Most honest Americans learned about burner phones from the HBO series The Wire, a crime drama set in Baltimore.  In The Wire, criminals used these disposable phones to stay one step ahead of law enforcement surveillance.  The Wire went off the air in 2008, but the more things changed since then, the more they stayed the same.

Today’s cybercriminals still use advanced technology to evade detection, but their tools and tactics are infinitely more advanced.  Even worse, these online criminals don’t just care about filling their pockets.  They use their next-generation technology and sophisticated social engineering methods to attack public institutions across the country, including the City of Baltimore.

2019 Baltimore Ransomware Attack Details

On May 7, 2019, Baltimore became the latest, as well as one of the largest American cities to suffer a malicious ransomware attack.  Ransomware infects a computer system, usually through a phishing email or a cybersecurity vulnerability, then encrypts essential files.  The venerable CBS News program 60 Minutes even did a story about ransomware attacks earlier this month.

The files then get ransomed back to the owner for a steep price, with hackers usually demanding payment in Bitcoin.  In the case of the Baltimore hack, the criminals demanded a ransom of 13 Bitcoins, roughly equal to $100,000.  Until the situation gets resolved, the city’s 7,000 end-users remain offline, shut off from the infected network.

Cities Under Siege

Cyber attacks on city, county and state governments are on the rise. Cybersecurity Ventures estimates that cybercrime will be a $6 trillion industry by 2021.  Meanwhile, we’re less than halfway through 2019, and already a whopping 22 known cyber attacks got leveled on city governments.

Most of those attacks affected smaller cities, so they went unnoticed by the general public.  However, Baltimore is the largest city in Maryland, with a population of over 600,000 people inside city limits and nearly 3,000,000 in the metropolitan area.  Baltimore is also the second-largest seaport in the mid-Atlantic.  You can’t shut down a city the size of Baltimore without people noticing.

Of course, if hackers can lock down a city as big as Baltimore, imagine what they can do to a small business.  This incident is not even the first time that Baltimore got attacked, as ransomware shut down the city’s 911 and emergency dispatch system for 17 hours in 2018.

In this article, we will answer questions about the ongoing recovery and investigation in Baltimore.  Additionally, we will reveal the three ways to protect your IT network against a ransomware attack.

When did the Baltimore ransomware attack start?

We do not yet know when the virus entered the City of Baltimore’s computer network.  Many computer viruses infect a system and lay low for several months, gathering information in anticipation of the real attack.  However, we do know that the ransomware got triggered in the early hours of Tuesday, May 7, when access to city emails, phones and other network services suddenly got shut down. The hackers even taunted city officials through a Twitter account.

How did the hackers breach the Baltimore computer system?

The hackers used a highly advanced ransomware virus known as RobbinHood.  This virus is the same one used the previous month in a ransomware attack on the city of Greenville, North Carolina.  RobbinHood prevents people from accessing server data without a digital key held by the hackers.

According to Microsoft, a RobbinHood attack doesn’t end with removal. “RobbinHood operators leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.”

How did the city react to the attack?

As soon as Baltimore officials recognized the threat, the city took their servers down and quarantined the virus.  This action prevented the malware from spreading any further.  However, it also locked employees out of the city network and email accounts, while crippling most city payment services.

According to a transcript of a May 22 meeting of the Maryland Cybersecurity Council, the state’s chief information security officer said that the city kept state officials “at arm’s length” in the early days of the attack.

What Baltimore city services got affected?

According to a May 22 story in The New York Times, the ransomware “took down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations.” Therefore, the city started delivering certain municipal services through manual means.

Thankfully, the city continued to provide emergency services throughout the crisis, while also searching for offline methods of conducting other types of business.  For example, the lack of network access delayed over 1,500 pending home sales.  According to The Baltimore Sun, it took two weeks for city and real estate officials to “develop a manual workaround to check for liens and record deeds.” This slowdown caused home sales in the city to plummet by 18 percent during May.

Even though most city employees regained network and email access, certain Baltimore city services remain impacted by the ransomware attack.  For example, the city does not expect to send out water bills in June.

*UPDATE: It turns out that the Baltimore data breach also affected the services of the county government, not just the city government.  Due to damage to the city’s online water billing system, the county could not validate sewer charges for 14,000 residents.  The affected customers will receive letters explaining the sewer charges that will show up on their 2019 property tax bills.

Who was behind the Baltimore ransomware attack?

