 in addition to the $2.6+ M to fix the problem.

      --
      -- Sometimes you have to turn the lights off in order to see.
  4. Good to hear it works. by houghi · Score: 2

    Always good to hear that it works. Remember people: backups are not about the fact if you take backups, but how fast you restore WHEN you need to.
    The same goes for contingency. You do not check if the procedures are in place. You test it so you are ready WHEN it is needed.

    One should always assume that something happens to all your data.

    Also know that a copy of your data is not the same as a backup. One does not exclude the other.

    I personally have a copy of my large data (movies, music and images) as those are basically read only. I have incremental data of other things AND a copy of the incremental data.

    And I know what risks I take by having it all in the same house. Very few things I have off-site encrypted on two separate servers. That is about 20MB of data that is absolutely critical for me.

    If I am able to figure out how to do it and what the risks are, they should be able to do so as well. Because had they invested that money in their ability to restore data, it would have saved a LOT of monies.

    And paying out just attracts others to do the same (or even the same ones).

    On an unrelated note, what is their IP address and email?

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Good to hear it works. by UnknownSoldier · Score: 4, Insightful

      This reminds me of a similar saying in the motorcycle world:

      It is not a matter of IF you will wipe but WHEN you will wipe.

      As a result we have the acronym: ATGATT: All the gear, all the time.
      i.e. You don't wear gear for the 99.99%, but for that 0.01% of the time.

      Bringing this back on top: It doesn't matter how fast you can do backups if your restore procedure is completely botched! You DID test it, right?

    2. Re:Good to hear it works. by afidel · Score: 3, Interesting

      backups are not about the fact if you take backups, but how fast you restore WHEN you need to.

      Amen to that, at job[-1] we had no problem hitting our backup windows but when we did a restore for a discovery request we found out that the interleaving that allowed the tape drives to fly during backups made restores crawl to the point where our 48 hour and 72 hour SLAs were a joke. That led us to a disk to disk to tape solution which could restore files in minutes from the appliance and where if we had to reseed from tapes the restores were done to the appliance as one long streaming block which went at full LTO speeds. Best of all for critical systems the appliances even included the ability to act as an iSCSI target for the VMware hosts so you could restore in place if the storage arrays blew up and you needed to get critical systems up and running ASAP.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
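
The restore drill that houghi, UnknownSoldier and afidel are all pointing at (prove you can restore, and how fast) as an added example that is not from the thread: it backs up a directory with a SHA-256 manifest, restores into scratch space, times the restore against an RTO budget, and flags any file that is missing or altered. The sample files and the RTO value are constructed for the demo.

```python
"""Restore drill: back up a directory, restore it into scratch space, time it, and
verify every file against a SHA-256 manifest recorded at backup time.
Constructed example: the sample files and the RTO budget are made up."""
import hashlib, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path):
    with open(path, "rb") as f:  # whole-file read; chunk it for real data sets
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive_path):
    """Write a tar.gz of src_dir; return {relative_path: sha256} taken at backup time."""
    src, manifest = Path(src_dir), {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(q for q in src.rglob("*") if q.is_file()):
            rel = p.relative_to(src).as_posix()
            manifest[rel] = sha256_file(p)
            tar.add(str(p), arcname=rel)
    return manifest

def verify_tree(restore_dir, manifest):
    """Return the sorted manifest entries that are missing or whose hash differs."""
    root = Path(restore_dir)
    return sorted(rel for rel, digest in manifest.items()
                  if not (root / rel).is_file() or sha256_file(root / rel) != digest)

def restore_drill(archive_path, manifest, rto_seconds):
    """Restore to a scratch dir and report whether it verified and beat the RTO."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # rejects paths escaping scratch
            except TypeError:
                tar.extractall(scratch)  # older Python without the filter argument
        elapsed = time.monotonic() - start
        bad = verify_tree(scratch, manifest)
    return {"ok": not bad and elapsed <= rto_seconds, "bad_files": bad,
            "elapsed_s": round(elapsed, 3), "within_rto": elapsed <= rto_seconds}

def build_sample_tree(root):
    """Constructed sample data standing in for a department file share."""
    root = Path(root)
    (root / "permits").mkdir(parents=True, exist_ok=True)
    (root / "permits" / "2018-03.csv").write_text("id,status\n1,approved\n")
    (root / "notes.txt").write_text("restore me\n")
    return root
```

A manifest that disagrees with what came off the media is the signal that the backup, not just the restore procedure, is unusable; running the drill on a schedule is what turns "we take backups" into "we can restore in N minutes".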
  5. Re:Solution by Opportunist · Score: 4, Insightful

    ...said the lawyer.

    The problem is that being able to sue someone into oblivion (usually a ltd company that goes *poof* the moment you try to squeeze money from it) means jack shit when your whole administration grinds to a halt and you can't get anything done sensibly anymore, constituents get REALLY pissed at you and vote the other guy in next time.

    Who then gets your job AND whatever they can squeeze from the husk. Well done. Really. *golfclap*

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re:The price of using Windows, by sl3xd · Score: 3, Insightful

    Nah, the time to switch to Linux was before Windows 10 started pushing upgrades which remove critical drivers.

    In the past few weeks I've fixed multiple family & friend computers which were horked by Windows 10 Update deleting the SATA drivers, followed by input device drivers.

    Who needs ransomware when Microsoft is bricking its users' computers?

    --
    -- Sometimes you have to turn the lights off in order to see.
  7. So would disaster recovery have been worth it? by Nkwe · Score: 2

    Clearly the city of Atlanta didn't have "proper" disaster recovery procedures in place. The interesting question is "Should they have?" From a pure financial point of view, would it have cost them more or less than $2.6 million to have put in place and regularly tested a disaster recovery procedure? I don't know the answer, but would be interested in hearing opinions. Sure, lots of people will say that "I can do backups for less than that", but an actual disaster recovery plan is way more than just doing backups. You have to test them and in the case of employee workstations you have to interrupt work. In the case of back end systems, even if they are redundant and highly available, certain kinds of restore operations will also interrupt work (an Active Directory restore for example if you are on a Microsoft platform, and whatever you are using for centralized authentication and configuration management for other platforms.) It would be interesting to see an analysis of the ongoing costs of disaster recovery plans (that can deal with a ransomware attack) vs the expected ongoing costs of such attacks.