ATLANTA – City officials stressed Friday afternoon they are ready for the huge crowds expected throughout the city in the wake of a cyberattack on city computers.
Atlanta Mayor Keisha Lance Bottoms asked citizens and businesses to be patient as the city works through the aftermath of the ransomware attack.
"We want to make sure we don't put a Band-Aid on a gaping wound," Bottoms said, reminding anyone who works for, or has done business with, the city to continue watching their accounts closely.
In a story first reported by 11Alive, city of Atlanta computers have been hit by a ransomware attack that has encrypted some personal and financial data.
Bottoms and city officials stressed that police, 911 and airport operations have not been impacted by the attack. However, Hartsfield-Jackson Atlanta International Airport has taken precautions to ensure computers at the world's busiest air terminal remain unaffected.
According to airport spokesman Reese McCranie, the airport has taken down its free public WiFi and also removed some of its website’s functionality that lists flight information and wait times.
City employees were warned on Friday not to turn on their computers until the situation is resolved. According to the city, the water is still flowing without impact and the 911 systems are fully functional because they’re radio-based, even though police are having to write paper reports.
Public safety cameras and video systems are also working, as the city prepares for more March Madness games at Philips Arena and the March for Our Lives event on Saturday. Atlanta COO Richard Cox also stressed the city is prepared for the weekend's events.
City officials also said Friday they don't know who is behind the attack, nor do they know if the attack is still ongoing.
Several major events are already underway throughout the city, including March Madness NCAA basketball games, the International Auto Show, and a Saturday March for Life.
Officials also said Thursday they are working with the FBI, U.S. Department of Homeland Security, Cisco cybersecurity officials and Microsoft to determine what information has been accessed and how to resolve the situation.
According to the FBI, the bureau is aware of the situation and is "coordinating with the city of Atlanta to determine what happened."
A screenshot sent to 11Alive by a city employee and analyzed by technical expert and Kennesaw State University professor Andrew Green shows a bitcoin demand of $6,800 per unit, or $51,000 to unlock the entire system.
Emails have been sent to city employees in multiple departments telling them to unplug their computers if they notice suspicious activity. Professor Green said that directive and the note itself are indicative of a serious ransomware attack.
One expert said that, based on the language used in the message, the attack resembles the "MSIL" or "Samas" (SAMSAM) ransomware strain that has been around since at least 2016.
According to the U.S. Department of Justice, the SAMSAM strain was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application.
SAMSAM exploits vulnerable Java-based web servers, using open-source tools to identify and compile a list of hosts reporting to the victim’s Active Directory. The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system. The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim.
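For defenders, the psexec.exe distribution step described above leaves a trace on every host it reaches. The following detection sketch is an added example, not part of the original report. It assumes PsExec's default service name (PSEXESVC) as recorded in Windows System-log Event ID 7045; the sample records, host names, and thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed records shaped like Windows System-log Event ID 7045
# ("A service was installed in the system"); hosts and times are made up.
SAMPLE_EVENTS = [
    ("2024-01-09T14:05:10", "HELPDESK-01", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2024-01-10T05:40:02", "FIN-WS01", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2024-01-10T05:40:41", "FIN-WS02", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2024-01-10T05:41:15", "HR-WS07", 7045, "psexesvc", r"C:\Windows\PSEXESVC.exe"),
    ("2024-01-10T05:41:30", "HR-WS07", 7045, "Print Helper", r"C:\Program Files\PH\ph.exe"),
    ("2024-01-10T05:42:58", "COURT-SRV03", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ("2024-01-10T05:43:20", "FIN-WS01", 7045, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
]

def is_psexec_install(event_id, service_name, image_path):
    """True for a 7045 record that installs PsExec's default service binary."""
    if event_id != 7045:
        return False
    return (service_name.lower() == "psexesvc"
            or image_path.lower().endswith("psexesvc.exe"))

def find_fanout(events, max_gap_minutes=5, min_hosts=3):
    """Group PsExec service installs into bursts (each install within
    max_gap_minutes of the previous one) and report bursts that touch at
    least min_hosts distinct hosts. Thresholds are assumptions to tune."""
    hits = sorted((datetime.fromisoformat(t), host)
                  for t, host, eid, name, path in events
                  if is_psexec_install(eid, name, path))
    gap = timedelta(minutes=max_gap_minutes)
    bursts, current = [], []
    for hit in hits:
        if current and hit[0] - current[-1][0] > gap:
            bursts.append(current)
            current = []
        current.append(hit)
    if current:
        bursts.append(current)
    alerts = []
    for burst in bursts:
        hosts = sorted({host for _, host in burst})
        if len(hosts) >= min_hosts:
            alerts.append({"first": burst[0][0].isoformat(),
                           "last": burst[-1][0].isoformat(),
                           "installs": len(burst), "hosts": hosts})
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_EVENTS):
        print(alert)
```

A single PsExec service install, such as the lone help-desk record in the sample, is routine administration; the alert fires only when installs land on several distinct hosts in quick succession.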