Impacting businesses, government agencies, and public services on a grand scale, the Baltimore ransomware attack of May 2019 upended the city and cost up to $18 million to rectify the damage caused. We’ll explore how the Baltimore ransomware attack occurred, the consequences, and what businesses can do to learn from these incidents to protect against ransomware.
Protect your business from ransomware with Avast Business Server Antivirus
When did the Baltimore attack take place?
The Baltimore ransomware attack happened on May 7, 2019, during an already turbulent time for the city. Former Baltimore Mayor Catherine Pugh had just departed her role on May 2 following a scandal, criminal charges, and subsequent incarceration – her successor, Bernard C. Young, took the helm on May 9. Hackers attacked the city’s digital infrastructure at a time when the city’s cybersecurity priorities had taken a back seat. The attack lasted for more than two weeks.
The 2019 event was the second time the city had been the victim of a data breach. In March 2018, a ransomware attack disabled the city’s emergency systems for over 12 hours, and on November 25, 2020, a third ransomware attack hit Baltimore County Public School, affecting over 170 schools, numerous education systems, and up to 115,000 students.
How did the Baltimore ransomware attack happen?
On May 7, 2019, the Baltimore Department of Public Works Tweeted that its email services were not available. The outage then extended to its phone lines. Following this, a domino effect was seen across the city with up to 10,000 government systems, including the Department of Transportation systems, becoming inaccessible.
It was an attempted cyberattack on the emergency phone lines, similar to the successful ransomware strike on the city in 2018, that raised suspicions. City officials, working alongside the FBI, were then able to identify that the city had become the victim of a RobbinHood ransomware attack.
The malicious hackers used RobbinHood to lock government officials out of all operating systems, holding all data hostage and rendering all systems and applications inaccessible. Two days after the initial attack, hackers posted a ransom request addressing the new Mayor, which demanded three Bitcoin per locked system or 13 Bitcoin (up to $76,000) for all systems to regain access. The request added that the ransom would increase by $10,000 each day from May 11 if no payment was made and that all compromised data would be permanently erased.
What is RobbinHood?
Robbinhood is a sophisticated type of ransomware that echoes more sophisticated methods seen in advanced ransomware types, such as Ryuk, Locky, and Petya ransomware by entering via hacked Remote Desktop Protocols (RDPs). This enables hackers to sever the connection between your associated hardware and network, eradicate your cybersecurity defenses (as well as any recovery software), and restrict access to all files and folders via encryption. This will make any potential recovery of confidential data impossible unless a ransom is paid in exchange for a decryption key.
How did the city respond?
When Mayor Young was notified that the city had become subject to attack, he released an official statement highlighting that a considerable number of the city’s services had been temporarily replaced with manual processes, and that many government services were unavailable, such as the city’s card payment system that allowed citizens to pay property taxes and parking charges. However, he also stated that the city was working alongside the FBI and technology experts, such as Microsoft, to get all systems back up and running. He acknowledged that it could take weeks or even months to remedy, as several systems would need rebuilding.
For two weeks, city employees were unable to access their email system. Hence, they created Gmail accounts to counteract the impact and enable citizens to pay for essential services, such as water bills. Unfortunately, the creation of mass accounts alerted Google’s spam systems and led to these accounts being blocked as well – upon being notified, Google unblocked these accounts.
The National Security Agency (NSA) was widely thought to be responsible for the ransomware attack, as it was believed that hackers had used the exploit tool EternalBlue (previously created by the NSA) to penetrate Windows systems. The tool was stolen and leaked by the Shadow Brokers in April 2017, becoming a popular tool in new and developing ransomware, and was therefore thought to be the access point for the attack.
National Security Agency (NSA) Senior Advisor to the Director for Cybersecurity Strategy, Rob Joyce, responded that the focus on EternalBlue was “short-sighted” – Microsoft sent patches to counter EternalBlue, and Baltimore had over two years to remedy this and any other weaknesses within its IT infrastructure. Examining the attack further, malware analyst Joe Stewart determined that there was, in fact, no trace of the EternalBlue exploit in the ransomware code but that it could have aided in the propagation of the malware.
Did Baltimore County pay the ransom?
