The Curious Case of the Baltimore Ransomware Attack: What You Need to Know
Hackers Are Targeting Governmental Agencies. Learn How to Stay One Step Ahead.
Last updated on June 8, 2022
Nowadays, cybercriminals are becoming increasingly hooked on big game hunting. Public institutions ranging from educational facilities to governmental agencies seem to be their favorite targets. One of the most notable instances of the latter in recent history was the Baltimore ransomware attack.
Even though the attack took place in May 2019, there is a lot still to be learned from the Baltimore ransomware case today. In this article, I will present a timeline of the events that unfolded in the wake of the infection, as well as answer the most pressing question in any situation like this: did Baltimore city pay the ransom?
Plus, if you want to learn how to prevent a ransomware attack in your institution, keep on reading. I’ll get into that as well.
Baltimore Ransomware Attack: A Timeline
The Baltimore ransomware attack wasn’t RobbinHood’s first rodeo with local government. On April 10 of the same year, hackers targeted the North American city of Greenville, North Carolina. A police officer was the first to ring the alarm on the infection, which prompted the IT team to take most servers offline. Officials announced the incident on the town’s official Facebook page.
In Baltimore, the infection gained more traction in the press as it coincided with a tricky political situation for the city. At the beginning of May, Mayor Catherine Pugh stepped down after a three-year stint at the helm of the administration.
Pugh’s resignation came as no surprise, as she was in the midst of a scandal that saw her lend political favors to several organizations in exchange for the wholesale purchase of her self-published children’s book. This resulted in criminal charges for the former Mayor, who was later on indicted on eleven counts of fraud, tax evasion, conspiracy, and other related transgressions in November 2019.
By February 2020, Catherine Pugh had been sentenced to three years in prison and another three on probation. Bernard C. Young was appointed to replace her in on May 9, 2019, two days after the original ransomware infection and one week after her resignation.
Below, I have comprised a timeline of events reported on for two months by reputable Baltimore-based and country-wide publications alike. In the following lines, I will go over the specific moment of infection, as well as the aftermath of the attack and the lengthy restoration process that followed. This incident was not without its fair share of controversy, so prepare for some drama as well.
As per the Baltimore Sun, the first signs indicating that the city was Baltimore was the victim of a cyberattack appeared on the morning of May 7th, at 8:54 a.m. It was then that the Department of Public Works tweeted about its email service being down. Later the same day, the same institution announced the public that its phone lines had also been affected.
The Department of Transportation was the second organization to suffer damages that day at one of its impound lots. There, employees found themselves unable to process vehicles. What is more, most of the city’s departments found their email systems unresponsive.
It soon became clear that another Baltimore ransomware attack was afoot after a similar attempt took emergency phone lines offline in 2018. Fortunately, 911 and 311 services were not affected this time around. With assistance from the local FBI unit, city investigators managed to quarantine the strain, which they identified as the RobbinHood ransomware.
Nonetheless, the hackers got a hold of the city’s entire online infrastructure and held it for ransom. They demanded that the city pay 3 Bitcoin for each system to be unlocked or 13 Bitcoin for the whole lot of them. This amounted to approximately $76,280 in total.
The note also mentioned that the ransom will be raised by $10,000 each day starting May 11. Moreover, the cybercriminals behind the operation threatened that the city would lose all its data permanently within ten days of the initial attack.
Newcomer Mayor Bernard C. Young came out with an official statement, informing local media that all city employees were forced to replace their computerized activities with manual processes. This gave Baltimore’s IT teams the necessary framework to fix the problem offline. City tech experts worked with the FBI, Microsoft, and other organizations to mitigate the issue.
However, the city’s official card payment system and debt checking application were also rendered inaccessible in the meantime. This reverted property tax payment, as well as the imbursement of other fees back to the (frustrating) bureaucratic times of pen and paper. During this timeframe, citizens had to send certified cheques or money orders, then match them to physical copies.
A little over one week later than the initial operation, the full extent of the damage inflicted by the hack was made known to the public. According to a list put together by the Baltimore Sun, the following state agencies and departments were impaired by the RobbinHood ransomware attack:
Baltimore City Council
Board of Elections
Baltimore Police Department
Department of Transportation
Department of Public Works
Department of Finance
Recreation and Parks
Archives and Records Management
Office of Sustainability
Department of Housing and Community Development
Baltimore Animal Rescue and Care Shelter
Baltimore Development Corporation
Board of Municipal and Zoning Appeals
Office of Promotion and the Arts
Nonetheless, on the same day city officials informed residents that it was safe to access local governmental websites.
