NOTE: CNS WILL CONTINUE TO UPDATE THIS STORY AS IT DEVELOPS (*Last updated: June 14, 2019/9:30 a.m. PST)
Most honest Americans learned about burner phones from the HBO series The Wire, a crime drama set in Baltimore. In The Wire, criminals used these disposable phones to stay one step ahead of law enforcement surveillance. The Wire went off the air in 2008, but the more things changed since then, the more they stayed the same.
Today’s cyber criminals still use advanced technology to evade detection, but their tools and tactics are infinitely more advanced. Even worse, these cyber criminals don’t just care about filling their pockets. They use their next-generation technology and sophisticated social engineering methods to attack public institutions across the country, including the City of Baltimore.
Baltimore Ransomware Attack Details
On May 7, 2019, Baltimore became the latest, as well as one of the largest, American cities to suffer a malicious ransomware attack. Ransomware infects a computer system, usually through a phishing email or a cyber security vulnerability, then encrypts essential files. The venerable CBS News program 60 Minutes even did a story about ransomware attacks earlier this month.
The files then get ransomed back to the owner for a steep price, with hackers usually demanding payment in Bitcoin. In the case of the Baltimore hack, the criminals demanded a ransom of 13 Bitcoins, roughly equal to $100,000. Until the situation gets resolved, the city’s 7,000 end-users remain offline, shut off from the infected network.
Cities Under Siege
Cyber attacks on city, county and state governments have been rising for years, and the problem is only getting worse. Cybersecurity Ventures estimates that cybercrime will be a $6 trillion industry by 2021. Meanwhile, we’re less than halfway through 2019, and a whopping 22 known cyber attacks have already been leveled against city governments.
Most of those attacks affected smaller cities, so they went unnoticed by the general public. However, Baltimore is the largest city in Maryland, with a population of over 600,000 people inside city limits, and nearly 3,000,000 in the metropolitan area. Baltimore is also the second-largest seaport in the mid-Atlantic. You can’t shut down a city the size of Baltimore without people noticing.
Of course, if hackers can lock down a city as big as Baltimore, imagine what they can do to a small business. This is not even the first time that Baltimore got attacked, as ransomware shut down the city’s 911 and emergency dispatch system for 17 hours in 2018.
In this article, we will answer questions about the ongoing recovery and investigation in Baltimore. Additionally, we will reveal the three ways to protect your IT network against a ransomware attack.
When did the Baltimore cyber attack start?
It is not yet known when the virus entered the City of Baltimore’s computer network. Many computer viruses infect a system and lay low for several months, gathering information in anticipation of the real attack. However, we do know that the ransomware got triggered in the early hours of Tuesday, May 7, when access to city emails, phones and other network services suddenly got shut down.
How did the hackers breach the Baltimore computer system?
The hackers used a highly advanced ransomware virus known as RobbinHood. This is the same virus used last month in the ransomware attack on the city of Greenville, North Carolina. RobbinHood prevents people from accessing server data without a digital key held by the hackers.
How did the city react to the attack?
As soon as Baltimore officials recognized the extent of the threat, the city took their servers down and quarantined the virus. This action prevented the malware from spreading any further. However, it also locked employees out of the city network and email accounts, while also crippling most city payment services.
UPDATE: According to a transcript of a May 22 meeting of the Maryland Cybersecurity Council, the state’s chief information security officer said that the city kept state officials “at arm’s length” in the early days of the attack.
What Baltimore city services got affected?
According to a May 22 story in The New York Times, the ransomware “took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations.” Therefore, the city was forced to start delivering certain municipal services through manual means.
Thankfully, the city continued to provide emergency services throughout the crisis, while also searching for offline methods of conducting other types of business. For example, the lack of network access delayed over 1,500 pending home sales. According to The Baltimore Sun, it took two weeks for city and real estate officials to “develop a manual workaround to check for liens and record deeds.” This slowdown caused home sales in the city to plummet by 18 percent during May.
*UPDATE: Even though most city employees regained network and email access, certain Baltimore city services remain impacted by the ransomware attack. For example, the city does not expect to send out water bills in June, meaning that Baltimore citizens will likely receive two months’ worth of charges in July.
Who is behind the Baltimore ransomware attack?
