Anatomy of a Breach: City of Atlanta — The $17 Million Ransomware Attack That Started with a $51,000 Demand

> series: anatomy_of_a_breach —— part: 112 —— target: city_of_atlanta —— ransom: $51,000 —— recovery_cost: $17,000,000

Hedgehog Security · 30 April 2018 · 13 min read

$51,000 ransom. $17 million to recover. The economics of not paying.

On 22 March 2018, SamSam ransomware encrypted systems across multiple City of Atlanta departments, demanding approximately $51,000 in Bitcoin (6 BTC) for the decryption keys. The attack affected police records, court systems, utility billing, and internal communications. Officers wrote incident reports by hand. Residents could not pay water bills or parking tickets online. The municipal court could not process cases. Years of police dashboard camera footage was reportedly destroyed.

Atlanta chose not to pay the ransom. The recovery cost — including emergency IT contracts with Secureworks and other firms, new hardware, software licences, and consulting fees — exceeded $17 million. The SamSam operators — later identified as two Iranian nationals — had specifically targeted the city after reconnaissance revealed vulnerable, internet-facing Remote Desktop Protocol (RDP) services. The US Department of Justice indicted the operators in November 2018, charging them with attacks against over 200 victims including hospitals, municipalities, and public institutions.



RDP. Brute force. Targeted deployment. Maximum damage.

SamSam differed from mass-distributed ransomware like WannaCry in a critical way: it was manually deployed. The operators identified vulnerable internet-facing RDP services, brute-forced the credentials, gained access to the network, performed reconnaissance to identify critical systems and backups, and then deployed the ransomware at a time calculated for maximum impact — typically late at night or over weekends. This targeted approach made SamSam far more devastating per victim than automated ransomware.
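The entry step of that chain, credential guessing against an exposed RDP service, is one of the easier parts to detect because every failed logon is recorded. The following detector is an added example (not code from Hedgehog Security or from the Atlanta investigation) that runs over a handful of constructed log lines in a simplified export format. It relies on two real Windows facts: Security event 4625 is a failed logon and 4624 a successful one, and logon type 10 (RemoteInteractive) is the type RDP sessions produce. The window, threshold and line format are assumptions chosen for the illustration; the IP addresses and usernames are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real Atlanta logs), in an assumed simplified export format:
#   <ISO timestamp> <EventID> LogonType=<n> TargetUser=<name> Source=<ip>
# 203.0.113.7 guesses passwords over RDP and eventually succeeds; 198.51.100.4 is
# an ordinary user who mistypes once; the LogonType=3 line is a non-RDP network logon.
SAMPLE_LOG = """\
2018-03-20T02:14:05Z 4625 LogonType=10 TargetUser=administrator Source=203.0.113.7
2018-03-20T02:14:09Z 4625 LogonType=10 TargetUser=admin Source=203.0.113.7
2018-03-20T02:14:14Z 4625 LogonType=10 TargetUser=backup Source=203.0.113.7
2018-03-20T02:15:02Z 4625 LogonType=3 TargetUser=jsmith Source=10.20.0.15
2018-03-20T02:15:30Z 4625 LogonType=10 TargetUser=svc_backup Source=203.0.113.7
2018-03-20T02:16:01Z 4625 LogonType=10 TargetUser=svc_backup Source=203.0.113.7
2018-03-20T02:16:40Z 4625 LogonType=10 TargetUser=svc_backup Source=203.0.113.7
2018-03-20T02:17:55Z 4624 LogonType=10 TargetUser=svc_backup Source=203.0.113.7
2018-03-20T08:05:12Z 4625 LogonType=10 TargetUser=jdoe Source=198.51.100.4
2018-03-20T08:05:40Z 4624 LogonType=10 TargetUser=jdoe Source=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) Source=(?P<src>\S+)$"
)

RDP_LOGON_TYPE = 10            # RemoteInteractive: what RDP sessions log
WINDOW = timedelta(minutes=10)  # assumed sliding window
THRESHOLD = 5                   # assumed failures-per-source before alerting


def parse_line(line):
    """Parse one export line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "user": m["user"],
        "src": m["src"],
    }


def detect_rdp_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alert tuples for RDP logon failure bursts and for successes that follow them.

    BRUTE_FORCE fires once when a source reaches `threshold` RDP failures inside `window`;
    BRUTE_FORCE_SUCCESS fires when a source with a live burst then logs on successfully,
    which is the moment a defender most needs to see (the account is now in the attacker's hands).
    """
    failures = defaultdict(deque)  # source ip -> timestamps of recent RDP failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ltype"] != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this rule
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if ev["event"] == 4625:
            recent.append(ev["ts"])
            if len(recent) == threshold:  # first crossing of the threshold in this window
                alerts.append(("BRUTE_FORCE", ev["src"], len(recent), ev["ts"]))
        elif ev["event"] == 4624 and len(recent) >= threshold:
            alerts.append(("BRUTE_FORCE_SUCCESS", ev["src"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the constructed input this yields two alerts for 203.0.113.7 (the burst, then the successful logon to svc_backup) and nothing for the single mistyped password from 198.51.100.4. The second alert type is the one worth paging on: a success after a burst is the point at which the manual reconnaissance described above begins, and a SOC that acts on it has hours or days before the payload is staged.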

RDP: The Front Door

SamSam's primary entry vector was internet-facing RDP — the same remote access protocol that should never be exposed to the internet without MFA, VPN, or other protective controls. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA on all remote access. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> identifies exposed RDP services.

$51K Ransom vs $17M Recovery

The ratio — $17 million in recovery costs versus a $51,000 ransom demand — illustrates the economics of ransomware. While paying is not recommended (it funds further attacks and provides no guarantee of a working decryptor), the cost of not paying underscores the need for prevention and preparation. Tested backups and a rehearsed incident response plan dramatically reduce recovery costs.

Local Government as Target

Atlanta was not unique — SamSam targeted over 200 municipalities, hospitals, and public institutions. <a href="/blog/sector-under-the-microscope-local-government">UK local government</a> faces the same risk: legacy systems, limited IT budgets, and internet-facing services create ideal conditions for targeted ransomware. <a href="https://www.socinabox.co.uk/sectors/local-councils">SOC in a Box for Local Government</a> provides the monitoring these organisations need.

Backups Targeted

SamSam operators specifically sought out and encrypted or deleted backup systems before deploying the ransomware payload — ensuring that victims could not recover without paying. Immutable, offline backups that cannot be reached from the production network are the only reliable defence. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> validates backup isolation.
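"Tested backups" (the economics section above) and "backups targeted" (this section) come down to one question a council should be able to answer at any moment: is the backup set still exactly what we wrote, or has something on the production side overwritten, deleted or renamed parts of it? The script below is an added example, not Hedgehog Security's tooling: it builds a SHA-256 manifest of a backup set, then re-verifies the set against that manifest and reports missing, modified and unexpected files. The whole scenario runs in a temporary directory with constructed file contents; the tampering it simulates (one file overwritten in place, one deleted and replaced by a differently named file) is only what such a check would see after an operator had reached the backups. The design assumption, flagged in the comments, is that the manifest is stored somewhere the production network cannot write to, otherwise an attacker who can reach the backups can also rewrite the manifest.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backup archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map every file's POSIX-style relative path to its SHA-256 digest.

    Assumption: the returned manifest is written somewhere the production network
    cannot modify (offline media or an append-only store), so it stays trustworthy
    even if the backup share itself is later reached from a compromised host.
    """
    backup_dir = Path(backup_dir)
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir, manifest):
    """Compare the current backup set against a trusted manifest.

    missing    -> files in the manifest that no longer exist (deleted or renamed)
    modified   -> files whose content hash changed (overwritten or encrypted in place)
    unexpected -> files present now that were never part of the set
    ok         -> True only when nothing is missing or modified
    """
    current = build_manifest(backup_dir)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(set(current) - set(manifest))
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "ok": not (missing or modified)}


def run_scenario():
    """Create a constructed backup set, verify it clean, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed backup contents (placeholders, not real municipal data).
        (backup / "db" / "court.sql").write_bytes(b"CREATE TABLE cases (id INT, status TEXT);\n")
        (backup / "billing.csv").write_bytes(b"account,amount\n1001,42.50\n")

        manifest = build_manifest(backup)   # taken while the set is known-good
        clean = verify_backup(backup, manifest)

        # What a check sees after the backups were tampered with (constructed):
        (backup / "billing.csv").write_bytes(b"\x00\x17\x9a not the original bytes")
        (backup / "db" / "court.sql").unlink()
        (backup / "db" / "court.sql.encrypted").write_bytes(b"\x00\x00 placeholder")
        tampered = verify_backup(backup, manifest)

        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_scenario()
    print("clean set:   ", clean)
    print("tampered set:", tampered)
```

Run as a scheduled job against the offline copy, the report is the "tested" in tested backups: a non-empty `missing` or `modified` list means the set cannot be relied on for recovery and the incident response plan should be invoked before, not after, an encryption event on production. A restore drill (restoring the set to an isolated host and re-running `verify_backup` there) closes the loop, since a backup that verifies but cannot be restored is equally useless on the day.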

Atlanta's lesson applies directly to UK councils.

The City of Atlanta attack is directly relevant to UK local government: similar legacy infrastructure, similar budget constraints, similar internet-facing services. For UK councils, the defence requires: removing RDP from the internet (or protecting it with MFA and VPN), maintaining tested offline backups, deploying continuous SOC monitoring, and maintaining incident response capability. Cyber Essentials certification addresses all of these baseline controls.


Atlanta: $51K ransom, $17M recovery. Could your council survive the same?

<a href="/cyber-essentials">Cyber Essentials</a> mandates MFA on remote access. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> identifies exposed RDP. <a href="https://www.socinabox.co.uk/sectors/local-councils">SOC in a Box for Local Government</a> monitors 24/7.
