The City of Atlanta's 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on.
But as the city government's desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world's busiest airport still could not use the free Wi-Fi.
Atlanta's municipal government has been brought to its knees since Thursday morning by a ransomware attack — one of the most sustained and consequential cyberattacks ever mounted against a major American city.
The digital extortion aimed at Atlanta, which security experts have linked to a shadowy hacking crew known for its careful selection of targets, laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations. In a ransomware attack, malicious software cripples a victim's computer or network and blocks access to important data until a ransom is paid to unlock it.
"We are dealing with a hostage situation," Mayor Keisha Lance Bottoms said this week.
The assault on Atlanta, the core of a metropolitan area of about 6 million people, represented a serious escalation from other recent cyberattacks on American cities, like one last year in Dallas where hackers gained the ability to set off tornado sirens in the middle of the night.
Part of what makes the attack on Atlanta so pernicious are the criminals behind it: A group that locks up its victims' files with encryption, temporarily changes their file names to "I'm sorry" and gives the victims a week to pay up before the files are made permanently inaccessible.
Read more from The New York Times:
Facebook introduces central page for privacy and security settings
To invade homes, tech is trying to get in your kitchen
Waymo, a Google spinoff, ramps up its driverless-car effort
Threat researchers at Dell SecureWorks, the Atlanta-based security firm helping the city respond to the ransomware attack, identified the assailants as the SamSam hacking crew, one of the more prevalent and meticulous of the dozens of active ransomware attack groups. The SamSam group is known for choosing targets that are the most likely to accede to its high ransom demands — typically the Bitcoin equivalent of about $50,000 — and for finding and locking up the victims' most valuable data.
In Atlanta, where officials said the ransom demand amounted to about $51,000, the group left parts of the city's network tied in knots. Some major systems were not affected, including those for 911 calls and control of wastewater treatment. But other arms of city government have been scrambled for days.
The Atlanta Municipal Court has been unable to validate warrants. Police officers have been writing reports by hand. The city has stopped taking employment applications.
Atlanta officials have disclosed few details about the episode or how it happened. They have urged vigilance and tried to reassure employees and residents that their personal information was not believed to have been compromised.
Dell SecureWorks and Cisco Security, which are still working to restore the city's systems, declined to comment on the attacks, citing client confidentiality.
Ms. Bottoms, the mayor, has not said whether the city would pay the ransom.
The SamSam group has been one of the more successful ransomware rings, experts said. It is believed to have extorted more than $1 million from some 30 target organizations in 2018 alone.
It is not ideal to pay up, but in most cases, SamSam's victims have said that they can more easily afford the $50,000 or so in ransom than the time and cost of restoring their locked data and compromised systems. In the past year, the group has taken to attacking hospitals, police departments and universities — targets with money but without the luxury of going off-line for days or weeks for restoration work.
Investigators are not certain who the SamSam hackers are. Judging from the poor English in the group's ransom notes, security researchers believe they are probably not native English speakers. But they cannot say for sure whether SamSam is a single group of cybercriminals or a loose hacking collective.
Ransomware emerged in Eastern Europe in 2009, when cybercriminals started using malicious code to lock up unsuspecting users' machines and then demanding 100 euros or similar sums to unlock them again. Over the past decade, dozens of online cybercriminal outfits — and even some nation states, including North Korea and Russia — have taken up similar tactics on a larger scale, inflicting digital paralysis on victims and demanding increasing amounts of money.
Cybersecurity experts estimate that criminals made more than $1 billion from ransomware in 2016, according to the F.B.I. Then, last May, came the largest ransomware assault recorded so far: North Korean hackers went after tens of thousands of victims in more than 70 countries around the world, forcing Britain's public health system to reject patients, paralyzing computers at Russia's Interior Ministry, at FedEx in the United States, and at shipping lines and telecommunications companies across Europe.
A month later, Russian state hackers deployed similar ransomware to paralyze computers in Ukraine on the eve of the country's independence day. That attack shut down automated teller machines in Kiev, froze government agencies and even forced workers at the Chernobyl nuclear power plant to monitor radiation levels manually. Collateral damage from that attack affected computers at Maersk, the Danish shipping conglomerate; at Merck, the American-based pharmaceutical giant; and even at businesses in Russia.
Attempted ransomware attacks against local governments in the United States have become unnervingly common. A 2016 survey of chief information officers for jurisdictions across the country found that obtaining ransom was the most common purpose of cyberattacks on a city or county government, accounting for nearly one-third of all attacks.
The survey, conducted by the International City/County Management Association and the University of Maryland, Baltimore County, also found that about one-quarter of local governments reported that they were experiencing attacks of one kind or another, successful or not, at least as often as once an hour.
Yet less than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches.
Experts said government officials needed to be more aggressive about preventive measures, like training employees to spot and sidestep "phishing" attempts meant to trick them into opening the digital door for ransomware.
"It's going to be even more important that local governments look for the no-cost/low-cost, but start considering cybersecurity on the same level as public safety," said David Jordan, the chief information security officer for Arlington County, Va. "A smart local government will have fire, police and cybersecurity at the same level."
Ms. Bottoms, who took office as mayor of Atlanta in January, acknowledged that shoring up the city's digital defenses had not been a high priority before, but that now "it certainly has gone to the front of the line."
"As elected officials, it's often quite easy for us to focus on the things that people see, because at the end of the day, our residents are our customers," Ms. Bottoms said. "But we have to really make sure that we continue to focus on the things that people can't see, and digital infrastructure is very important."
During the ransomware attack, local leaders have sometimes been able to do little but chuckle at a predicament that was forcing the city to turn the clock back decades.
Asked on Monday how long the city might be able to get by doing its business strictly with ink and paper, Ms. Bottoms replied: "It was a sustainable model until we got computer systems. It worked for many years. And for some of our younger employees, it will be a nice exercise in good penmanship."
Security researchers trying to combat ransomware have noticed a pattern in SamSam's attacks this year: Some of the biggest have occurred around the 20th of the month.
Allan Liska, a senior intelligence analyst at Recorded Future who has been tracking the group, said in an interview that he believed that SamSam gains access to its victims' systems and then waits for weeks before encrypting the victim's data. That delay, Mr. Liska said, makes it harder for responders to figure out how the group was able to break in — and easier for SamSam's hackers to strike twice.
The Colorado Department of Transportation was able to restore its systems on its own after a SamSam attack, without paying SamSam a dime. But a week later, the hackers struck the department again, with new, more potent ransomware.
"They are constantly learning from their mistakes, modifying their code and then launching the next round of attacks," Mr. Liska said.