Atlanta Ransomware Attack (A) Custom Case Solution & Analysis

Evidence Brief: Atlanta Ransomware Attack

Financial Metrics

  • Ransom Demand: 6 Bitcoins per computer or approximately 51000 dollars for a global decryption key.
  • Estimated Recovery Cost: Initial estimates rose from 2 million dollars to over 17 million dollars in total expenditures.
  • IT Budget Context: The city historically underfunded IT infrastructure, leaving 2000 identified vulnerabilities and 144 missing server patches.
  • Departmental Impact: 5 out of 13 city departments suffered significant encryption of data and systems.

Operational Facts

  • Scale of Infection: Over 2000 city computers encrypted by SamSam ransomware on March 22, 2018.
  • Service Disruptions: Public-facing systems, including the municipal court, water bill payments, and parking ticket applications, went offline.
  • Data Integrity: The attackers used RSA-2048 encryption, making decryption without the private key computationally infeasible.
  • Infrastructure State: The city relied on legacy systems with a decentralized IT management structure that slowed centralized response.

Stakeholder Positions

  • Mayor Keisha Lance Bottoms: Newly elected and focused on transparency while balancing public safety against fiscal responsibility.
  • Daphne Rackley (Interim CIO): Responsible for technical containment and advising the executive office on the feasibility of recovery.
  • Federal Bureau of Investigation (FBI): Recommended against paying the ransom to avoid incentivizing future criminal activity.
  • Atlanta Citizens: Experienced direct loss of services and expressed concern over the safety of personal data stored in city databases.

Information Gaps

  • Backup Viability: The case does not specify the exact percentage of encrypted data that existed in offline, uncorrupted backups at the moment of the attack.
  • Attacker Reliability: No data exists within the case to verify if the SamSam group had a history of actually providing functional keys after payment.
  • Insurance Coverage: The specific limits of the city's cyber insurance policy are not detailed in the evidence.

Strategic Analysis

Core Strategic Question

  • The city must decide whether to pay a nominal ransom for uncertain data recovery or invest millions in a total system rebuild to ensure future resilience.

Structural Analysis

A Stakeholder Impact Analysis reveals that the short term cost of payment is dwarfed by the long term risk of moral hazard and repeat targeting. While the ransom is only 51000 dollars, paying signals that Atlanta is a soft target with weak backups. The Value Chain Analysis of city services shows that public safety and revenue collection are the primary nodes of failure. Relying on an external criminal actor to restore these nodes is a strategic dependency that the city cannot afford.

Strategic Options

  • Option 1: Refuse Payment and Rebuild. This involves a complete overhaul of the IT environment. Rationale: Eliminates the moral hazard and uses the crisis to force necessary capital investment. Trade-off: Extremely high cost and months of service disruption.
  • Option 2: Pay the Ransom. Rationale: Potential for immediate restoration of critical services at a fraction of the rebuild cost. Trade-off: No guarantee of decryption and high reputational risk for the new administration.
  • Option 3: Selective Recovery. Rationale: Rebuild critical public safety systems while attempting to negotiate or pay for specific keys for non-critical data. Trade-off: Complexity in execution and likely rejection by the attackers.

Preliminary Recommendation

The city should refuse to pay the ransom. The 51000 dollar demand is a distraction from the 17 million dollar reality of systemic neglect. Paying the ransom does not fix the 2000 vulnerabilities that allowed the initial intrusion. Atlanta must leverage this crisis to modernize its infrastructure and migrate to a more secure, centralized cloud architecture.

Implementation Roadmap

Critical Path

  • Phase 1: Containment and Isolation (Days 1 to 5). Disconnect all infected nodes to prevent lateral movement of the ransomware.
  • Phase 2: Priority Service Restoration (Days 6 to 30). Rebuild municipal court and water billing systems using clean backups or new cloud instances.
  • Phase 3: System Hardening and Migration (Days 31 to 90). Implement multi-factor authentication and move critical data to managed service providers.

Key Constraints

  • Technical Debt: The sheer volume of legacy software makes rapid migration difficult and prone to integration errors.
  • Talent Scarcity: The city lacks the internal cybersecurity expertise to manage a recovery of this scale without expensive external consultants.
  • Budgetary Friction: Diverting 17 million dollars from other city projects requires emergency legislative approval and public transparency.

Risk-Adjusted Implementation Strategy

The plan assumes that 30 percent of the encrypted data is permanently lost. The strategy focuses on functional restoration rather than data perfection. By prioritizing the operational capacity of the police and courts, the city mitigates the most severe public safety risks while accepting the slower recovery of administrative archives.

Executive Review and BLUF

Bottom Line Up Front

Atlanta must reject the ransom demand. The 51000 dollar payment is an insignificant sum that offers no guarantee of system integrity and fails to address the underlying IT insolvency. The city should immediately commit to the 17 million dollar recovery plan. This investment is not a cost of the attack but a deferred payment for a decade of infrastructure neglect. Speed in communication and transparency with the public will be the primary drivers of political survival for the administration.

Dangerous Assumption

The analysis assumes that the city can survive a 90 day disruption of core revenue services without a total collapse of public trust or a credit rating downgrade.

Unaddressed Risks

  • Secondary Extortion: The attackers may have exfiltrated sensitive citizen data before encryption, leading to a second wave of threats.
  • Litigation Risk: Citizens or employees whose data was compromised may file class action lawsuits against the city for negligence.

Unconsidered Alternative

The team did not fully explore the possibility of a public-private partnership with local tech giants to accelerate the recovery through pro-bono engineering support and temporary infrastructure hosting.

Verdict

APPROVED FOR LEADERSHIP REVIEW
