Early last month, hackers infected somewhere around 10,000 Baltimore, Maryland city computers with a “file-locking” ransomware variant called RobbinHood. Those hackers demanded a ransom of 13 bitcoin (at the time worth around $76,000, and today around $100,000) that would go up over time if it was not promptly paid out—and which the city refused to pay out.
According to a Wednesday report in Ars Technica, Baltimore Mayor Bernard “Jack” Young told reporters on Tuesday that crucial city services were now open for business, despite ongoing disruption. City Finance Director Henry Raymond added that some email accounts and phone lines had been restored, though many municipal payment and finance systems had to be operated in manual modes. Ars wrote that Young estimated the ongoing damage to be over $18 million, including “$8 million lost because of deferred or lost revenue while the city was unable to process payments.”
Notable concerns included problems with access to parking and traffic violation databases, which along with some other systems were for the time being dependent on “paper documents and manual workarounds,” Ars wrote. Additionally, a slow and labor-intensive process of authenticating and restoring login credentials for around 10,000 city employees is still ongoing and may not be complete until the end of the week:
Parking tickets and tickets generated by the city’s speed and red light cameras can be paid in person if the ticket is in hand. The city has regained the data for all parking and camera-generated violations up to May 4, but it still lacks the ability to look up violations without the physical paper ticket or process payments electronically, city officials said. And the same is true for many other interactions with the city, which currently require mailing or hand-delivering paper documents and manual workarounds.
City employees are being required to report in person to receive new network and email credentials, presenting a city ID before being allowed to get new passwords.
According to the Baltimore Sun, other impacted systems included a “shared system to keep [prosecutors] up to date on drug, DNA and gun test results,” forcing them to manually retrieve documents from city police.
Raymond also said that $18 million number may grow over time, as cybersecurity personnel may play a “daily” role protecting Baltimore city systems for some time, according to WBALTV 11.
Baltimore city IT officials, the FBI, and security contractors are currently at work managing the fallout of the ransomware attack. Ars wrote that the mayor’s deputy chief of staff for operations, Sheryl Goldstein, said the FBI had discouraged Baltimore officials from simply paying the ransom because it would not preclude extensive cybersecurity costs and “We would bear much of these costs regardless.”
The Baltimore Sun also reported this week that city and federal officials are investigating a Twitter account (using the display name “Robbinhood”) that claimed credit for the attack and posted internal city documents including “a detailed assessment of a woman’s medical history.” However, city officials said it was not clear whether databases containing such records were themselves breached—some of the documents the account posted were apparently lifted from city fax lines.
The Twitter account in question also denied that it used a sophisticated tool originally developed by the National Security Agency to exploit vulnerabilities in Windows machines, EternalBlue, which leaked onto the internet in early 2017 and subsequently used in ransomware attacks that spread globally. The Baltimore Sun wrote that the NSA told members of Maryland’s congressional delegation that the attack appears to have instead relied on phishing.
Ransomware attacks against municipal systems very much appear to be on the rise (and in fact, Baltimore’s 911 system fell prey to a similar attack last year). As CNN noted last month, cybersecurity firm Recorded Future has logged over 20 attacks so far in 2019, and “at least 170 county, city or state government systems” had been attacked since 2013.