The Curious Case of the Baltimore Ransomware Attack: What You Need to Know

Hackers Are Targeting Governmental Agencies. Learn How to Stay One Step Ahead.

Nowadays, cybercriminals are becoming increasingly hooked on big game hunting. Public institutions ranging from educational facilities to governmental agencies seem to be their favorite targets. One of the most notable instances of the latter in recent history was the Baltimore ransomware attack.
 
Even though the attack took place in May 2019, there is a lot still to be learned from the Baltimore ransomware case today. In this article, I will present a timeline of the events that unfolded in the wake of the infection, as well as answer the most pressing question in any situation like this: did Baltimore city pay the ransom?

Plus, if you want to learn how to prevent a ransomware attack in your institution, keep on reading. I’ll get into that as well.

Baltimore Ransomware Attack: A Timeline

The Baltimore ransomware attack wasn’t RobbinHood’s first rodeo with local government. On April 10 of the same year, hackers targeted the North American city of Greenville, North Carolina. A police officer was the first to ring the alarm on the infection, which prompted the IT team to take most servers offline. Officials announced the incident on the town’s official Facebook page.

In Baltimore, the infection gained more traction in the press as it coincided with a tricky political situation for the city. At the beginning of May, Mayor Catherine Pugh stepped down after a three-year stint at the helm of the administration.

Pugh’s resignation came as no surprise, as she was in the midst of a scandal that saw her lend political favors to several organizations in exchange for the wholesale purchase of her self-published children’s book. This resulted in criminal charges for the former Mayor, who was later on indicted on eleven counts of fraud, tax evasion, conspiracy, and other related transgressions in November 2019.

By February 2020, Catherine Pugh had been sentenced to three years in prison and another three on probation. Bernard C. Young was appointed to replace her on May 9, 2019, two days after the original ransomware infection and one week after her resignation.

Below, I have compiled a timeline of events reported on for two months by reputable Baltimore-based and country-wide publications alike. In the following lines, I will go over the specific moment of infection, as well as the aftermath of the attack and the lengthy restoration process that followed. This incident was not without its fair share of controversy, so prepare for some drama as well.

May 2019

May 7

As per the Baltimore Sun, the first signs indicating that Baltimore was the victim of a cyberattack appeared on the morning of May 7th, at 8:54 a.m. It was then that the Department of Public Works tweeted about its email service being down. Later the same day, the same institution announced to the public that its phone lines had also been affected.

The Department of Transportation was the second organization to suffer damages that day at one of its impound lots. There, employees found themselves unable to process vehicles. What is more, most of the city’s departments found their email systems unresponsive.

It soon became clear that another Baltimore ransomware attack was afoot after a similar attempt took emergency phone lines offline in 2018. Fortunately, 911 and 311 services were not affected this time around. With assistance from the local FBI unit, city investigators managed to quarantine the strain, which they identified as the RobbinHood ransomware.

Nonetheless, the hackers got a hold of the city’s entire online infrastructure and held it for ransom. They demanded that the city pay 3 Bitcoin for each system to be unlocked or 13 Bitcoin for the whole lot of them. This amounted to approximately $76,280 in total.

The note also mentioned that the ransom would be raised by $10,000 each day starting May 11. Moreover, the cybercriminals behind the operation threatened that the city would lose all its data permanently within ten days of the initial attack.

May 9

Newcomer Mayor Bernard C. Young came out with an official statement, informing local media that all city employees were forced to replace their computerized activities with manual processes. This gave Baltimore’s IT teams the necessary framework to fix the problem offline. City tech experts worked with the FBI, Microsoft, and other organizations to mitigate the issue.

However, the city’s official card payment system and debt checking application were also rendered inaccessible in the meantime. This reverted property tax payment, as well as the imbursement of other fees back to the (frustrating) bureaucratic times of pen and paper. During this timeframe, citizens had to send certified cheques or money orders, then match them to physical copies.

May 15

A little over one week after the initial operation, the full extent of the damage inflicted by the hack was made known to the public. According to a list put together by the Baltimore Sun, the following state agencies and departments were impaired by the RobbinHood ransomware attack:
  • Baltimore City Council
  • Board of Elections
  • Baltimore Police Department
  • Department of Transportation
  • Department of Public Works
  • Department of Finance
  • Recreation and Parks
  • Legislative Reference
  • Archives and Records Management
  • Office of Sustainability
  • Department of Housing and Community Development
  • Baltimore Animal Rescue and Care Shelter
  • Baltimore Development Corporation
  • Board of Municipal and Zoning Appeals
  • Office of Promotion and the Arts
Nonetheless, on the same day city officials informed residents that it was safe to access local governmental websites.

May 17

Mayor Bernard C. Young published an official press release on the Baltimore City website, which unfortunately did not clarify many things about the then-ongoing situation. The insights into the restoration process were minor, but Young did reinforce the fact that the city was working together with the FBI and several competent technology vendors.

As per the Mayor’s statement, a clear timeframe for the repairs couldn’t be set at that point. Depending on the complexity of the damaged systems, the process would take between a few weeks and a few months from case to case.

May 22

As previously mentioned, the Baltimore ransomware attack took down not only the city’s servers but also its email system. As a workaround, until things got back to normal, employees created temporary Gmail addresses to carry out their daily tasks. However, many of them seemed to have been disabled on May 22, when several users reported malfunctions.

Fortunately, Google was quick to address complaints, and access to the Gmail accounts was restored shortly. The addresses had been disabled by automated security services, which detected a bulk creation of multiple consumer accounts in the same network.

May 25

On May 25, an article published by The New York Times shed light on a very important piece of information. Nicole Perlroth and Scott Shane revealed that the Baltimore ransomware attack was carried out by exploiting the EternalBlue vulnerability.

What was most scandalous about this detail, in particular, was that EternalBlue was initially a tool built by the National Security Agency (NSA) to infiltrate Windows systems. EB was infamously leaked by the Shadow Brokers in April 2017 and became a cyberattacker-favorite.

Following this discovery, Maryland State Senator Chris Van Hollen and Baltimore Congressman C. A. Dutch Ruppersberger started seeking answers from the NSA. The agency was also held publicly accountable for the fact that governmental security tools fell into the hands of malicious third parties.

May 29

At a meeting held on May 29, Baltimore’s city budget office estimated that the damages done by the ransomware attack would take approximately $18.2 million to clean up. Until that date, the local administration had already spent $4.6 million on restoration.

The total evaluation of $18.2 million comprised those $4.6 million, as well as an additional $5.4 million in mitigation efforts alone. In addition to this, the Bureau of Budget and Management Research for Baltimore director Bob Cenname projected an additional $8.2 million revenue loss from delayed and disrupted tax payments.
...