Mayor Bernard C. Young published an official press release on the Baltimore City website, which unfortunately did not clarify many things about the then-ongoing situation. The insights into the restoration process were minor, but Young did reinforce the fact that the city was working together with the FBI and several competent technology vendors.
As per the Mayor’s statement, a clear timeframe for the repairs couldn’t be set at that point. Depending on the complexity of the damaged systems, the process would take between a few weeks and a few months from case to case.
As previously mentioned, the Baltimore ransomware attack took down not only the city’s servers but also its email system. As a workaround, until things get back to normal, employees created temporary Gmail addresses to carry out their daily tasks. However, many of them seemed to have been disabled on May 22, when several users reported malfunctions.
Fortunately, Google was quick to address complaints, and access to the Gmail accounts was restored shortly. The addresses had been disabled by automated security services, which detected a bulk creation of multiple consumer accounts in the same network.
On May 25, an article published by The New York Times shed light on a very important piece of information. Nicole Perlroth and Scott Shane revealed that the Baltimore ransomware attack was carried out by exploiting the EternalBlue vulnerability.
What was most scandalous about this detail, in particular, was that EternalBlue was initially a tool built by the National Security Agency (NSA) to infiltrate Windows systems. EB was infamously leaked by the Shadow Brokers in April 2017 and became a cyberattacker-favorite.
Following this discovery, Maryland State Senator Chris Van Hollen and Baltimore Congressman C. A. Dutch Ruppersberger started seeking answers from the NSA. The agency was also held publicly accountable for the fact that governmental security tools fell into the hands of malicious third parties.
At a meeting held on May 29, Baltimore’s city budget office estimated that the damages done by the ransomware attack will take approximately $18.2 million to clean up. Until that date, the local administration had already spent $4.6 million on restoration.
The total evaluation of $18.2 million was comprised of those $4.6 million, as well as an additional $5.4 million in mitigation efforts alone. In addition to this, the Bureau of Budget and Management Research for Baltimore director Bob Cenname projected an additional $8.2 million revenue loss from delayed and disrupted tax payments.
On May 30, the National Security Agency officially deflected the blame for the Baltimore ransomware incident through a statement issued by its Senior Advisor to the Director for Cyber Security Strategy, Rob Joyce. In his words, focusing on EternalBlue, a vulnerability that has already been patched, was “shortsighted”.
Instead, Joyce places the blame on city agencies, who he claims should have been more proactive in how they manage their computer networks.
The very same day, the Baltimore Sun obtained and published an undated risk assessment report which advised city officials to close security gaps in their systems as soon as possible. Failing to do so would render Baltimore “a natural target for hackers and a path for more attacks in the system,” such as ransomware incidents.
A new development into the discussion on the NSA’s EternalBlue leak took place on June 3, when malware analyst Joe Stewart declared that he couldn’t identify any traces of the exploit in the Baltimore ransomware code. Instead, he found RobbinHood to be a vanilla strain binary with no particular characteristics.
Together with Eric Sifford, Joe Stewart also uncovered a Twitter account linked to the Baltimore ransomware attacker. Although the initial note stipulated that the city had ten days to pay up or lose all data, the subsequent tweets set a new deadline for June 7.
As specified by an article published on the Baltimore Sun website, hackers released personal documents belonging to city employees. What is more, the actors behind RobbinHood threatened to distribute even more sensitive data if the ransom is not paid.
As of June 3, 2019, the RobbinHood Twitter account has been suspended for abusive language.
On June 4, the Baltimore Fishbowl reported that city officials finally have an update on the situation. The mayor’s deputy chief of staff for operations Sheryl Goldstein, who Young picked to oversee the restoration process, stated that 35% of the over 10,000 municipal employees had regained access to their accounts almost one month after the attack.
In addition to this, Goldstein also detailed that she hopes around 90% will have new and functional login credentials by the end of the same week.
In a conversation with Government Technology, mayoral communications officer James Bentley confirmed that most of the city’s systems were up and running. However, the Baltimore administration still struggled with restoring the water billing and e-permit systems, as well as certain real estate transactions.
