KNOXVILLE, Tennessee — Countering the underworld hackers who hijacked Knoxville's computer network won't be cheap for the city -- and perhaps Knoxville taxpayers.
Contracts for professional services obtained by 10News show two firms hired by the city charge hundreds of dollars an hour for consultation and expertise. Just how high the bills will go remains to be seen.
Attackers broke into the city system early June 11. Since then the city slowly has been trying to recover. The police department announced this week it finally had gone back to normal protocols when responding to non-injury accidents after previously being unable to prepare computer reports from the field.
The city has been guarded and canned in its public reports about progress. It said early on that it appeared employees files hadn't been compromised in the ransomware hit, but the invaders have posted internal city records on the dark web that include worker names, addresses, contacts and pay rates.
Within hours of the attack, the city hired a law firm -- Mullen Coughlin of Wayne, Pa. -- and cyber specialists CrowdStrike Services Inc. of California, records show.
CrowdStrike's agreement specifies costs; Mullen Coughlin's agreement specifies rates.
The city has not yet received any billings, according to assistant communications director Eric Vreeland.
Mullen Coughlin will "investigate, provide legal advice and otherwise assist with response to a potential data security incident," the city contract states. It's been assisting with matters that include public response to the attack.
It's hourly rates include $380 for a partner, $320 for an associate and $140 for a paralegal's services. They bill in 6-minute increments.
Under the terms of the agreement, CrowdStrike will charge for 40 hours at a minimum.
It'll charge $450 an hour for each consultant's work. Its estimated "level of effort" at the time of the contract was a required 250 hours for triage, resulting in an estimated total of $112,500.
CrowdStrike will "assist (the city) with responding to a suspected computer security incident," its agreement states.
Its work will include using its in-house technical tools to analyze what happened, what was affected, how to combat the attack, and what steps to take going forward.
Time spent on travel will be charged at $225 per person per hour.
The attackers have demanded an undisclosed ransom. The city has said it doesn't plan to pay.
Brett Callow, a threat analyst for the online security firm Emsisoft, told 10News the attacker appears to be a group using what's known as DoppelPaymer ransomware.
Last July, CrowdStrike discussed DoppelPaymer in a blog post and said in fact it had dubbed it that.
"We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation."
Cities hit by malware end up paying thousands and sometimes millions of dollars to recover.
According to Callow, Knoxville is at least the fourth U.S. city to have its data stolen via DoppelPaymer. Others are Pensacola, Fla., Torrance, Calif., and Florence, Ala.