WatchPoint Security Blog

Baltimore City Government Still Recovering from Ransomware Attack

Written by Jordan Kadlec | May 24, 2019

On May 7, an unknown hacker group infected Baltimore’s city government with the RobbinHood ransomware variant. Over two weeks later, the city is still unable to provide basic city services, and according to Mayor Bernard C. “Jack” Young, a full recovery could take months.

RobbinHood Ransomware

The RobbinHood ransomware is the latest player in the ransomware scene. It is deployed through hacked remote desktop services or through other Trojans that give the hackers access. While most ransomware infections of cities result from targeted attacks, it’s believed that the creators of RobbinHood scanned a large number of online systems for vulnerabilities to exploit and came across one in Baltimore’s remote access to computers. Baltimore isn’t the first city to be infected by RobbinHood, however. On April 10, city officials in Greenville, N.C., discovered that they were infected with the ransomware. In this attack, the city declined to pay the ransom, and the attack remains under investigation by the F.B.I.

RobbinHood’s Attack on Baltimore

RobbinHood’s attack on Baltimore infected over 10,000 computers and caused voicemail and email outages, forcing city workers to do what work they can from personal laptops and email accounts. Further damage includes police surveillance cameras that are shut down and utilities payment systems that were forced offline. The city’s real estate market was effectively shut down for two weeks, leaving at least 1,500 pending home sales delayed.

The hackers behind the attack are demanding three Bitcoins (about $24,000) per system infected or 13 Bitcoins (about $102,000) for them all.

Baltimore’s Response to the Ransomware Attack

Believe it or not, this isn’t Baltimore’s first rodeo when it comes to ransomware attacks. In 2018, a ransomware attack shut down for several hours the automated system that city emergency workers use to locate people who call 911 and pinpoint the nearest police car or ambulance. Even after this attack, Baltimore refused to increase its cybersecurity budget.

“According to a 2018 strategy document, Baltimore spends about half of what other cities budget for IT, and the Office of Information Technology only controls about 1 percent of the total budget,” Ars Technica’s IT editor and national security editor Sean Gallagher commented. “The city also burned through four IT chiefs who were all fired or forced to resign within five years before Chief Information Technology Officer Frank Johnson took the helm in 2017.”

Failing to allocate a sufficient budget to your information technology or security team, especially given the number of cities that have suffered ransomware attacks of late, is ignorant. However, failing to increase your cybersecurity measures and spending after becoming a victim of a ransomware attack a year before is the definition of negligent.

“Gov (government) math is funny: won’t budget $ for prevention but always find $$$ for recovery…”

  • Maurice Turner via Twitter (@TypeMRT)

How accurate is that tweet? Ransomware attacks on cities are a major problem across the United States. However, it appears no one is listening. Since 2013, there have been more than 170 ransomware attacks that hit state and local governments. Once ransomware attackers realize they’ve compromised a city, they often take advantage of that fact by targeting the most sensitive or valuable data to encrypt. Perhaps the most well-known ransomware attack on a city came last year when Atlanta’s systems were crippled. Since the attack, Atlanta has spent over $10 million to clean and restore its systems. Think about that: the city could have allocated over $1 million a year for 10 years to prevent the attack; instead, it is using taxpayers’ money to recover. Perhaps other cities will do the math and start reaching into their pockets for preventative measures instead of waiting until it’s too late.

Photo courtesy of BoingBoing.net