The FBI and the Secret Service are assisting in the investigation of the Baltimore ransomware incident.  However, as of publication time, we still don’t know who deployed the ransomware.  In an unnerving twist, though, The New York Times linked the Baltimore cyber attack to a stolen NSA tool called EternalBlue.  The device exploits a security hole that Microsoft patched two years ago, but according to nextgov.com, the city never updated their software.  However, the NSA disputes that the cyber weapon got used in the Baltimore ransomware attack.

Did Baltimore receive any warnings about security vulnerabilities?

In an un-dated report obtained by The Baltimore Sun, the city’s information technology office warned about out-of-date computer systems, calling them “a natural target for hackers and path for more attacks on the system.”

Was the attack preventable?

Ars Technica recently reported that at a budget hearing last year, the city’s information security manager recommended allocating funds to train employees in cybersecurity awareness.  However, those funds did not get included in the budget, so the training never happened.  The budget also did not include requested monies for additional cybersecurity investments.  One of those rejected investments: a cyber insurance policy that could have helped pay for damages. Meanwhile, the attack cost the Baltimore City chief information officer his job in October.

When did the city of Baltimore come back online?

Baltimore City emails started coming back online this week, with public safety agencies getting the priority treatment.  However, city officials say that it could take months to get the entire network safely back online.  Baltimore will take a deliberate approach, rebuilding IT systems and installing enhanced security tools to prevent further attacks.  To that end, the city contracted with cybersecurity experts to help investigate the attack and reestablish city services.

On June 4, Baltimore city officials claimed that 90 percent of employees would regain access to government email accounts by the end of the week.  However, The Baltimore Sun reported on June 10 that only 65 percent of employees recovered access.

As of June 12, 70 percent of city employees were back online, and officials expect 95 percent recovery by the end of the week.

Should Baltimore have paid the ransom?

Experts seem divided on this point.  On the one hand, it will cost the city of Baltimore more to restore their computer systems than the $100,000 ransom payment.  Mayor Bernard Young openly considered paying the ransom, if only to get the city back online.  However, according to a 2018 report by security firm Sentinel One, only 26 percent of ransomware-affected companies that paid the ransom got their files back.  Furthermore, 73 percent of organizations that give into the hackers’ demands got attacked again.

How much did the cyberattack cost Baltimore?

Mayor Young announced on Wednesday that the City of Baltimore already spent $4.6 million responding to the May 7 ransomware attack.  Meanwhile, the city’s budget office estimates that the entire recovery effort will cost the city at least $18.2 million.

In January, Maryland legislators introduced a bill that would criminalize possessing “ransomware with the intent to use it.”

Why do hackers want BitCoin instead of money?

As reported on 60 Minutes, cybercriminals don’t want a cash payment or money transfer.  Instead, ransomware attackers usually demand payment in the form of a cryptocurrency like Bitcoin.  Electronic cash like Bitcoin is harder to trace, and it also makes it easier for hackers to automate the entire process. It’s important to remember that rather than going after specific targets, most ransomware applications scan the internet blindly, looking for any vulnerable networks.

What could happen if Baltimore doesn’t get their files back?

The city is currently scrambling to get back online before the new fiscal year begins on July 1.  If they don’t, it will be a challenge to ensure that property tax bills get issued correctly.  Also, there are concerns that some public records could disappear forever.

What other American cities recently got hit with ransomware attacks?

According to the 60 Minutes report, more than one-quarter of U.S. cities and counties have suffered a cyber attack.  In addition to the Greenville attack in April and a devastating ransomware attack on Atlanta in 2018, other recent examples of attacked cities include:

• Albany, NY
• Stuart, FL
• Imperial County, CA
• Garfield County, UT
• Amarillo, TX

That list doesn’t include the dozens of attacks on airports, transit systems and hospitals in recent years.

Why are hackers targeting public institutions?

The mass data breaches at giant corporations like Equifax and Marriott grab all the headlines, but hackers don’t discriminate.  Government institutions have more money to spend and a greater urgency to pay the ransom.  They also tend to have weaker cybersecurity defenses than private sector companies.

How can you protect your business network from ransomware attacks?

There are three main ways to protect your network from a ransomware attack:

• Regular and monitored software updates to patch security holes.
• Local backups to prevent data loss and ensure a quick recovery.
• Security awareness training to help employees recognize phishing attacks.

At Capital Network Solutions, we can help with all three.  As the premier managed service provider in Northern California, CNS offers over three decades of experience securing the networks of Sacramento area businesses.  Our ironclad managed IT service plan puts your system in the hands of trained and certified experts.

If you want to keep your business out of the headlines, call Capital Network Solutions at (916) 366-6566.