
Baltimore Ransomware Attack Involved NSA’s EternalBlue Hacker Tools: Report

Hackers used the potent EternalBlue malware stolen from the National Security Agency (NSA) in 2017 to cripple Baltimore’s city government, the New York Times reported on Saturday, May 25, 2019.

Quick refresher: In 2017, the clandestine Shadow Brokers dumped the NSA’s most coveted cyber attack weapons on the open market. Some of those cyber tools, including EternalBlue, have since been co-opted by state-backed hackers in China, North Korea and Russia. EternalBlue, which exploits a vulnerability in Microsoft’s Windows XP and Vista operating systems, was behind the devastating WannaCry and NotPetya assaults in 2017. Now it’s city and state governments, such as Cleveland, Atlanta, Albany, NY and others, that are the newest ransomware targets.

In the Baltimore attack, which occurred on May 7, the cyber kidnappers locked up city government systems and demanded about $100,000 in Bitcoin to unlock the hijacked files. While the city has restored some systems and created workarounds for others, the attack would have been far less devastating had it not sprung from EternalBlue, the Times reported, based on expert opinions.

Baltimore Seeks Disaster Recovery Financial Assistance

With the city still struggling to recover, City Council President Brandon Scott has asked Maryland Governor Larry Hogan to seek a federal emergency and disaster declaration, which could gain Baltimore federal reimbursement for damages, costs and infrastructure repairs related to the attack, local CBS outlet WJZ reported. “I’ve reached out to Governor Hogan’s Office today to urge his leadership and cooperation in seeking Federal Emergency & Disaster Declaration for this incident,” Scott said. “Given the new information and circumstances it’s even more clear that the federal government needs to have a larger role in supporting the City’s recovery, including federal reimbursement for damages.”

A seemingly non-committal Gov. Hogan said the state will “continue to work closely with city leaders, including leveraging both state and federal resources, to help restore affected systems,” according to the WJZ report.

Meanwhile, Baltimore has created a new review board to audit its cybersecurity response and preparation. The Committee on Cybersecurity and Emergency Preparedness, which will be chaired by Council members Eric Costello and Isaac Yitzy Schleifer, is tasked with examining the City's “coordination of cybersecurity efforts, including the Administration's response to the cybersecurity attack and testimony from cybersecurity experts,” Scott said. He called the ransomware attack against the City’s government a “crisis of the utmost urgency.”

The Blow by Blow

Among the key updates and takeaways so far...

Communication breakdown. With Baltimore’s network infrastructure inoperative and normal communications channels addled, the mayor, city council members and many employees set up Gmail accounts as a workaround to conduct city business. Sounds simple enough, but Google’s system shut the accounts down. Multiple consumer accounts tied to the same network raised a red flag, Google reportedly said. The search giant has since restored those Gmail accounts.

Here’s the latest on what City officials are saying (via various media reports):

  • Baltimore chief financial officer Henry Raymond. Property taxes are due at the end of June but the systems that handle processing and payments aren’t fully recovered. The city is putting together a “contingency plan” for dealing with the problem, Raymond said. In addition, Raymond acknowledged that the city has been slow to pay some contractors owing to the ransomware attack.
  • Mayor Bernard Young. So far, Baltimore officials have refused to pay the cyber kidnapper’s demands of roughly $100,000 to unlock the system. “There’s no guarantee that when you pay the ransom you’re going to get your system back,” Young said a week ago. He doesn’t yet know how much money the city has lost or has spent trying to restore its systems.
  • Baltimore City Solicitor Andre Davis. City officials have compared notes with Atlanta officials related to that city's similar ransomware attack in 2018, Davis said. “The victim is out of ICU, is healing nicely, there is a long course of physical therapy ahead of the victim, but we’ll be back, and we’ll be back stronger,” Davis said of the city’s computer system.
  • Baltimore City Chief Digital Officer Frank Johnson. The city doesn’t know when its systems will return to normal. “Anybody who is in this business will tell you that as you learn more, those plans change by the minute, they are incredibly fluid,” Johnson said.

The city has not disclosed whether an MSSP relationship was in place ahead of the attacks.


D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.