Investigation: Red flags raised months before ransomware attack on City Hall

ATLANTA — One week after a crippling ransomware attack on the city of Atlanta's computer network, a Channel 2 Action News investigation uncovered that over the last year, the city received several warnings about malware on one specific city server.

Channel 2 investigative reporter Aaron Diamant has obtained city emails that show red flags were raised months before the massive cyberattack that is still affecting the city's computer system.

“What we know is that it is extremely related to the current situation today,” Versprite cybersecurity consultant Tony UcedaVelez said.


Diamant showed UcedaVelez an internal city of Atlanta email chain, dating back to last June, documenting IT officials’ response to multiple warnings that a specific city server appeared infected with malware.

“What’s astonishing is the incident that’s manifested in that email communication is related to what we’re seeing today in terms of a ransomware,” UcedaVelez said.

The warnings involved an Atlanta City Council server.

Last February, an outside monitoring service discovered that the server had contacted a blacklisted IP address associated with known ransomware attacks.

The vendor’s report to the city noted, “these connections could represent a malware callback as a result of an infection.”

The emails also show the city saw similar red flags in September and June.


UcedaVelez said that while the emails show the city triaged that one server, doing so alone would not have solved the underlying problem.

“The reality is that this is one system that’s interconnected with other systems, and that’s what I’m not seeing in the correspondence, is action from the city IT officials to say we need to broaden our scope. Is there a systemic failure on the part of network architecture?” UcedaVelez said.
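The two points above, the vendor's blocklist match on outbound connections and the consultant's call to widen the investigation beyond the one server, can be shown as a small detection routine. This is an added example, not code from the article, the city, or the monitoring vendor; the flow-log lines, the internal network range, the blocklist entries and every IP address in it are constructed for illustration (RFC 5737 documentation addresses stand in for real infrastructure).

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# The organisation's internal address space (constructed for this example).
INTERNAL_NET = ip_network("10.20.0.0/16")

# Constructed threat-intel blocklist; addresses come from RFC 5737 documentation ranges.
RANSOMWARE_C2_BLOCKLIST = {
    "203.0.113.45": "constructed entry: ransomware callback infrastructure",
    "198.51.100.7": "constructed entry: ransomware callback infrastructure",
}

# Constructed firewall/flow log, one connection per line: "<ISO timestamp> <src> <dst> <dst port>".
# The same internal host reaches blocklisted addresses in February, June and September.
SAMPLE_FLOW_LOG = """\
2017-02-14T03:12:44 10.20.5.15 203.0.113.45 443
2017-02-14T03:14:01 10.20.5.15 192.0.2.80 443
2017-06-02T22:41:09 10.20.5.15 203.0.113.45 8080
2017-06-03T08:10:30 10.20.7.22 10.20.5.15 445
2017-09-19T01:05:17 10.20.5.15 198.51.100.7 443
2017-09-19T01:06:00 10.20.9.8 10.20.5.15 3389
2017-09-20T12:00:00 10.20.9.8 192.0.2.80 443
"""


def parse_flow_log(text):
    """Turn raw log lines into (timestamp, src, dst, port) tuples; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_callbacks(flows, blocklist=RANSOMWARE_C2_BLOCKLIST):
    """Flag connections from an internal host to a blocklisted destination (a possible malware callback)."""
    alerts = []
    for ts, src, dst, port in flows:
        if ip_address(src) in INTERNAL_NET and dst in blocklist:
            alerts.append({"time": ts, "host": src, "dst": dst, "port": port, "reason": blocklist[dst]})
    return alerts


def repeat_offenders(alerts):
    """Group alerts by host and list the distinct months each host was flagged,
    so a server that keeps tripping the same check is visible as a pattern, not an isolated event."""
    months = defaultdict(set)
    for a in alerts:
        months[a["host"]].add(a["time"].strftime("%Y-%m"))
    return {host: sorted(m) for host, m in months.items()}


def broaden_scope(flows, host):
    """Internal peers that connected to or from the flagged host: the systems that
    should be pulled into triage alongside it rather than left out of scope."""
    peers = set()
    for _, src, dst, _ in flows:
        if src == host and ip_address(dst) in INTERNAL_NET:
            peers.add(dst)
        elif dst == host and ip_address(src) in INTERNAL_NET:
            peers.add(src)
    return peers


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    alerts = find_callbacks(flows)
    for a in alerts:
        print(f"{a['time']:%Y-%m-%d} {a['host']} -> {a['dst']}:{a['port']}  {a['reason']}")
    for host, months in repeat_offenders(alerts).items():
        print(f"{host} flagged in {len(months)} distinct months: {', '.join(months)}")
        print(f"  internal peers to add to triage scope: {sorted(broaden_scope(flows, host))}")
```

Internal hosts are classified by membership in an explicit network range rather than `ip_address(...).is_private`, because Python counts the RFC 5737 documentation ranges as private and the constructed external addresses would otherwise be misread as internal. In practice the peer list from `broaden_scope` is the starting point for the wider review the consultant describes: each peer is checked for the same callback pattern before the incident is closed out as a single-server problem.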

City Council President Felicia Moore told Diamant on Thursday that she’s working to learn more.


“When I first heard of it, I’ve been doing my due diligence to ask our staff to give me any information that may be even remotely related to that,” Moore said.

But as for how the infected council server relates to last week’s massive ransomware attack on the city’s computer network, Moore said there are still many questions.

“No one has given me any firm determination that that was the source,” Moore said.

“Was it the causal factor that spread out and undermined other systems within the city? That part is really for forensic investigators to really find out, but is it related? Absolutely,” UcedaVelez said.

In a statement from the city, a representative told Diamant:

"As challenges around cyber security continue to evolve, we must invest in our infrastructure and remain vigilant in ensuring our security measures continue to match the threats facing us."