When the city of Atlanta came under attack by the SamSam ransomware on March 22nd, it was already too late—there was no emergency plan. By April, the city had spent nearly $2.6M in recovery and forensic efforts along with other associated costs. Recent news from the BBC reports the city has invested an additional $9.5M to finance its recovery efforts. The original ransom request was $50K.
When it comes to an attack of this magnitude, the decision of whether to pay is not as binary as you may think. Consider:

1. Taxpayer dollars spent on something that could have been prevented.
2. Atlanta's other urgent needs that were put on the back burner to fund these security efforts.
3. The implications of paying out the ransom.

This was a complex matter, and officials chose the hard way.
The lesson to take from Atlanta's response is the value of vigilance and preparedness. Unfortunately, this was not the first information security incident the city faced. In April 2017, several machines on its networks were infected with the DoublePulsar backdoor through exploitation of the EternalBlue vulnerability. That should have raised some eyebrows. It also shows that SamSam ransomware does not rely on social engineering (deceiving insiders of the targeted company or entity). The attackers carefully select their victims and exploit vulnerabilities in public-facing servers to gain a foothold in the network, then move laterally to infect as many systems as they can.
There was no direct human factor triggering the ransomware. Twice in consecutive years the city's systems proved vulnerable, and those vulnerabilities were exploited. The tools needed to exploit a server from the outside, and the subsequent privilege escalation, could have been detected before the ransomware spread to that extent.
In conclusion, the millions of dollars Atlanta invested in recovery should leave it with a solid security posture in the future, but the cost could have been far lower had a solid prevention and monitoring plan been in place.