Atlanta's Department of Procurement awarded eight "emergency procurement" contracts between March 22 and April 2 for a total of $2,667,328, an investigation by Wired has revealed.
The city spent money on everything from Microsoft Cloud infrastructure repairs, $600,000 for "incident response consulting" from consulting giant Ernst & Young and some $50,000 on "crisis communications" from public relations powerhouse Edelman.
The FBI has a prepared document for guiding chief information security officers in the wake of ransomware attacks like the one sustained by Atlanta. The US government's official position is that it does "not encourage paying a ransom to criminal actors."
However, the FBI notes that all options should be explored after an attack. "Victims will want to evaluate the technical feasibility, timeliness and cost of restarting systems from backup," the FBI says in the "Ransomware Prevention and Response for CISOs" guide. This is the route Atlanta has chosen to follow, attempting a full recovery through its own efforts and the help of contractors instead of paying the hackers.
Still, the FBI notes that paying hackers isn't foolproof. Hackers might refuse to honor a deal even after a ransom is paid, or decide to charge more after receiving an initial payment. Further, "paying could inadvertently encourage this criminal business model."
Decisions are always easier to make in hindsight, but strictly on a cost basis, if Atlanta had paid the hacker and the hacker had followed through, it would have saved taxpayers in Georgia a decent chunk of change.