Lessons from Baltimore: The City Government Brought to its Knees by Ransomware
Two years after WannaCry caused global havoc, it would be easy to think the online world has moved on from ransomware, but the city of Baltimore has learned this is not the case – with devastating consequences
At the time of writing, the US city of Baltimore has been plagued by a devastating ransomware attack for over three weeks, with no clear end in sight.
On 7 May, hackers gained access to the city’s servers, locking down Baltimore’s systems and leaving the local government without access to email or online payments. In return, the city has been asked to pay 13 bitcoins, equivalent to around $100,000 (£79,000), which it has so far refused to do.
Representatives from the Secret Service and FBI have been called in, while cybersecurity experts work diligently to provide the city with some semblance of working online infrastructure, a process that is likely to take months.
Meanwhile, the impact on the city’s residents has been significant. 1,500 home sales were delayed for two weeks until a manual workaround for the notification of unpaid liens could be put in place. Residents have been unable to pay water bills, property taxes and parking tickets. And a host of other local services have been disrupted as citizens have struggled to communicate with their government.
“The attack against Baltimore City Government has once again highlighted the dangerous power of ransomware,” said Andrea Carcano, CPO of Nozomi Networks.
“The attack has brought operations to a halt and it will be some time before the government realises the exact extent of the damage caused.”
RobbinHood highlights that ransomware is still a threat
The ransomware used in the attack is known as RobbinHood, a relatively new strain of malware that, like WannaCry, locks down access to infected systems. The only way back in is with a decryption key, which only the attackers have, and which they are unwilling to provide without payment.
Cybersecurity experts will not be able to gain access to the systems without it, and so are faced with rebuilding replacement systems using any backups that are available.
For businesses and local governments alike, it is a stark reminder not only of how dangerous ransomware is, but how prevalent it remains.
“Ransomware attacks are still strong, accounting for 24% of the malware incidents analysed and ranking #2 in most-used malware varieties according to the 2019 Verizon Data Breach Investigations Report,” said Anjola Adeniyi, technical leader of EMEA at Securonix.
For the Baltimore government, this is particularly devastating as it is not the first attack the city has faced, leading many experts to question how secure its systems are.
“Ransomware typically exploits known software vulnerabilities, and organisations that haven’t done a thorough job of patching regularly tend to be victims,” said Adeniyi.
“Surely a second ransomware infection in two years undoubtedly raises questions.”
Lessons from Baltimore for businesses
Businesses, like governments, are a popular target for ransomware attacks. And as the Baltimore ransomware attack demonstrates, they can be extremely expensive both in terms of the cost of system rebuilding and the loss of productivity.
However, the advice is still not to pay, as not only is there no guarantee systems will be returned to normal, but even if they are the attackers are more likely to attack again, and may even leave malware in the company’s systems to make this easier in the future.
“When it comes to ransomware, prevention is always better than cure as, if infected, it is never advisable to pay the ransom as it is not guaranteed that the criminals will honour the agreement and restore systems/data,” said Carcano.
Instead, organisations need to focus on preventing attacks from happening in the first place, in part by keeping systems up to date, but also with robust training to ensure employees don’t prove to be the weak link.
There are also technologies available to provide continuous monitoring, allowing companies to identify and stop malware in its tracks before it can fully lock down systems.
“Organisations need tools that will help them immediately identify when something ambiguous is happening within the infrastructure,” he said.
“Applying artificial intelligence and machine learning for real-time detection and response, organisations can monitor for malware to rapidly discover and act to remove malicious code and the risks posed before harm is done.”
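As an added illustration of the continuous-monitoring point made above, the following Python script is example code written for this page (it is not from Nozomi Networks, Securonix or the City of Baltimore, and it says nothing about how RobbinHood itself behaves). It shows the kind of simple behavioural check a monitoring tool can run over file-server activity: a process that renames an unusually large number of files to a new extension within a short window is flagged before the whole share is affected. The log line format, host and process names, the `.locked` extension, the 60-second window and the threshold of 20 renames are all constructed assumptions for the example.

```python
"""Hypothetical mass-encryption detector over constructed file-activity events.

Assumptions (not from the article): events arrive one per text line in the
constructed format below; a process that renames many files to a different
extension inside a short window is flagged. Thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format, e.g.:
# 2019-05-07T03:12:01Z host=fs01 pid=4412 proc=updater.exe op=RENAME src=/share/a.xlsx dst=/share/a.xlsx.locked
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)

WINDOW = timedelta(seconds=60)   # illustrative sliding window
THRESHOLD = 20                   # illustrative: extension-changing renames per window per process


def parse_event(line):
    """Parse one constructed log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def extension_changed(src, dst):
    """True when a rename appends or swaps the extension (e.g. a.xlsx -> a.xlsx.locked)."""
    if dst is None:
        return False
    src_ext = src.rsplit(".", 1)[-1] if "." in src else ""
    dst_ext = dst.rsplit(".", 1)[-1] if "." in dst else ""
    return src_ext != dst_ext


def detect_mass_rename(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (host, pid, proc, timestamp) alerts, one per process that crosses the
    threshold; an already-alerted process is not reported a second time."""
    recent = defaultdict(deque)   # (host, pid) -> timestamps of extension-changing renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] != "RENAME" or not extension_changed(ev["src"], ev["dst"]):
            continue
        key = (ev["host"], ev["pid"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev["host"], ev["pid"], ev["proc"], ev["ts"]))
    return alerts


def constructed_events():
    """Constructed sample: one benign process and one mass-renaming process."""
    base = datetime(2019, 5, 7, 3, 12, 0)
    lines = []
    # Benign: a user renaming a handful of documents over ten minutes, extension unchanged
    for i in range(5):
        t = (base + timedelta(minutes=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} host=fs01 pid=1001 proc=explorer.exe op=RENAME "
                     f"src=/share/hr/draft{i}.docx dst=/share/hr/final{i}.docx")
    # Suspicious: one process rewrites 25 files to a new extension within 25 seconds
    for i in range(25):
        t = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} host=fs01 pid=4412 proc=updater.exe op=RENAME "
                     f"src=/share/finance/q{i}.xlsx dst=/share/finance/q{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_rename(constructed_events()):
        print("ALERT mass rename to new extension:", alert)
```

The benign renames never change the extension, so they are ignored entirely; the suspicious process is reported on its twentieth rename, five files before the constructed burst finishes. In a real deployment the alert would feed the response step the quotes describe, for example isolating the host or suspending the process, and the thresholds would be tuned against a baseline of normal file-server activity.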