The city of Baltimore was hit with a “very aggressive” new variant of the RobbinHood ransomware on Tuesday, May 8, the second time in 14 months it has been hobbled by cyber extortionists. MSSP Alert initially reported on the attack on Tuesday, May 7.
[Photo: New Baltimore Mayor Bernard (“Jack”) Young]
MSSP Alert is trying to determine (a) if Baltimore leveraged MSSPs ahead of the attack and (b) whether the city has hired MSSP-type partners to assist the recovery, cleanup and investigation.
Some city departments, including the police, the inspector general’s office, and the city’s departments of transportation and public works, reported problems with email and phone systems. While the attack didn’t affect the city’s police, fire or emergency services, it did prompt officials to temporarily suspend public works customer support, billing for its parks department, and overdue water bills, along with some other minor services, according to reports.
Most of the city’s servers have been shut down as a precautionary measure, city officials said, to impede the virus’ spread. As of Wednesday afternoon, all city workers were back on the job, although the city’s email server and some of its phone service remained offline.
Baltimore City Ransomware Attack: Hacker Demands
The hackers demanded 13 Bitcoin, or nearly $80,000, to restore encrypted systems. City officials have thus far refused to pay the ransom. No personal data has been involved in the hijack, said Baltimore City Council President Brandon Scott in a statement Tuesday night. “As of now, we have no proof that any personal data has left the system,” he said.
In a press conference, newly appointed Baltimore Mayor Bernard Young said he didn’t know how long the affected systems would be down, nor did he specify how the malware had entered the city’s network. “There is a backup system with the IT department,” he said, “but we can’t just go and restore because we don’t know how far back the virus goes. So I don’t want people to think that Baltimore doesn’t have a backup.” For the time being, city workers will have to perform tasks manually, Young said. (via the Baltimore Sun)
City Chief Information Officer Frank Johnson said the city’s security infrastructure has received numerous “clean bills of health. We have a very good capability. Unfortunately, it’s a race between bad actors and the cyber security industry.”
In March 2018, Baltimore’s 911 and 311 systems were hijacked when hackers exploited the city’s network firewall in a maintenance upgrade.
“I don’t care what kind of systems you put in place, they always can find a way to infect your system,” Young said. “I know we’re going to do all we can to solve this issue and put up other protections.”
In the meantime, if anyone wants to reach the city, “the best way to do it is to pick up the plain, old telephone and give us a call,” said Johnson.
RobbinHood Ransomware Attacks: FBI Investigation
Federal investigators are working with local FBI agents to cross-check the Baltimore RobbinHood attack against similar hijacks, the Baltimore Sun reported. The city of Greenville, North Carolina, reported last month that it had been infected by a variant of the RobbinHood ransomware.