[BreachExchange] One year after Atlanta's ransomware attack, the city says it's transforming its technology

Destry Winant destry at riskbasedsecurity.com
Tue Mar 26 10:10:56 EDT 2019


When Gary Brantley walked into his job as Atlanta’s new chief
information officer last October, he took the helm of an IT agency
still digging out from one of the highest-profile cyberattacks against
a U.S. target.

It had been about six months since the ransomware virus SamSam
unleashed itself on Atlanta’s municipal computer systems and networks,
wreaking havoc on nearly every part of the city’s government. Brantley
left behind a CIO position at the DeKalb County Public Schools to take
over the city’s IT at the request of Mayor Keisha Lance Bottoms. The
mayor, then eight months into her term, said at the time she hired
Brantley not just to supervise municipal IT, but also to prove her
administration’s “ability to run an efficient government.”

Brantley was handed a crisis. The SamSam virus infested nearly all of
Atlanta’s city agencies when it was detected last March, knocking out
court scheduling, online-bill payments and airport Wi-Fi, but it also
exposed deeper problems inside AIM, including a disorderly approach
toward security and a lack of collaboration with outside organizations
that might have helped stanch the bleeding. While many of the
public-facing systems were restored within a few weeks or months,
Brantley arrived tasked with the burden of not just finishing the
mop-up job, but overhauling the organization that allowed the
ransomware attack to happen in the first place.

“These were some major critical applications that had a lot of
sensitive data,” Brantley says. “You had financial systems, court
systems. You had [customer-relationship management] systems, the
service-desk systems that needed to be brought back up. Most
importantly, you had the data tied to those systems that needed to be
brought back, in some cases repopulated.”

To continue the recovery process — and to make his agency stronger —
Brantley says he’s instructed staff to focus on fundamental practices
like better password management and greater restrictions on access to
sensitive systems.

“The message was that we were going to get back to operational
basics,” he says. “We’re going to focus on doing the little things

The biggest target

Atlanta’s guard was down on March 22, 2018, when the SamSam virus
infected the city’s networks and encrypted at least one-third of its
applications. Municipal employees who attempted to log on to affected
systems were greeted with an anonymous demand for a six-bitcoin
payment — equal to about $51,000 at the time — in exchange for a key
that would remove the virus and allow city workers back into their

The infection spread far beyond court schedules and public Wi-Fi.
Elected officials and city employees reported losing years’ worth of
correspondence. Footage from dashboard-mounted cameras in police cars
was destroyed. Many legal files were similarly lost for several
months, but were eventually recovered.

Bottoms, who had just been inaugurated two months before the incident,
admitted in the ensuing weeks that she had not given much thought to
cybersecurity. But it quickly became her young administration’s top
priority, as the city started shelling out emergency contracts to IT
vendors and crisis communications specialists. By last August, the
city was prepared to spend up to $17 million to remedy the attack’s

Atlanta was one of more than 200 victims of the SamSam virus — it just
happened to be the biggest. First unleashed in January 2016 on a small
business in Mercer County, New Jersey, it was later used to attack
other companies, hospitals and eventually governments.

Federal prosecutors indicted two Iranian citizens Nov. 28, accusing
them of developing SamSam and using it to ransack vulnerable computer
networks and collect more than $6 million in ransom payments. Many
victims paid, including the city of Newark, New Jersey, which forked
over $30,000.

But the charges offer little resolution alongside the unlikelihood of
the United States retrieving two suspects from a country with which it
has no formal diplomatic relations. Instead, SamSam victims are left
to reflect on where they erred and how they can improve.

Migration and collaboration

A city auditor’s report published in January 2018, two months before
the ransomware attack, makes Atlanta look like a natural target. The
report excoriated the city’s cybersecurity practices and faulted AIM
for a relaxed approach that was driven by “ad hoc or undocumented”
processes. Inspectors found nearly 100 government servers running a
version of Windows that Microsoft stopped supporting in 2015 and as
many as 2,000 other “severe vulnerabilities” that turned up in monthly

Those shortcomings might’ve eased the SamSam virus’ way onto the
city’s network. Unlike other ransomware strains, which are typically
activated by links clicked on by unsuspecting recipients of phishing
emails, SamSam relies on brute-force attacks looking for weak or
default passwords.
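The password-guessing pattern described above (many failed logons for weak or default accounts from one source in a short burst) is something a city IT shop can watch for in its own authentication logs. The detector below is an added example written for this page, not anything from Atlanta's or the article's sources; the sshd-style log lines, addresses and usernames are constructed, and the threshold and window are illustrative choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not from the article): sshd-style failed-password
# events. Timestamps, addresses and usernames are made up for this illustration.
SAMPLE_LOG = """\
2018-03-22T02:14:01 auth sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022
2018-03-22T02:14:03 auth sshd[2201]: Failed password for invalid user administrator from 198.51.100.7 port 51023
2018-03-22T02:14:05 auth sshd[2201]: Failed password for root from 198.51.100.7 port 51024
2018-03-22T02:14:06 auth sshd[2201]: Failed password for root from 198.51.100.7 port 51025
2018-03-22T02:14:09 auth sshd[2201]: Failed password for guest from 198.51.100.7 port 51026
2018-03-22T02:14:11 auth sshd[2201]: Failed password for test from 198.51.100.7 port 51027
2018-03-22T02:20:40 auth sshd[2240]: Failed password for jdoe from 192.0.2.15 port 40112
2018-03-22T02:31:02 auth sshd[2250]: Failed password for jdoe from 192.0.2.15 port 40113
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (failed_count, distinct_users)} for every source that
    produced `threshold` or more failed logons inside a sliding window of
    `window_seconds`. A burst of failures spread across several usernames from
    one address is the guessing pattern the article attributes to SamSam; a
    single user mistyping a password a couple of times is not flagged."""
    recent = defaultdict(deque)        # src -> deque of (timestamp, user)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # ignore lines that are not failed logons
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = (len(q), len({u for _, u in q}))
    return flagged

if __name__ == "__main__":
    for src, (n, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logons across {users} usernames within 60s")
```

Tuning the window and threshold to local logon volume, and feeding the result into account lockout or a firewall block, is the operational follow-up this snippet stops short of.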

Brantley says the attack has placed security at the front of every
decision AIM makes and also accelerated the replacement of many legacy

“The first order of business was to get the environment back up to
where it needed to be,” he says. “But the next phase has been to
establish a cybersecurity framework and put a renewed focus on
awareness, not only for [city] employees but for the people who are
doing the [IT] work on a day-to-day basis.”

Brantley credits the ransomware attack with accelerating the city’s
migration of many of its critical applications to a hybrid cloud
service, which he says has improved the city’s security. He also says
the incident has encouraged him to develop the city’s relationships
with the state and federal governments.

Though the FBI and Department of Homeland Security both assisted
Atlanta’s response to the ransomware attack, Brantley says those
partnerships had not been nurtured enough.

“I don’t think there was a true focus on it,” he says. “We really took
the time to focus on re-establishing those relationships. That’s
actually a goldmine. But also what’s really important is that our
relationships locally with the state, cross-collaboration with
bordering counties and local business has increased dramatically.”

Brantley says that web of collaboration carried the city through Super
Bowl LIII last month, when city, state and federal cybersecurity
officials staffed a network of at least nine operations centers during
the run-up to the big game.

While the Super Bowl went smoothly, Brantley admits the ransomware
attack’s impact looms over the city’s ongoing IT decisions.

“I think at the front of things, security — which it should’ve in the
past — has now become a focal point,” he says. “Going forward, we have
a security strategy at the front of everything we do, even if it’s
just conceptually. We’re still going to innovate, but we’ve started to
focus on having a secure operational environment and having that be
the foundation before we get into disruptive types of technology.”

Catering an emergency

If there is a playbook for bouncing back from a ransomware incident,
it might resemble the one the Colorado Office of Information
Technology developed last year when that state’s transportation agency
had its own run-in with the SamSam virus.

The Colorado Department of Transportation reported Feb. 21, 2018 that
about 2,000 of its computers had been encrypted by SamSam. Dozens of
IT workers spent long hours trying to contain the infection, but a
week in, the virus was still spreading and human logistics were
breaking down.

“We had 60 people on-site,” says Colorado CISO Deborah Blyth. “It was
up to me or the CTO or director of infrastructure to figure out how to
feed these people, and they were sick of pizza. And it was pulling me
away from activities I needed to be engaged in.”

So Blyth did something novel: She asked the Colorado Office of
Emergency Management to issue a disaster declaration treating the
ransomware attack like a wildfire or flood, opening up a host of
additional resources such as the Colorado National Guard’s
cybersecurity unit, and freeing her from pizza-delivery duties.

“When we engaged Office of Emergency Management, they have a logistics
team and they were coordinating catering,” she says.

The emergency declaration also created a more orderly process for
containing and eradicating the malware, which allowed CDOT to be back
at 80-percent functionality a month after the attack.

Colorado was the first state to issue a statewide emergency because of
a cyberattack, but Blyth expects it won’t be the last.

“I think it will become more normal,” she says. “It’s so important to
make the information security community aware that in times of
cyber-crisis that there’s a whole crisis team that exists, and
comforting to emergency management that they don’t have to be cyber
experts, but their methodology still applies.”

State and local governments need to develop collaborative plans for
responding to ransomware and other cyberattacks, says Bradford Willke,
a DHS cybersecurity official.

“One of the measures of success is that it comes down to having an
action plan ahead of time,” says Willke, whose division assists state
and local governments with cybersecurity needs. “Atlanta’s one
episode. The planning side is not just the IT side of the shop. It is
working with the enterprise side, the business side of local
governments to determine how you want to coordinate on issues like
ransomware, to evaluate high-value assets, priority restoration and
even if they’re going to accept coordination with external partners.”

Willke’s agency, the Cybersecurity and Infrastructure Security Agency,
offers local governments assistance through the Multi-State
Information Sharing and Analysis Center, run by the nonprofit Center
for Internet Security, as well as its own Computer Emergency Readiness
Team, or US-CERT. But Willke says that many local governments hit by
ransomware can be sheepish to call in for federal assistance because
of bureaucratic and legal hurdles, which means those attacks are

“It’s still happening,” he says. “I think maybe the difference in year
over year is just the presence of resources we have.”

A new cast

Back in Atlanta, Brantley says he’s focused on building a governance
structure that embraces more collaboration like the kind that was on
display for the Super Bowl.

“From a culture perspective, we’re looking at breaking down a lot of
silos,” he says.

Atlanta Information Management’s leadership has also been entirely
recast. In his first few months, Brantley hired Tye Hayes, a former
deputy CIO for the city’s education department, as his chief
technology officer, and William Wade III, a longtime private-sector
information security executive, as Atlanta’s new CISO. A new citywide
IT management plan is expected next month.

While expensive to fix, the 2018 ransomware attack may also be the
start of a long-term overhaul for Atlanta’s information security
policies, Brantley says.

“I’m not new to transformation,” he says. “I lived here and I didn’t
like it. [The mayor] wants us to emerge at the end of the front of the
cybersecurity world as it relates to government. We’ll always continue
to fight and push forward.”
