Last month, Atlanta's city government was hit with a ransomware attack that caused courthouse documents and services like payment processing to become inaccessible. The ransom demand was approximately $51,000 but according to the city's Department of Procurement, Atlanta has spent much more than that on efforts to rectify the situation. It appears that firms Secureworks and Ernst & Young were paid $650,000 and $600,000, respectively, for emergency services while Edelman was paid $50,000 for crisis communication services. Overall, the funds seemingly applied to the ransomware attack response add up to approximately $2.7 million.
Atlanta .gov ransomware attack costs pic.twitter.com/xgQEpbeZPZ
— Ryan Naraine (@ryanaraine) April 23, 2018
It's unclear whether Atlanta paid or tried to pay the ransom, but evidence suggests city officials didn't attempt to or were unsuccessful. The affected services are still not fully up and running and ahead of the ransom deadline, the attackers took down the communication portal that would have been used to pay the fee.
The question of whether to pay a ransom or not isn't always an easy one to answer. Agencies like the FBI typically discourage paying these types of ransoms, with one reason being it might encourage attackers to keep doing what they're doing. But not everyone agrees with that reasoning. "Refusing to pay a ransom is unlikely to demotivate cybercriminals from conducting further attacks, as they will always find someone else to pay," Ilia Kolochenko, CEO of cybersecurity firm High-Tech Bridge, told SecurityWeek.
But another city's chief information security officer told SecurityWeek that there are other reasons not to pay up. "Unless paying the ransom provided details of how they were breached, what would it really get them?" he said. "Firstly, they don't know if they would actually get the decrypt keys. Secondly, they don't know if they would simply get hit again. And thirdly, it would only encourage more of the same kind of action." Relatedly, Secureworks has said that some groups hit with this same type of ransomware were asked to pay more after paying the initial amount. However, what's pretty clear is that Atlanta should have done more to protect its systems ahead of the attack. "The real lesson," said Kolochenko, "is for probably 10 to 20 percent of the cost of the emergency support, they could have brought in the same people to help with the same issues prior to the incident."