The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city's systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin. (The exact value has fluctuated due to bitcoin's volatility.) Atlanta officials haven't said whether they paid the ransom, or even tried, but it seems that they may not have even had the chance; the attackers quickly took the payment portal offline, and left the city to fend for itself. So far, the recovery has been far more costly than the initial demand.
The Atlanta Department of Procurement lists eight emergency contracts initiated between March 22 and April 2 with a total value of $2,667,328. The bulk of the expenditures relate to incident response and digital forensics, extra staffing, and Microsoft Cloud infrastructure expertise, presumably all related to clawing back the systems that the hackers had frozen. The city also spent $50,000 on crisis communications services from the firm Edelman, and $600,000 on incident response consulting from Ernst & Young.
'It can be very expensive, and defense is not an easy thing.'
Chris Duvall, The Chertoff Group
While the security and law enforcement communities generally discourage victims from paying ransoms—it'll only encourage them, the logic goes—it's sometimes not so clear cut. It complicates matters further that attackers intentionally set their ransom prices at a level they think victims can afford. They want to maximize how much they walk away with, while still offering a "bargain" to targets versus doing the work to rebuild systems and restore from backups. The US government "does not encourage paying a ransom to criminal actors," the FBI notes in a "Ransomware Prevention and Response"