
What really happened in the Baltimore ransomware attack?

It’s been more than a month since a nasty ransomware infection hobbled the City of Baltimore, disrupting virtually every facet of the city’s operations, including police communications, court systems and the local property market.

And it’s not over yet.

Baltimore is still recovering from the attack, and officials say it could be several more months before all systems are fully restored. City officials say the recovery could cost at least $18 million. But they’ve been mum about some of the most important details, like who might be behind the attack and what data has been lost.

Here’s what we know so far.

When did the Baltimore ransomware attack happen?

The attack occurred during the early hours of Tuesday, May 7, 2019.

The first clues surfaced shortly before 9 a.m., when Baltimore’s Department of Public Works announced on Twitter that “Email service is down.” By 1 p.m., the department said its phone lines had also been taken down.

Shortly after 2 p.m., Baltimore Mayor Bernard Young was one of the first officials to confirm the severity of the attack, writing on Twitter, “Baltimore City core essential services (police, fire, EMS and 311) are still operational but it has been determined that the city’s network has been infected with a ransomware virus. City teams are working diligently to determine the source and extent of the infection.”

Young said there was no evidence that any personal data had been stolen by the attackers, but “Out of an abundance of precaution, the city has shut down the majority of its servers.”

Some of those servers still remain offline today.


What was the impact?

While essential services like police were “still operational,” nearly every department was disrupted by the attack.

With the majority of servers shut down, city employees lost access to email; court records couldn’t be accessed; residents couldn’t pay bills, parking tickets or taxes (online or in person); and non-emergency police communications systems were knocked offline.

The attack also temporarily froze the Baltimore property market. Property buyers and sellers were unable to obtain certificates from the city showing that properties didn’t have liens. And without those certificates, title insurance companies were unwilling to move forward with real estate transactions.

Law enforcement personnel also couldn’t communicate with prosecutors, delaying court proceedings.


What’s the status now?

More than a month later, the city is still struggling to restore its systems. Email has been only partially restored for some departments. A message at the top of the city’s website reads: “The City of Baltimore is currently unable to send or receive email.”

City employees are slowly being allowed back into their computers. On a FAQ page, the city states that it’s focusing on restoring the most essential departments first: “We are prioritizing public safety agencies and are working on other agencies concurrently. A pilot was successfully implemented and we are rolling that solution out citywide. This is an ongoing process in our efforts to restore our network and applications in a safe and secure manner.”


RobbinHood strikes again

As the infection spread, city computers displayed a ransom note identifying the ransomware as RobbinHood, according to The Baltimore Sun. If true, that would make it the same strain of ransomware that disrupted the City of Greenville, North Carolina, a month earlier. In that attack, the majority of Greenville’s 800 computers were infected and needed to be restored individually from backups.

In a ransomware attack, attackers use malware to encrypt computer files and demand that the victims pay a ransom to restore them. Without the decryption key, the files typically can’t be accessed again. But even if victims pay the ransom, there’s no guarantee that they’ll actually receive the decryption key as promised.


A $76,000 ransom demand

In the Baltimore ransomware attack, hackers demanded 13 Bitcoin, valued at roughly $76,280.

In typical ransomware fashion, the attackers upped the stakes by threatening to increase the ransom in 4 days. And if they didn’t receive payment within 10 days, the files would be permanently deleted.

According to the Sun, the ransom note read: “We won’t talk more, all we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!”

During a city council meeting last week, solicitor Andre Davis said the city “thoroughly examined” the prospects of paying the ransom “at the highest levels of city government with experts, with law enforcement.”

But ultimately, the city refused.


An $18 million recovery

With data still encrypted and many computers inaccessible, the city has no choice but to slog through a long, tedious recovery. It won’t be cheap.

The city’s budget office has provided a preliminary estimate of $18.2 million, but the final cost of the attack could end up much higher. The city has already spent $5 million on recovery efforts so far. And it reportedly has no insurance to cover the costs of a cyberattack, unlike the city of Atlanta, which faced its own $17+ million ransomware attack in 2018.


Why didn’t Baltimore just pay up?

That’s the million-dollar question (or rather, the $18 million question).

Baltimore probably made the right choice in not paying the ransom.

The ransomware market has proliferated over the past few years precisely because victims are intimidated into paying the ransom. Attackers make their ransom demand reasonably affordable, so that it seems a nominal price to pay compared to losing data forever (or undergoing a lengthy recovery). But there’s no guarantee that the files will be restored, and paying the ransom only serves to make these crimes a profitable enterprise for attackers.

Baltimore officials have been explicit about the reasons why they didn’t pay up. On a FAQ page about the attack, the city explains:

· There is no guarantee [the attackers] can or will unlock our system

· There is no way of tracking the payment or even being able to confirm who we are paying the money to, because of the way they requested the payment

· There is no way of knowing if [the attackers] are leaving other malware on our system to hold us for ransom again in the future


Second attack in 2 years

This isn’t the first time Baltimore has experienced a ransomware attack.

In March 2018—just 14 months earlier—the city’s 9-1-1 dispatch system was “hacked” for 17 hours in what was later revealed to be a ransomware attack. Fortunately, dispatch was not taken offline. Emergency 9-1-1 calls could still be made. However, the attack disrupted communication between dispatchers and responders. Dispatchers had to use a more manual process to relay details to responders, instead of transmitting them electronically.

According to The Baltimore Sun, the city’s computer security chief admitted last year that her department’s budget was “stretched thin” after the attack on the 9-1-1 system. This led to discussions about the need to “upgrade firewall defenses at the perimeter of the network.”


A tumultuous time for Baltimore

Baltimore’s ransomware attack comes on the heels of a major shakeup in city government. Mayor Young had only been in office for a few days, after former mayor Catherine Pugh was forced to resign amid a corruption investigation.

Ars Technica also reports that the city’s IT department has faced near-constant turnover in the last several years, particularly among leadership. Four consecutive chief information officers have been fired or forced to resign over a period of five years.


Eternal (Blue) confusion

In the wake of the attack, there have been conflicting reports about the nature of the malware and how it infiltrated the city’s network. Some organizations have reported that the attackers used an exploit known as EternalBlue – the same tool that led to the global WannaCry and NotPetya attacks of 2017.

EternalBlue was originally an NSA-developed tool that was capable of infiltrating vulnerable Windows systems. The tool was leaked in 2017 and then promptly leveraged by hackers to deliver ransomware to hundreds of thousands of computers around the world.

The New York Times reported on May 25 that EternalBlue was behind the Baltimore ransomware attack. This led to city officials demanding more federal assistance to help pay for the recovery. However, the NSA later denied that EternalBlue had been used in the attack, at least not initially.

According to the Times, cybersecurity experts now believe that “hackers broke in through an open server in Baltimore’s network, installed a back door and then used EternalBlue to move across the city’s computers looking for valuable servers to infect.”

Some news organizations have also reported that the initial infection was caused by a phishing attack on a city employee – the most common method of ransomware delivery.


Unanswered questions

There are still many elements of this attack that we don’t know about. Baltimore has been cooperating with an FBI investigation into the origins of the attack, but officials haven’t provided many specifics.

For example, we don’t know who might have been behind the attack, whether it’s a known hacking group, state-sponsored cybercriminals or an individual hacker.

We also don’t know much about Baltimore’s data backup systems, which would be the city’s most critical tool for recovering lost files. In a ransomware attack, organizations can use data backups to revert to a clean restore point from before the infection occurred. This effectively removes the threat while also restoring data back to normal.

Mayor Young has said the city does have backups, but we don’t know how many, where they were implemented or whether those backups are viable.

City officials have also refused to comment on whether an official disaster recovery plan was in place. If there wasn’t, the city could have a very long recovery ahead of it.
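Whether a backup is “viable” comes down to two checks the article leaves implicit: the copy must predate the infection, and its contents must still match what was recorded when it was taken (a backup that the malware also reached is worthless). The script below is an added example, not code from the article or from Datto; every snapshot, file, manifest and timestamp in it is constructed for illustration (the 04:00 infection time only stands in for the article’s “early hours of May 7”) and models no real backup product or city system.

```python
"""Added example: choosing a verifiable, pre-infection backup snapshot.

All names and data below are constructed for illustration only; they model
neither a real backup product nor the City of Baltimore's systems.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Snapshot:
    """One backup snapshot: when it was taken, the files it holds, and the
    SHA-256 manifest recorded at backup time (ideally kept offline/immutable)."""
    taken_at: datetime
    files: dict[str, bytes]
    manifest: dict[str, str] = field(default_factory=dict)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_snapshot(taken_at: datetime, files: dict[str, bytes]) -> Snapshot:
    """Copy the files and record a hash of each one as the snapshot's manifest."""
    return Snapshot(taken_at, dict(files), {p: sha256(b) for p, b in files.items()})


def verify_snapshot(snap: Snapshot) -> list[str]:
    """Return the paths whose current content no longer matches the manifest
    (missing, altered or encrypted after the fact), plus any file that was
    added behind the manifest's back. An empty list means the copy is intact."""
    bad = []
    for path, digest in snap.manifest.items():
        data = snap.files.get(path)
        if data is None or sha256(data) != digest:
            bad.append(path)
    bad.extend(p for p in snap.files if p not in snap.manifest)
    return sorted(bad)


def choose_restore_point(snapshots: list[Snapshot], infected_at: datetime):
    """Pick the newest snapshot taken strictly before infected_at that passes
    the integrity check. Returns (snapshot_or_None, rejection_reasons)."""
    reasons = {}
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        if snap.taken_at >= infected_at:
            reasons[snap.taken_at] = "taken after the infection; may hold encrypted files or the malware itself"
            continue
        bad = verify_snapshot(snap)
        if bad:
            reasons[snap.taken_at] = f"integrity check failed for {bad}"
            continue
        return snap, reasons
    return None, reasons


# Constructed timeline: the article says the attack began in the early
# hours of May 7, 2019; 04:00 UTC is an assumed stand-in for that.
INFECTED_AT = datetime(2019, 5, 7, 4, 0, tzinfo=timezone.utc)


def _build_sample_snapshots() -> list[Snapshot]:
    """Constructed sample data: one good nightly copy, one silently damaged
    copy, and one taken after the infection had already started."""
    clean = {
        "records/liens.csv": b"parcel,lien\n0001,none\n0002,none\n",
        "mail/inbox.mbox": b"From: dpw@example.invalid\nSubject: test\n",
    }
    day5 = make_snapshot(datetime(2019, 5, 5, 2, 0, tzinfo=timezone.utc), clean)
    day6 = make_snapshot(datetime(2019, 5, 6, 2, 0, tzinfo=timezone.utc), clean)
    # Constructed failure: one file in the May 6 copy was overwritten after
    # its manifest was recorded, so the stored hash no longer matches.
    day6.files["records/liens.csv"] = b"\x00\x9f\xd3 unreadable blob"
    day7 = make_snapshot(
        datetime(2019, 5, 7, 6, 0, tzinfo=timezone.utc),
        {"records/liens.csv": b"\x13\x37 unreadable", "mail/inbox.mbox": b"\x42 unreadable"},
    )
    return [day5, day6, day7]


SNAPSHOTS = _build_sample_snapshots()


if __name__ == "__main__":
    chosen, rejected = choose_restore_point(SNAPSHOTS, INFECTED_AT)
    for when, why in sorted(rejected.items()):
        print(f"rejected {when.isoformat()}: {why}")
    if chosen is None:
        print("no viable restore point: no pre-infection snapshot passed verification")
    else:
        print(f"restore from {chosen.taken_at.isoformat()} ({len(chosen.files)} files verified)")
```

Run as a script it rejects the May 7 copy for being inside the infection window and the May 6 copy for failing its hash check, and settles on May 5. The design point is that the manifest is produced at backup time and kept separate from the data it describes; if both can be rewritten together, the integrity check proves nothing, which is one reason offline or immutable copies matter for ransomware recovery.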


Get more information

For more information on how you can protect your critical data from ransomware and other threats, request a free demo of BC/DR solutions from Datto. Contact our business continuity experts at (646) 395-1170 or email [email protected].