The FBI and the Secret Service are assisting in the investigation of the Baltimore ransomware incident. However, as of publication time, we still don’t know who deployed the ransomware. In an unnerving twist, though, The New York Times linked the Baltimore cyber attack to a stolen NSA tool called EternalBlue. The tool exploits a security hole that Microsoft patched two years ago, but according to nextgov.com, the city never updated their software. However, the NSA disputes that the cyber weapon got used in the Baltimore ransomware attack.
Did Baltimore receive any warnings about security vulnerabilities?
In an undated report obtained by The Baltimore Sun, the city’s information technology office warned about out-of-date computer systems, calling them “a natural target for hackers and path for more attacks on the system.”
Could the Baltimore cyber attack have been prevented?
Ars Technica recently reported that at a budget hearing last year, the city’s information security manager recommended allocating funds to train employees in cyber security awareness. However, those funds did not get included in the budget, so the training never happened. The budget also did not include requested monies for additional cyber security investments. One of those rejected investments: a cyber insurance policy that could have helped pay for damages.
When will the city of Baltimore come back online?
Baltimore City emails started coming back online this week, with public safety agencies getting the priority treatment. However, city officials say that it could take months to get the entire network safely back online. Baltimore is taking a deliberate approach, rebuilding IT systems and installing enhanced security tools to prevent further attacks. To that end, the city contracted with cyber security experts to help investigate the attack and reestablish city services.
On June 4, Baltimore city officials claimed that 90 percent of employees would regain access to government email accounts by the end of the week. However, The Baltimore Sun reported on June 10 that only 65 percent of employees recovered access.
*UPDATE: As of June 12, 70 percent of city employees were back online, and officials expect 95 percent recovery by the end of the week.
Should Baltimore pay the ransom?
Experts seem divided on this point. On the one hand, it will cost the city of Baltimore more to restore their computer systems than the $100,000 ransom payment. Mayor Bernard Young openly considered paying the ransom, if only to get the city back online. However, according to a 2018 report by security firm SentinelOne, only 26 percent of ransomware-affected companies that paid the ransom got their files back. Furthermore, 73 percent of organizations that give in to the hackers’ demands got attacked again.
How much will the cyber attack cost Baltimore?
Mayor Young announced on Wednesday that the City of Baltimore already spent $4.6 million responding to the May 7 ransomware attack. Meanwhile, the city’s budget office estimates that the entire recovery effort will cost the city at least $18.2 million.
Why do hackers want Bitcoin instead of money?
As reported on 60 Minutes, cyber criminals don’t want a cash payment or money transfer. Instead, ransomware attackers usually demand payment in the form of a cryptocurrency like Bitcoin. Electronic cash like Bitcoin is harder to trace, and it also makes it easier for hackers to automate the entire process. It’s important to remember that rather than going after specific targets, most ransomware applications scan the internet blindly, looking for any vulnerable networks.
What could happen if Baltimore doesn’t get their files back?
The city is currently scrambling to get back online before the new fiscal year begins on July 1. If they don’t, it will be a challenge to ensure that property tax bills get issued correctly. Also, there are concerns that some public records could disappear forever.
What other American cities recently got hit with ransomware attacks?
According to the 60 Minutes report, more than one-quarter of U.S. cities and counties have suffered a cyber attack. In addition to the Greenville attack in April and a devastating ransomware attack on Atlanta in 2018, other recent examples of attacked cities include:
- Albany, NY
- Stuart, FL
- Imperial County, CA
- Garfield County, UT
- Amarillo, TX
That list doesn’t include the dozens of attacks on airports, transit systems and hospitals in recent years.
Why are hackers targeting public institutions?
The mass data breaches at giant corporations like Equifax and Marriott grab all the headlines, but hackers don’t discriminate. Government institutions have more money to spend and a greater urgency to pay the ransom. They also tend to have weaker cyber security defenses than private sector companies.
How can you protect your business network from ransomware attacks?
There are three main ways to protect your network from a ransomware attack:
- Regular and monitored software updates to patch security holes
- Local backups to prevent data loss and ensure a quick recovery
- Security awareness training to help employees recognize phishing attacks
At Capital Network Solutions, we can help with all three. As the premier managed service provider in Northern California, CNS offers over three decades of experience securing the networks of Sacramento area businesses. Our ironclad managed IT service plan puts your system in the hands of trained and certified experts. If you want to keep your business out of the headlines, call Capital Network Solutions at (916) 366-6566.