Attackers have unleashed ransomware on Baltimore city government systems. On May 7, 2019 the city’s systems ground to a halt as ransomware spread throughout the network.
City officials worked with cybersecurity experts and were able to quarantine the ransomware by the following day.
Initial investigation of the affected systems revealed that the strain of malware used was RobbinHood. Attackers used this same strain in a previous attack on the City of Greenville. It is currently unknown if the same group attacked both cities.
The Baltimore ransomware attack marks the second use of the RobbinHood malware. It also marks the second United States city with a population over 500,000 to be hit with malware after the attack on Atlanta in 2018.
After encryption, the malware left behind a ransom note demanding a payment of 13 BTC, or $76,280 at the time. The attackers claimed that the price would increase after 4 days and that data would be lost after 10 days.
City officials and technical experts work around the clock to bring the systems back online. As of May 13th all systems remained down. Statements released by the city indicate that they do not plan to pay the ransom. Mayor Jack Young says that while systems remain offline, the FBI continues their investigation.
The attack also wreaked havoc on the real estate market in Baltimore as the system for processing property transfers was down. Real estate transfer systems were fully restored as of May 20th.
A slow but sure recovery
As of May 20th city officials estimate that a complete restoration of all systems would still take weeks.
Baltimore is particularly susceptible to this type of attack due to decentralized control of the IT budget. This results in significant constraints on the amount of capital available for increased security measures for all city IT systems.
The city of Baltimore provides an excellent example of dealing with a ransomware attack. Deciding not to pay the ransom and to restore systems from scratch is a big decision, but certainly a step in the right direction. As long as attackers are making money deploying ransomware, they will continue to prey on unsuspecting targets.