Baltimore County did not pay the ransom, despite increased pressures such as hackers releasing sensitive data related to city employees and additional threats to release further information. Most of the city’s operating systems were running again by mid-June, while several systems, such as those related to e-permits, real estate, and employee accounts, were fully operational by the end of that month.
Mayor Young released a video statement on Twitter in response to public criticism and calls for the ransom to be paid. He stated:
“First, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior. If we paid the ransom, there is no guarantee they can or will unlock our system.”
“There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future. Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.”
The Mayor's Deputy Chief of Staff for Operations, Sheryl Goldstein, provided additional comment:
“The federal investigators have advised us not to pay the ransom. The data shows you have less than a 50-50 chance of getting your data back if you pay the ransom, and, even if you pay the ransom, you still have to go within your system and make sure they’re out of it. You couldn’t just bring it back up and believe they were gone, and so we would be bearing much of these costs regardless.“
What were the consequences of the Baltimore ransomware attack?
The Baltimore city ransomware attack 2019 lasted about a month and cost up to $18.2 million to resolve service disruptions, including remediation, new hardware, and lost or deferred revenue. 35% of the 10,000+ municipal employees regained access to their accounts in this time – this reached up to 95% in the following months.
Similar to the Atlanta ransomware attack in 2018, the Baltimore ransomware attack affected government departments, utility, and parking services, all of which had to be processed manually.
Unlike the ransomware attack on the NHS in the UK, which significantly impacted mission-critical services, Baltimore’s emergency departments were not directly affected by the RobbinHood attack, and remained in operation. However, it did impact the Baltimore city real estate market, with employees unable to complete property sales until the end of June.
As Baltimore’s second ransomware attack in about 15 months, the city came under fire but has since introduced preventative measures to ensure another attack does not occur. These include the establishment of a new cybersecurity committee, fronted by Council President Brandon Scott. The committee worked on conducting a thorough review of the city’s vulnerabilities and the response to the attack in order to introduce new policies, practices, and technologies to develop a robust IT infrastructure.
Baltimore County Public Schools attack 2020
Baltimore County Public Schools became the victim of a third ransomware attack on the city on November 24, 2020, two days before Thanksgiving. Despite two previous high-profile ransomware events in the city, measures to protect the vast amounts of sensitive data were weak. All confidential data and associated school systems were encrypted, impacting “every aspect of the Baltimore County Public School system.”
Despite having backups for existing data, the cost of recovery is estimated to have surpassed $8 million. Over 9,000 staff laptops were reimaged (the hard drives were wiped, and new operating systems were installed) following the attack, as well as student devices. Some data or lesson plans were lost forever, and the school network had to be completely rebuilt.
The event caused widespread disruptions to the remote learning capabilities of up to 115,000 students, which were essential at that point due to the COVID-19 pandemic. The long-term shift to remote and hybrid working has led to an increasing number of endpoints, causing additional cybersecurity risks.
While it is unconfirmed whether a ransom was paid, Baltimore County Public Schools has committed to:
- Rebuilding and fortifying its IT infrastructure
- Introducing new processes, such as Multi Factor Authentication (MFA) for all staff
- Installing next-generation firewalls and enhanced device protections
However, in 2021, President of the Teachers Association of Baltimore County, Cindy Sexton, noted that the disruption remained unresolved for certain systems, including the institution’s payroll systems – many staff were overpaid, underpaid, or owed backdated payments.
What can be learned from the Baltimore ransomware attacks?
Although the required ransom was far less than the cost taken to recover from the cyberattack, Mayor Young concisely highlighted several reasons why a ransom should not be paid:
- Hackers should not be rewarded for criminal behavior, as this could open the city to further ransomware attacks in the future
- There is no guarantee that your systems and associated data will be unlocked if payment is made
The Baltimore ransomware attacks highlight the dangers of outdated security software and IT practices. Ransomware can cost your business thousands or even millions to remedy, not to mention the reputational damage. It is vital to take proactive action to update your cybersecurity processes, including:
Let Avast protect your business from ransomware attacks
Take essential security measures to defend and protect your business against the threat of ransomware attacks. Invest in business antivirus software that can secure Windows servers, patch vulnerabilities, and detect and prevent malicious activity across your networks.