Data Protection Tool

What really happened in the Baltimore ransomware attack?

Picture of Tracy Rock

Tracy Rock

Director of Marketing @ Invenio IT



It’s been more than a month since a nasty ransomware infection hobbled the City of Baltimore, disrupting almost every aspect of the city’s operations, including police communications, court systems and the local property market.

And it’s not over yet.

Baltimore is still recovering from the attack, and officials say it could be several more months before all systems are fully restored. City employees say the recovery could cost at least $18 million. But they’ve been mum about some of the most significant details, like who might be behind the attack and what data has been lost.

Here’s what we know so far.

When did the Baltimore ransomware attack happen?

The attack occurred during the early hours of Tuesday, May 7, 2019.

The first clues surfaced shortly before 9 a.m., when Baltimore’s Department of Public Works announced on Twitter that “Email service is down.” By 1 p.m., the department said its phone lines had also been taken down.

Shortly after 2 p.m., Baltimore Mayor Bernard Young was one of the first officials to confirm the severity of the attack, writing on Twitter, “Baltimore City core essential services (police, fire, EMS and 311) are still operational but it has been determined that the city’s network has been infected with a ransomware virus. City employees are working diligently to determine the source and extent of the infection.”

Young said there was no evidence that any personal data had been stolen by the attackers, but “Out of an abundance of precaution, the city has shut down the majority of its servers.”

Some of those servers still remain offline today.

What was the impact?

While essential services like police were “still operational,” nearly every department was disrupted by the attack.

With the majority of servers shut down, city employees lost access to email; court records could not be accessed; residents could not pay bills, parking tickets or taxes (online or in person); and non-emergency police communications systems were knocked offline.

The attack also temporarily froze the Baltimore property market. Property buyers and sellers were unable to access certificates from the city showing that properties did not have liens. And without those liens, title insurance companies were unwilling to move forward with real estate transactions.

Law enforcement personnel also could not communicate with prosecutors, delaying court proceedings.

What’s the status now?

More than a month later, the city is still struggling to restore its systems. Email has been only partially restored for some departments. A message at the top of the city’s website reads: “The City of Baltimore is currently unable to send or receive email.”

City employees are slowly being allowed back into their computers. On a FAQ page, the city states that it is focusing on restoring the most critical departments first: “We are prioritizing public safety agencies and are working on other agencies simultaneously. A pilot was successfully implemented and we are rolling that solution out citywide. This is an ongoing process in our efforts to restore our network and applications in a safe and secure manner.”

RobbinHood strikes again

As the infection spread, city computers displayed a ransom note identifying the ransomware as Robbinhood, according to The Baltimore Sun. If true, that would make it the same strain of ransomware that disrupted the City of Greenville, North Carolina, a month earlier. In that attack, the majority of Greenville’s 800 computers were infected and needed to be restored individually from backups.

In a ransomware attack, attackers use malware to encrypt computer files and demand the victims pay a ransom to restore them. Without the decryption key, the files typically can’t be accessed again. But even if victims pay the ransom, there’s no guarantee that they’ll actually receive the decryption key as promised.

A $76,000 ransom demand

In the Baltimore ransomware attack, hackers demanded 13 Bitcoin, valued at roughly $76,280.

In typical ransomware style, the attackers upped the stakes by threatening to increase the ransom in four days. And if they didn’t receive payment within 10 days, the files would be permanently deleted.

According to the Sun, the ransom note read: “We won’t talk more, all we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

During a city council meeting last week, solicitor Andre Davis said the city “thoroughly examined” the prospects of paying the ransom “at the highest levels of city government with experts, with law enforcement.”

But ultimately, the city refused.

An $18 million recovery

With data still encrypted and many computers inaccessible, the city has no choice but to slog through a long, tedious recovery. It won’t be cheap.

The city’s budget office has provided a preliminary estimate of $18.2 million, but the final cost of the attack could end up much higher. The city has already spent $5 million on recovery efforts so far. And it reportedly has no insurance to cover the costs of a cyberattack, unlike the city of Atlanta, which faced its own $17+ million ransomware attack in 2018.

