Ransomware and the City: Not so Sexy
On March 22nd, my hometown, the Atlanta municipal government, was targeted by a ransomware cyberattack that set the city back by decades. Out of the city’s thirteen departments, five have been forced to work manually, with police officers filing reports by hand and city workers clocking in on time clocks and manual time sheets. For more than 6 days after the attack shut down the city’s online systems, officials were still struggling to keep the government running without many of their digital processes and services. My first thought is “really?”, however this is not the first time that local government has been hit with a ransomware breach—the suburbs of Dallas and Birmingham, Alabama have been hit, as well as the Colorado Department of Transportation and those of San Francisco and Sacramento—but Atlanta is home. It is different when it hits home. Atlanta is the largest American system to be hit by ransomware. Close to 6 million people live in the Atlanta metropolitan area, with the city itself home to over 450,000 people. How could Atlanta be brought to its knees? Frankly – just like any other large organization has been.
Atlanta’s Mayor described it as being caught in a “hostage situation”; others, such as Ian Bogost, contributing editor to The Atlantic, describe the attack as a “massive inconvenience”. Bogost also writes, “As more urban infrastructure, including smart-city systems, go online, cities and their citizens should be terrified by the Atlanta ransomware hack. But for now, it isn’t even really considered an infrastructural catastrophe.” In actuality, the city was blocked from processing court cases and warrants. Many residents are still not able to pay tickets or utility bills. This may seem like a minor inconvenience, but for some residents it may mean not being able to start a new job or a delay in the reimbursement of a large expense. As Ian Bogost rightly notes, the impacts of such cyber-attacks may seem unremarkable, but they can also have serious consequences—which will only get more severe as cities and their constituents become more and more reliant on technology. Although emergency systems were not affected in the Atlanta attack, Baltimore lost its 911 system in a recent cyberattack that left it without its computer-aided dispatch system for a weekend. “I just want to make the point that this is much bigger than a ransomware attack,” said Atlanta Mayor Keisha Lance Bottoms. “This is really an attack on our government, which means it’s an attack on all of us.”
As a resident of Atlanta – I couldn’t agree more!
The perpetrator of the Atlanta attack is a hacker group called SamSam, prevalent among ransomware attack groups and known for picking targets that are likely to pay the ransom. SamSam typically requests about $50,000 in bitcoin, as it did in the case of Atlanta, and is believed to have already extorted 1 million US dollars this year from about 30 organizations. They work by locking up targets’ files with encryption, replacing the file names with “imsorry” and “weapologize”, and giving the target a week to pay the ransom before making the files permanently inaccessible.
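As an added illustration of a defensive check (not code from the original post, and not anything published about the Atlanta incident), here is a Python scan that flags files carrying the rename markers the post names. It assumes the markers appear as substrings of the renamed file names, and the 5% alert threshold and the sample directory tree are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Marker strings the post attributes to SamSam's file renaming.
# Assumption (not from the post): they appear as substrings of the
# renamed file names, e.g. "report.docx.weapologize".
RENAME_MARKERS = ("imsorry", "weapologize")


def scan_for_rename_markers(root, alert_ratio=0.05):
    """Walk `root`, collect files whose names carry a marker, and report
    whether the share of marked files meets alert_ratio (a hypothetical
    threshold chosen for the demo, not a published figure)."""
    marked = []
    total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            total += 1
            lowered = name.lower()
            if any(marker in lowered for marker in RENAME_MARKERS):
                marked.append(os.path.join(dirpath, name))
    ratio = len(marked) / total if total else 0.0
    return {
        "total": total,
        "marked": sorted(marked),
        "ratio": ratio,
        "alert": bool(marked) and ratio >= alert_ratio,
    }


def build_constructed_sample():
    """Create a constructed directory tree (sample data, not incident data):
    two untouched files and two renamed the way the post describes."""
    root = tempfile.mkdtemp(prefix="ransomware_demo_")
    files = {
        "finance/q1.xlsx": b"plain",
        "finance/q2.xlsx.weapologize": b"encrypted",
        "hr/roster.docx.imsorry": b"encrypted",
        "hr/notes.txt": b"plain",
    }
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    print(scan_for_rename_markers(build_constructed_sample()))
```

A scan like this only catches the renaming pattern after the fact; it is a cheap sanity check to run against file shares and backup sets, not a substitute for the backup and recovery planning discussed below.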
So Why Are Hackers Increasingly Targeting Local Governments?
The Atlanta attack, as well as the many listed in the opening, points to a larger issue: hackers are increasingly targeting local governments. SamSam reportedly targets organizations that have legacy equipment and weak security, i.e., they go after the easier targets. While ransomware has frequently targeted healthcare, the healthcare industry’s bolstering of security has led hackers to seek new targets. Governments are seen as a particularly promising target because, like the healthcare industry, they can ill afford system failures and downtime—they manage many public-facing web services and employ a lot of people who need continuous access. They also tend to be more vulnerable than private businesses in terms of technology. As of 2016, 38% of local governments were reliant on technology at least a generation old and less than half had purchased cyber insurance. Less than half of governments polled in 2016 have a written cyber security policy and only 34% have a written policy for breach recovery. These organizations need to prepare for how they handle such events, especially as they use taxpayer money to recover from them. Today, more and more organizations are opting to pay the ransomware fee, with 48% of victims paying.
How to Move Forward
Constituents are dependent on their local government for many things, and as governments become more and more reliant on computer systems (think Smart City) they need to ensure that they don’t become even more vulnerable to cyberattacks such as these. We will likely see more attacks that don’t just hit one system, such as transportation or 911, but multiple systems, as in the Atlanta attack. So what can be done? A lot!
- Governments need to have written cyber security policies and breach recovery plans.
- Established back-up and recovery plans that are implemented and followed can go a long way toward recovering systems without having to succumb to bad actors’ requests for ransom.
- Systems need to be up-to-date and not antiquated—as they too often are in the case of local government. Upgrades can help protect agencies from bad actors.
- Government employees need to be trained to spot phishing and smishing attempts. Kudos to my hometown of #ATL, as Atlanta will be training its workers with anti-malware services, which is a step in the right direction. Training must be continual.
- And sensitive communications should occur through secure mediums, such as secure messaging platforms like Vaporstream.
We live in an exciting time where the use of computer systems means greater efficiency for many. The digitization of government and business in general means more efficiency and better service to those we serve. However, as governments become more reliant on technology, cyber security must be priority number one in ensuring that your services remain operational and the public you serve, and their data, remains safe.