Atlanta’s top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyber attack that plunged the Southeastern U.S. metropolis into technological chaos and forced some city workers to revert to paper.
On an Easter and Passover holiday weekend, city officials labored in preparation for the workweek to come.
Police and other public servants have spent the past week trying to piece together their digital work lives, recreating audit spreadsheets and conducting business on mobile phones in response to one of the most devastating “ransomware” virus attacks to hit an American city.
Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists attacked Atlanta’s computer network with a virus that scrambled data and still prevents access to critical systems.
“It’s extraordinarily frustrating,” said Councilman Howard Shook, whose office lost 16 years of digital records.
One compromised city computer seen by Reuters showed multiple corrupted documents with “weapologize” and “imsorry” added to file names.
Ransomware attacks have surged in recent years as cyber extortionists moved from attacking individual computers to large organizations, including businesses, healthcare organizations and government agencies. Previous high-profile attacks have shut down factories, prompted hospitals to turn away patients and forced local emergency dispatch systems to move to manual operations.
Ransomware typically corrupts data and does not steal it. The city of Atlanta has said it does not believe private residents’ information is in the hands of hackers, but they do not know for sure.
City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department.
Nearly 6 million people live in the Atlanta metropolitan area. The Georgia city itself is home to more than 450,000 people, according to the latest data from the U.S. Census Bureau.
City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files.
“Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.
City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.
Noble discovered the disarray on March 22 when she turned on her computer to discover that files could not be opened after being encrypted by a powerful computer virus known as SamSam that renamed them with gibberish.
“I said, ‘This is wrong,'” she recalled.
City officials then quickly entered her office and told her to shut down the computer before warning the rest of the building.
Noble is working on a personal laptop and using her smartphone to search for details of current projects mentioned in emails stored on that device.
Not all computers were compromised. Ten of 18 machines in the auditing office were not affected, Noble said.
Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.
“Our data management teams are working diligently to restore normal operations and functionalities to these systems and hope to be back online in the very near future,” he said. By the weekend, he added, officers were returning to digital police reports.
Meanwhile, some city employees complained they have been left in the dark, unsure when it is safe to turn on their computers.
“We don’t know anything,” said one frustrated employee as she left for a lunch break on Friday.
Like City Hall, whose 1930 neo-Gothic structure is attached to a massive modern wing, the city’s computer system is a combination of old and new.
“One of the reasons why municipalities are vulnerable is we just have so many different systems,” Noble said.
The city published results from a recent cyber-security audit in January, and had started implementing its recommendations before the ransomware virus hit. The audit called for better record-keeping and hiring more technology workers.
Councilman Shook said he is worried about how much the recovery will cost the city, but that he supports funding a cyber-security overhaul to counter future attacks.
For now his staff are temporarily sharing one aging laptop.
“Things are very slow,” he said. “It was a very surreal experience to be shut down like that.”
Mayor Keisha Lance Bottoms, who took office in January, has declined to say if the city paid the ransom ahead of a March 28 deadline mentioned in an extortion note whose image was released by a local television station.
Shook, who chairs the city council’s finance subcommittee, said he did not know whether the city is negotiating with the hackers, but that it appears no ransom has been paid to date.
The Federal Bureau of Investigation, which is helping Atlanta respond, typically discourages ransomware victims from paying up.
FBI officials could not immediately be reached for comment. A Department of Homeland Security spokesman confirmed the agency is helping Atlanta respond to the attack, but declined to comment further.
Hackers typically walk away when ransoms are not paid, said Mark Weatherford, a former senior DHS cyber official.
Weatherford, who previously served as California’s chief information security officer, said the situation might have been resolved with little pain if the city had quickly made that payment.
“The longer it goes, the worse it gets,” he said. “This could turn out to be really bad if they never get their data back.” (Additional reporting by Jim Finkle.)