ATLANTA - In a story first reported by 11Alive, city of Atlanta computers have been hit by a ransomware attack that has encrypted some personal and financial data.
"We don't know the extent of the attack," said Atlanta Mayor Keisha Lance Bottoms in a Thursday afternoon press conference.
New Atlanta COO Richard Cox said public safety, water and airport operations departments have not been affected.
Officials also said Thursday afternoon they are working with the FBI, U.S. Department of Homeland Security, Cisco cybersecurity officials and Microsoft to determine what information has been accessed and how to resolve the situation.
Bottoms said everyone who has done business with the city is potentially at risk, and advised businesses and consumers to check their bank accounts.
"City payroll has not been affected," Cox said, "and we have not determined that City Hall will need to be closed on Friday."
Multiple sources confirmed to 11Alive earlier on Thursday that various city systems have been impacted by the ransomware attack.
According to a statement from the city, its computers are "currently experiencing outages on various internal and customer facing applications, including some applications that customers use to pay bills or access court-related information.
"At this time, our Atlanta Information Management team is working diligently with support from Microsoft to resolve the issue. We are confident that our team of technology professionals will be able to restore applications soon. Our city website, Atlantaga.gov, remains accessible and we will provide updates as we receive them."
According to the FBI, the bureau is aware of the situation and is "coordinating with the city of Atlanta to determine what happened."
A screenshot sent to 11Alive by a city employee, and analyzed by technical expert and Kennesaw State University professor Andrew Green, shows a bitcoin demand of $6,800 per unit, or $51,000 to unlock the entire system.
Emails have been sent to city employees in multiple departments telling them to unplug their computers if they notice suspicious activity. Professor Green said that directive and the note itself are indicative of a serious ransomware attack.
One expert said based on the language used in the message, the attack resembles the "MSIL" or "Samas" (SAMSAM) ransomware strain that has been around since at least 2016.
According to the U.S. Department of Justice, the SAMSAM strain was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application.
SAMSAM exploits vulnerable Java-based Web servers, using open-source tools to identify and compile a list of hosts reporting to the victim’s Active Directory. The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system. The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim.
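For defenders, the psexec.exe distribution step described above leaves a trace: PsExec installs a service (default name PSEXESVC) on each target, which Windows records as System-log Event ID 7045. The following is an added example, not part of the original report, that flags one account installing that service on several hosts in a short window; the record fields, host names, accounts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: Event ID 7045 ("A service was installed in the
# system") after log collection. Field names are assumptions of this example.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T05:40:02", "host": "WS-101", "event_id": 7045, "service": "PSEXESVC", "account": "CORP\\svc-admin"},
    {"time": "2024-01-15T05:41:00", "host": "WS-101", "event_id": 7045, "service": "PrinterDriverSvc", "account": "CORP\\svc-admin"},
    {"time": "2024-01-15T05:41:10", "host": "WS-102", "event_id": 7045, "service": "PSEXESVC", "account": "CORP\\svc-admin"},
    {"time": "2024-01-15T05:42:30", "host": "FS-01", "event_id": 7045, "service": "PSEXESVC", "account": "CORP\\svc-admin"},
    {"time": "2024-01-15T05:44:00", "host": "WS-103", "event_id": 7045, "service": "PSEXESVC", "account": "CORP\\svc-admin"},
    {"time": "2024-01-15T09:00:00", "host": "WS-200", "event_id": 7045, "service": "PSEXESVC", "account": "CORP\\helpdesk"},
    {"time": "2024-01-15T15:30:00", "host": "WS-201", "event_id": 7045, "service": "PSEXESVC", "account": "CORP\\helpdesk"},
]

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one account installs PSEXESVC on >= min_hosts hosts within window."""
    installs = defaultdict(list)
    for e in events:
        # Default PsExec service name only; a renamed service (PsExec -r)
        # will not match and needs other signals.
        if e["event_id"] == 7045 and e["service"].upper() == "PSEXESVC":
            installs[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"]))

    alerts = []
    for account, hits in installs.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                # Report once per account, at the moment the threshold is crossed.
                alerts.append({"account": account,
                               "first_seen": hits[start][0],
                               "hosts": sorted(hosts)})
                break
    return alerts

if __name__ == "__main__":
    for alert in psexec_fanout(SAMPLE_EVENTS):
        print(alert)
```

Occasional single-host PsExec use by an administrator stays below the threshold, while the rapid fan-out across hosts is what gets flagged.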
Typically, if the ransomware virus is not intercepted before it takes control of systems, the user cannot gain access. The hackers demand money in exchange for a decryption key. Tech experts tell us even if that ransom is paid, the key often doesn't work. Sometimes, the only way to regain access is to rebuild the entire system.
MARTA experienced a technical outage this morning that prevented its Breeze cards from working. But a spokesperson tells 11Alive the agency's computer problems were unrelated and were due to a connectivity issue.
Ransomware attacks on cities and companies are becoming more common and damaging.
Earlier this year, AL.com reported, the city of Leeds, Alabama, paid $12,000 in bitcoin, a cryptocurrency, after its computer systems were taken over. The paper reports that the city was locked out of its systems and was given instructions on sending $12,000 worth of bitcoin to remove the lock.