Soon after Atlanta City Auditor Amanda Noble logged onto her work computer the morning of March 22, she knew something was wrong. The icons on her desktop looked different—in some cases replaced with black rectangles—and she noticed many of the files on her desktop had been renamed with “weapologize” or “imsorry” extensions. Noble called the city’s chief information security officer to report the problem and left a message. Next, she called the help desk and was put on hold for a while. “At that point, I realized that I wasn’t the only one in the office with computer problems,” Noble says.

Those computer problems were part of a high-profile “ransomware” cyberattack on the City of Atlanta that has lasted nearly two weeks and has yet to be fully resolved. During that time the metropolis has struggled to recover encrypted data on employees’ computers and restore services on the municipal Web site. The criminals initially gave the city seven days to pay about $51,000 in the cryptocurrency bitcoin to get the decryption key for their data. That deadline came and went last week, yet several services remain offline, suggesting the city likely did not pay the ransom. City officials would not comment on the matter when contacted by Scientific American.

The Department of Watershed Management, for example, still cannot accept online or telephone payments for water and sewage bills, nor can the Department of Finance issue business licenses through its Web page. The Atlanta Municipal Court has been unable to process ticket payments either online or in person due to the outage and has had to reschedule some of its hearings. The city took down two of its online services voluntarily as a security precaution: the Hartsfield–Jackson Atlanta International Airport wi-fi network and the ability to process service requests via the city’s 311 Web site portal, according to Anne Torres, Atlanta’s director of communications. Both are now back online, with airport wi-fi restored Tuesday morning.

The ransomware used to attack Atlanta is called SamSam. Like most malicious software it typically enters computer networks through software whose security protections have not been updated. When attackers find vulnerabilities in a network, they use the ransomware to encrypt files there and demand payment to unlock them. Earlier this year attackers used a derivative of SamSam to lock up files at Hancock Regional Hospital in Greenfield, Ind. The health care institution paid nearly $50,000 to retrieve patient data. “The SamSam ransomware used to attack Atlanta is interesting because it gets into a network and spreads to multiple computers before locking them up,” says Jake Williams, founder of computer security firm Rendition Infosec. “The victim then has greater incentive to pay a larger ransom in order to regain control of that network of locked computers.”

SamSam has been one of the most successful ransomware programs to date, having pulled in an estimated $850,000 in ransom money since it first appeared in late 2015. By comparison, the WannaCry ransomware that made headlines a year ago when it was used to attack European hospitals, telecoms and railways netted about $140,000 in bitcoin.

The city’s technology department—Atlanta Information Management (AIM)—contacted local law enforcement, along with the FBI, Department of Homeland Security, Secret Service and independent forensic experts to help assess the damage and investigate the attack. The attackers set up an online payment portal for the city but soon took the site offline after a local television station published a screen shot of the ransom note, which included a link to the bitcoin wallet meant to collect the ransom.

Several clues indicate Atlanta likely did not pay the attackers, Williams says. “Ransomware gangs typically cut off communications once their victims get law enforcement involved,” he says. “Atlanta made it clear at a press conference soon after the malware was detected” that they had done so. The length of time it has taken to slowly bring services back online also suggests the cyber criminals abandoned Atlanta without decrypting the city’s files, Williams says. “If that’s the case, the city’s IT staff spent the past week rebuilding Atlanta’s online systems using backed-up data that had not been hit by the ransomware,” he says, adding that any data not backed up is likely “lost for good.”

“If the city had paid the ransom, I would have expected them to bring up systems more quickly than they have done,” says Justin Cappos, a professor of computer science and engineering at New York University’s Tandon School of Engineering. “Assuming the city did not pay the ransom, their ability to recover their systems at all shows that they at least did a good job backing up their data.”

One silver lining in the cloud hanging over Atlanta’s computer network—it is unlikely the attackers targeted Atlanta specifically, Williams says. The attackers likely were out on the internet looking for vulnerable computers to attack when they stumbled onto Atlanta’s network and the ransomware automatically encrypted its data. That might explain why they attacked Atlanta and then went quiet after law enforcement got involved, he adds. “They weren’t necessarily looking to exploit a large city and it wasn’t worth possibly getting caught,” Williams says. Baltimore officials came to a similar conclusion last week after a ransomware attack took down the city’s computer-aided dispatch system for 911 and 311 calls. Baltimore’s technology staff attributed the attack to opportunistic hackers who took advantage of inadvertent changes made to a firewall meant to protect the city’s network that instead left it vulnerable for about 24 hours.

City Auditor Noble has been using her personal laptop and city-issued mobile phone to do her job since the ransomware struck. As of Tuesday afternoon she had not tried to use her work computer although AIM gave city employees the go-ahead to use their machines last week. As part of the recovery employees were told last Wednesday to reboot their computers and change their passwords, Noble says.

People concerned about ransomware locking up their work or personal computers should back up their data, not just on a network service like Google Drive or Apple’s iCloud but on an actual hard disk that can be disconnected from their computer, Cappos says. The ransomware attacks against Atlanta, Baltimore and other municipalities should cause cities think about whether they would fare any better in the same situation, Williams says, adding, “If it can happen to them, it could happen to you, too.”