Ransomware, Americas, Content, Vertical markets

Baltimore Ransomware Attack: RobbinHood Malware Recovery Continues

The city of Baltimore was hit with a “very aggressive” new variant of the RobbinHood ransomware on Tuesday, May 8, the second time in 14 months it has been hobbled by cyber extortionists. MSSP Alert initially reported on the attack on Tuesday, May 7.

New Baltimore Mayor Bernard Young
New Baltimore Mayor Bernard ("Jack") Young

MSSP Alert is trying to determine (a) if Baltimore leveraged MSSPs ahead of the attack and (b) whether the city has hired MSSP-type partners to assist the recovery, cleanup and investigation.

Some city departments, including the police, inspector general’s office, and the city's departments of transportation and public works reported problems with email and phone systems. While the attack didn’t affect the city’s police, fire or emergency services it did prompt officials to temporarily suspend public works customer support, billing for its parks department, overdue water bills along with some other minor services, according to reports.

Most of the city’s servers have been shut down as a precautionary measure, city officials said, to impede the virus' spread. As of Wednesday afternoon, all city workers were back on the job although the city's email server and some of its phone service remained offline.

Baltimore City Ransomware Attack: Hacker Demands

The hackers demanded 13 Bitcoin, or nearly $80,000, to restore encrypted systems. City officials have thus far refused to pay the ransom. No personal data has been involved in the hijack, said Baltimore City Council President Brandon Scott in a statement Tuesday night. “As of now, we have no proof that any personal data has left the system,” he said.

In a press conference, newly appointed Baltimore Mayor Bernard Young said he didn’t know how long the affected systems would be down nor did he specify how the malware had entered the city's network. "There is a backup system with the IT department," he said, "but we can't just go and restore because we don’t know how far back the virus goes. So I don’t want people to think that Baltimore doesn’t have a backup." For the time being, city workers will have to perform tasks manually, Young said. (via the Baltimore Sun)

Baltimore CIO Frank Johnson

City Chief Information Officer Frank Johnson said the city’s security infrastructure has received numerous “clean bills of health. We have a very good capability. Unfortunately, it's a race between bad actors and the cyber security industry."

In March, 2018, Baltimore’s 911 and 311 systems were hijacked when hackers exploited the city’s network firewall in a maintenance upgrade.

“I don’t care what kind of systems you put in place, they always can find a way to infect your system,” Young said. “I know we’re going to do all we can to solve this issue and put up other protections.”

In the meantime, if anyone wants to reach the city, “the best way to do it is to pick up the plain, old telephone and give us a call,” said Johnson.

RobbinHood Ransomware Attacks: FBI Investigation

Federal investigators are working with local FBI agents to cross check the Baltimore Robbinhood attack against similar hijacks, the Baltimore Sun reported. The city of Greenville, North Carolina, reported last month that it had been infected by a variant of the Robbinhood ransomware.

Update: May 9, 6 pm ET (via Baltimore Sun)

Here's a partial list of what's working and what's not in Baltimore city government following the RobbinHood ransomware attack:

  • 311 services: Call center operators using laptops not connected to the city’s network.
  • Baltimore City Council: City government emails and voicemail down.
  • Baltimore Police Department: 911 services working. Baltimore police email not working.
  • Board of Elections: Emails and website down.
  • Department of Public Works: Customer support and services down.
  • Recreation and Parks: Services such as online payment, permits, program registration and service requests unavailable.
  • Baltimore City State's Attorney’s Office: Employees working offline.
  • Legislative Reference: Email down, no access to computers.
  • Archives and Records Management: No email access.
  • Office of Sustainability: No emails or voicemails.
  • Department of Transportation: Access to parking fines database disabled.
  • Office of Promotion and the Arts: No internet or email but website running as normal.
  • Office of the Inspector General: Hotline calls accepted.

Malware and Ransomware Attacks Target Cities, Government Infrastructure

In the past year, a growing number of ransomware and malware attacks have hit municipal IT operations, government and transportation systems in recent months, including:

April 2019: Cleveland Hopkins International Airport suffered a ransomware attack.
April 2019: Augusta, Maine, suffered a highly targeted malware attack that froze the city’s entire network and forced the city center to close.
April 2019: Hackers stole roughly $498,000 from the city of Tallahassee, Florida’s employee payroll system.
March 2019: Albany, New York, suffered a ransomware attack.
March 2019: Jackson County, Georgia officials paid cybercriminals $400,000 after a cyberattack shut down the county’s computer systems.
March 2018: Atlanta, Georgia suffered a major ransomware attack.
February 2018: Colorado Department of Transportation (CDOT) employee computers temporarily were shut down due to a SamSam ransomware virus cyberattack.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.