Some Atlanta city employees are finally getting the OK to turn their computers back on, after a whirlwind of confusion that all stemmed from a cyberattack just days before.
Now, sources with knowledge of the Atlanta hack say the dark web communication portal between the ransomware attackers and the city has been taken down. 11Alive confirmed the portal formerly active on the dark web no longer exists. That means any opportunity to pay the ransom has closed.
11Alive reached out to the City of Atlanta for comment Tuesday afternoon; however, the city has refused comment.
"Just because a ransom wasn't paid, doesn't mean that the means of doing it has gone away. We will continue to see this evolution of attacks and then how to battle those attacks," Patrick Kelley, Chief Technology Officer with Critical Path Security, said.
Atlanta isn't the only city that has been presented with a pressing question that often circles ransomware: whether to pay up or try to fix the problem themselves.
Cities and even state government agencies hit by the attack, which spreads from computer to computer encrypting files and demanding bitcoin payment, have had different responses with varied success.
Even within Georgia, cities like Hinesville have been faced with the question. It's unclear there whether or not they paid up after the attack first surfaced on Feb. 20. But as of March 19, they were still feeling the impact - almost a full month later.
"Once ransomware lands on a machine, if you don't have the key to decrypt those files, they're effectively gone," Kelley said. "The math and the effort required computationally to break that crypto is just not available. So they would wipe those environments entirely and go from there."
Other cities, such as Farmington, New Mexico, decided to rebel against the cyberattackers and didn't pay the $35,000 extortion demand. Luckily for them, they were able to recover files without a decryption key.
Meanwhile, in Leeds, Alabama, city officials opted to pay $12,000 to regain control of their computers. Whether or not the information was priceless, they were almost left in the lurch when the decryption key didn't initially work. Ultimately they were able to get back into their computers.
But these attacks haven't just been limited to cities. The Chester County School District in South Carolina refused to pay up. They said no data was compromised and they were able to find workarounds to get networks back online.
The same can't be said for Mecklenburg County, North Carolina. They, like many, refused to pay $23,000. The result: Six days after they were hacked, only 17 of their 200 affected systems had been cleared for use.
Perhaps the most unlucky of the government agencies attacked was the Colorado Department of Transportation. As they were recovering from a hack in early March, they were hit by ransomware a second time.
The most recent attacks are part of what appears to be a growing trend hitting municipalities and even hospitals across the U.S. that has only increased since the first of the year, according to HealthcareITNews.com. The attack itself involves the SamSam worm.
According to the site, hackers using this method are known to scan the internet for open RDP connections and break into networks - sometimes through brute force on weak passwords. The goal of the hackers is to spread their control across other computers on the network.
The site adds that SamSam is effective but not sophisticated and spreads through the web and through Java apps as well as web-based applications. Once it's in a system, it can spread without input from an employee.