How the city of Baltimore has been crippled by a ransomware attack—and it could take months to recover
Visitors to Baltimore’s government website this week saw a banner message that might be jarring for a city that’s taken pride in its high-tech “smart city” initiatives.
“The City of Baltimore is currently unable to send or receive email,” the banner read. “If you need assistance, please call the department you wish to contact.”
That comes after the city’s computer network was struck by a massive ransomware attack that Mayor Bernard “Jack” Young said on May 17 could take months to fully recover from.
“We don’t have any [recovery] date as of now,” says James E. Bentley II, press secretary in the mayor’s office. “They’re just working around the clock to secure the environment, and then once they are certain that they have a secure environment, they’re going to start working incrementally to bring applications and email back online.”
The hack, first discovered on May 7, also interfered with real estate sales in the city since officials couldn’t verify that sellers didn’t have outstanding liens on their properties. The city has since introduced a new procedure effectively letting sales resume if sellers pledge to pay any outstanding debts on their properties. The attack also shuttered a “bad batch” warning system that lets drug users and healthcare workers know when there are especially deadly drugs being sold in the area, The Baltimore Sun reports, and made it impossible for residents to pay water bills and parking tickets online.
The city government has so far refused to pay a ransom of 13 Bitcoin, or roughly $100,000, which the attackers have claimed would let the city unlock its files. The attack used a malware variant nicknamed RobinHood to encrypt city data.
It’s not the first time government computers have been struck by ransomware—Albany, New York, suffered brief digital disruptions in April after a similar attack, and Atlanta reportedly took months and spent millions of dollars to recover from such an attack last year, allegedly the work of Iranian hackers. And experts warn that such hacks on government systems could continue, with municipalities in particular often struggling to keep up with the demands of cybersecurity.
“Security budgets overall are being cut for a lot of state and local governments, which means that they tend to be more susceptible to these kinds of attacks because they don’t have the budget for protecting themselves that, say, a bank does or a hospital does or a manufacturing plant does,” said Allan Liska, an intel analyst at security firm Recorded Future, which recently published a report on ransomware and government computers.
Online criminals don’t always set out to target local agencies in particular, but it’s possible that they see such targets as potentially lucrative due to the publicity that hacks on them attract, he suggests in the report. While he estimates that government agencies are less likely to pay ransoms than other targets, it’s not unheard of for them to do so—Newark, New Jersey, reportedly paid about $30,000 in ransom after its computers were allegedly hijacked in 2017 by the same men accused in the Atlanta attack. Liska estimated in his report that there were 38 reported ransomware attacks on city and state governments in 2017, 53 in 2018, and 21 in the first three months of 2019.
“We’re on pace to exceed last year’s,” he warns.
What cities should be doing
Ideally, governments should take steps to secure their networks, like limiting what devices can connect to internal systems and regulating which files users and devices have access to, says Francis Dinha, CEO and cofounder of OpenVPN. That will help ensure that even if a device gets infected by malware, it can’t inflict widespread damage on agency data, he says.
Keeping secure backups walled off from anywhere attackers could reach is also critical, says Thomas MacLellan, director of policy and government affairs at Symantec, the security firm. While some online criminals seem to have shifted to other types of attacks, like so-called formjacking hacks that steal credit card data when people pay for things online, ransomware is still very much a concern, he says. And smaller cities in particular don’t always have the resources to keep their networks safe.
“Sometimes they do, sometimes they don’t,” he says. “The bigger cities—New York, L.A., and so forth—really have a significant leg up.”
Some states have also set up systems for state and local agencies to share security information and practices, says Liska, helping cities and towns stay ahead of threats. Cities also commonly work with agencies like the Federal Bureau of Investigation, as Young has said Baltimore is doing, after they’ve been hacked. Ideally, experts say, high-profile attacks like the one in Baltimore will spur other governments to take steps to keep their systems safe.
“I think this is a wake-up call, obviously,” says Dinha. “A lot of these hackers and bad actors are getting smarter and smarter.”