Why didn’t Baltimore just pay up?

That is the million-dollar question (or rather the $18 million question).

Baltimore likely made the right choice in not paying the ransom.

The ransomware market has proliferated over the last few years precisely because victims are intimidated into paying the ransom. Attackers make their ransom demand affordable, so that it seems a nominal price to pay in comparison to losing data forever (or undergoing a lengthy recovery). But there’s no guarantee that the files will be restored, and paying the ransom only serves to make these crimes a profitable enterprise for attackers.

Baltimore officials have been explicit about the reasons why they didn’t pay up. On a FAQ page about the attack, the city explains:

·      There is no guarantee [the attackers] can or will unlock our system

·      There is no way of tracking the payment or even being able to confirm who we are paying the money to, because of the way they requested the payment

·      There is no way of knowing if [the attackers] are leaving other malware on our system to hold us for ransom again in the future

Second attack in 2 years

This isn’t the first time Baltimore has experienced a ransomware attack.

In March 2018—just 14 months earlier—the city’s 9-1-1 dispatch system was “hacked” for 17 hours in what was later revealed to be a ransomware attack. Fortunately, the dispatch was not taken offline. Emergency 9-1-1 calls could still be made. However, it disrupted the communication between dispatchers and responders. Dispatchers had to use a more manual process to relay details to responders, instead of transmitting it electronically.

According to The Baltimore Sun, the city’s computer security chief admitted last year that her department’s budget was “stretched thin” after the attack on the 9-1-1 system. This led to discussions about the need to “upgrade firewall defenses at the perimeter of the network.”

A tumultuous time for Baltimore

Baltimore’s ransomware attack comes on the heels of a major shakeup among city government. Mayor Young had only been in office for a few days, after former mayor Catherine Pugh was forced to resign amidst a corruption investigation.

Ars Technica also reports that the city’s IT department has faced near constant turnover in the last several years, particularly among leadership. Four consecutive chief information officers were fired or forced to resign over a period of five years.

Eternal (Blue) confusion

In the wake of the attack, there have been conflicting reports about the nature of the malware and how it infiltrated the city’s network. Some organizations have reported that the attackers used an exploit known as EternalBlue – the same tool that led to the global WannaCry and NotPetya attacks of 2017.

EternalBlue was originally an NSA-developed tool that was capable of infiltrating vulnerable Windows systems. The tool was leaked in 2017 and then promptly leveraged by hackers to deliver ransomware to hundreds of thousands of computers around the world.

The New York Times reported on May 25 that EternalBlue was behind the Baltimore ransomware attack. This led to city officials demanding more federal aid to help pay for the recovery. However, the NSA later denied that EternalBlue had been used in the attack, at least not initially.

According to the Times, cybersecurity experts now believe that “hackers broke in through an open server in Baltimore’s network, installed a back door and then used EternalBlue to move across the city’s computers searching for valuable servers to infect.”

Some news organizations have also reported that the initial infection was caused by a phishing attack on a city employee – the most common method of ransomware delivery.

Unanswered questions

There are still many elements to this attack that we don’t know about. Baltimore has been cooperating with an FBI investigation into the origins of the attack, but officials have not provided many specifics.

For example, we don’t know who might have been behind the attack, whether it’s a known hacking group, state-sponsored cybercriminals or an individual hacker.

We also don’t know much about Baltimore’s data backup systems, which would be the city’s most critical tool for recovering lost files. In a ransomware attack, organizations can use data backups to revert to a clean recovery point before the infection occurred. This effectively removes the threat while also restoring data back to normal.

Mayor Young has said the city does have backups, but we don’t know how many, where they were implemented or whether those backups are viable.

City officials have also refused to comment on whether an official disaster recovery plan was in place. If there wasn’t, the city could have a very long recovery ahead of them.

Get more information

For more information on how you can protect your critical data from ransomware and other threats, request a free demo of BC/DR solutions from Datto. Contact our business continuity experts at (646) 395-1170.

Get the Ultimate Cybersecurity Handbook for Employees
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles