Atlanta ransomware attack destroyed years of police dashcam video

In March, a SamSam ransomware attack brought the city of Atlanta to its knees.

Six days after the city’s online systems were shut down on 22 March, Atlanta was still rescheduling court dates, police and other employees were still writing out reports by hand, and residents couldn’t go online to pay their water bills or parking tickets.

The attackers demanded ransom of what was then roughly $52,000 worth of bitcoin. It’s never a bargain to pay crooks, and there’s no guarantee that if you do, they won’t come back for more. But the ransom pales in comparison to the $2.6 million worth of emergency contracts the city initiated to claw back its systems.

After all that, months later, the pain just keeps coming. On Friday, Atlanta Police Chief Erika Shields said that years' worth of police dashcam video has been lost for good and can’t be recovered.

Shields told The Atlanta Journal-Constitution and Channel 2 Action News that her department hasn’t lost access to investigatory files or other crucial evidence: access to these files was quickly restored after the attack, she said.

But the loss of dashcam footage could compromise an undetermined number of investigations, including driving under the influence (DUI) cases.

Shields downplayed the importance of dashcam video, saying that there are other forms of evidence that can help them make cases:

“I’m not overly concerned, I’m really not. Because that’s a tool, a useful tool, for us. But the dashcam doesn’t make the cases for us. There’s got to be the corroborating testimony of the officer. There will be other pieces of evidence. It’s not something that makes or breaks cases for us.”

But The AJC talked to legal experts and police officers who disagreed. They said that yeah, actually, that footage really is pretty crucial in certain cases.

Attorney Manny Arora told the newspaper that the loss will “most likely favor the state a little bit more because now it’s going to be the officer’s word about what happened on the street versus what the defendant has to say.”

Ken Allen, an Atlanta police union official and a retired investigator, also told the news outlet that video evidence can help determine if an officer is at fault in cases that involve the use of force or investigations into collisions that involve police. Shields noted that bodycam footage hasn’t been lost, however.

The AJC reported another example: a case that involved footage of a police sting of a former employee fired for allegedly destroying an open records request. An investigator on that case said that 105,000 files on his computer had been compromised.

Not an issue, Shields said, because other evidence supports the former employee’s firing:

“Employees have to back up documents. Even if it’s not related to a criminal investigation, if it is of some value to you, you have got to be backing this stuff up. I think it was a painful but useful lesson in IT security for all of us.”

There are other useful, just as painful, lessons too.

Defending against SamSam

Unlike most other forms of high-profile ransomware, SamSam is used in targeted attacks where victims are hand-picked and the attacker’s approach is tailored to cause maximum damage and disruption, and to extract a very high ransom.

Because SamSam attacks are relatively rare and the methods involved differ from one victim to the next, defending against them can be difficult.

However, there are common threads to the attacks, and Sophos has published an article outlining four tips for improving your protection against SamSam and other targeted ransomware over on our sister site, Sophos News.

You can also read more about SamSam in SophosLabs’ recent whitepaper, SamSam ransomware chooses its targets carefully.