Moreover, nearly two weeks since Goldstein’s estimate, only 65% of city employees could access their accounts. Bentley estimated that the number would increase to 95% by the end of that week.
As per an article published on the Baltimore Fishbowl website on June 26, 95% of the city’s employees finally regained access to their work accounts. This development came more than one week after James Bentley’s initial announcement in this direction.
Nonetheless, Baltimore’s IT staff was still working on restoring other systems such as the one for water billing. No estimate for the finalization of these efforts was given at the time.
Did Baltimore City Pay the Ransom?
Although the $76,280 ransom seemed a meager sum when compared to the $18.2 million local administration spent on mitigation, Baltimore city chose not to remunerate the ransom. This decision was heavily criticized by the public at the time.
Nevertheless, city officials chose to hold their ground firmly in the wake of the Baltimore ransomware attack. In a video statement posted to Twitter on June 6, 2019, Mayor Bernard C. Young stated the following:
Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or why don’t we pay the ransom? Well, first, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior. If we paid the ransom, there is no guarantee they can or will unlock our system.
There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future. Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.
Albeit brief, Mayor Young’s statement hits the nail on the head when it comes to whether or not you should pay up. My advice is the same: don’t give money to cybercriminals. While the sum they ask for might sometimes be smaller than what you end up paying in mitigation fees, it creates a dangerous precedent. Plus, there is no guarantee that you will regain access to your data if you do it.
Nonetheless, if the Baltimore ransomware case should teach you anything, it’s that handling the issue reactively (after the incident) can be quite a costly affair. The proper way to deal with this type of threat is to ensure that your systems are not infected in the first place. Find out how to prevent a similar occurrence in your organization in the section below.
Don’t Wait Until It Happens to You. Protect Your Institution Today.
Reactive cybersecurity solutions can only get you so far in terms of incident mitigation. As cyber-threats become increasingly refined, they will eventually manage to outrun your antivirus. This is why your institution should focus on a proactive solution that reinforces the weak spots in your system and detects intruders before they manage to infiltrate.
Our Heimdal™ Threat Prevention does just that (and more), impeding the executable ransomware file from connecting to the Command & Control server giving it orders. This occurs not only at the level of your browser but through any process ongoing at the endpoints in your institution’s network. It achieves this by operating within the layers of the DNS, HTTP, and HTTPS alike with proprietary DarkLayer Guard and VectorN Detection technology.
In addition to this, Heimdal™ Threat Prevention also features an Heimdal™ Patch & Asset Management module that automatically deploys software patches within a few hours of their release. This will further close any vulnerabilities in your system and prevent malicious attackers from gaining entry.
Antivirus is no longer enough to keep an organization’s systems secure.
Heimdal® DNS Security Solution
Is our next gen proactive DNS-Layer security that stops unknown
threats before they reach your endpoints.
Machine learning powered scans for all incoming online traffic;
Stops data breaches before sensitive info can be exposed to the outside;
Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
Protection against data leakage, APTs, ransomware and exploits;
Do you want to up your cybersecurity game even more? My recommendation is to combine Foresight with a next-generation antivirus solution. If you already have one installed, you’ll be happy to know that the two will complement each other very well.
The Baltimore ransomware case should be regarded by governmental institutions as a teachable moment. Maryland’s largest city had been similarly targeted in the past and warned about its existing vulnerabilities, but this was not enough for officials to act before another incident occurred.
Weakly protected networks and muddy political waters created the perfect cyber-storm in Baltimore. More than $18 million later, the city governmental accounts and dealt with the damage slowly, but surely. Nonetheless, its leaders came out of it with a huge stain on their reputation.
Institution cybersecurity is not something to be taken lightly. Strengthen your institution’s defenses today and let’s make sure together that an incident of this type doesn’t hold another city hostage too soon.
As always, feel free to leave any questions, comments, or concerns in the comments section below. I look forward to reading them all!
If you liked this post, you will enjoy our newsletter.
Get cybersecurity updates you'll actually want to read directly in your inbox.
Alina Georgiana Petcu is a Product Marketing Manager within Heimdal™ Security and her main interest lies in institutional cybersecurity. In her spare time, Alina is also an avid malware historian who loves nothing more than to untangle the intricate narratives behind the world's most infamous cyberattacks.