Baltimore officials have admitted that the city government once again has been victimized by ransomware — the second such attack that Baltimore has faced in just over a year.
City computers were infected with the Robin Hood ransomware virus, The Baltimore Sun reported. Hackers told city officials that they would unlock the computers in return for payment of three bitcoins per system or 13 bitcoins for the entire system. Based on the current exchange rate, the ransom added up to about US$17,600 per computer or $76,280 for the system.
The hackers gave officials four days to pay or the ransom price would increase. They threatened to render the systems’ data irretrievable after 10 days. In addition, the hackers warned the city not to contact the FBI.
Bernard Young, Baltimore’s new mayor, said on social media that the city’s essential services were still running and that there was no evidence that any personal information had been compromised as of Tuesday afternoon.
“Baltimore City core essential services (police, fire, EMS, and 311) are still operational, but it has been determined that the city’s network has been infected with a ransomware virus,” Mayor Youngtweeted on Tuesday afternoon. “City employees are working diligently to determine the source and extent of the infection.”
As a precaution, the city did shut down the majority of its servers, the mayor added.
Quick Response
City officials were directed to disconnect their computers from the Internet completely, as the virus was spreading from computer to computer. Employees reportedly were directed to unplug the Ethernet cable from computers and to turn off any connected divisions.
The essential services remained operational, but other services have been disrupted, including the ability to discuss billing issues or make online payments, notably for water bills. As a result, the Baltimore Department of Public Works (DPW) announced via social media that it would suspend late water bill fees for both city and county customers.
The Baltimore City Department of Transportation announced that two impound lots and its Right of Way Services Division also were affected by the computer network outage.
The problem was largely contained by Tuesday afternoon, and the city teams were able to quarantine the ransomware, but by Wednesday, it was still unclear when affected systems could be back online. The FBI’s cyber squad has been assisting Baltimore with its recovery efforts.
Deja Vu All Over Again
What makes Tuesday’s attack unique is that Baltimore faced a similar attack last year. That one was more damaging, resulting in the temporary shutdown of automated dispatches for 911 and 311 calls.
“This event tells us that such attacks are on the rise, so much as it tells us that sensible practices are in decline — at least in Baltimore,” warned Jim Purtilo, associate professor in the computer science department at University of Maryland.
“There is no good way to say this: Two crippling attacks in a year is just pathetic,” he told TechNewsWorld.
Baltimore isn’t the only target of such attacks, of course. Atlanta last year fell victim to the SamSam ransomware, which disrupted city government operations and functions for a considerable period of time.
The Department of Justice last fall indicted two Iranian men last November for deploying that virus, whose victims included the city of Newark, New Jersey, as well as the Port of San Diego and the Colorado Department of Transportation.
“Bad actors have no doubt put the 89,000 local governments across the country in their cross-hairs,” said Mike Bittner, digital security and operations manager at The Media Trust.
“These local governments make ideal targets because they collect and process a lot of citizen and business information, and their tight budgets prevent them from making much-needed IT security updates,” he told TechNewsWorld. “For these city governments, getting hacked is not a matter of if but when.”
Soft Targets
Government offices — from the federal to the local level — typically don’t replace computer systems as frequently as corporations or individuals. Many of them rely on outdated systems, which makes them a soft target for hackers, who typically use a well-read playbook in these attacks.
“As long as individuals can be manipulated — via social engineering or phishing — and older, unpatched software and weak perimeter security exists, these attacks will continue with 100 percent certainty,” said David P. Vergara, director of product marketing atChicago-based cybersecurity firm OneSpan.
“It’s not reasonable that these attacks will be eliminated; however, for businesses and organizations to reduce their threat exposure, they should take [appropriate] actions,” he told TechNewsWorld.
It’s important that they fully understand that these attacks can happen and that they are costly and complex to resolve.
To address the issue effectively, there needs to be proper investment in preventive security measures, added Vergara.
“Initiate mandatory and ongoing employee training on phishing, vishing(voicemail phishing scams), and related social engineering designed to obtain personal or business information to refine attacks or trick them into installing malware,” he recommended.
In addition, companies and government agencies at all levels should maintain perimeter security software and infrastructure, and regularly test it. They also should leverage content filtering on mail servers to block suspicious or malicious attachments.
“Make sure that all systems and software are up-to-date,” said Vergara.”This is an easy one — yet still overlooked by many businesses and organizations.”
Bad Practices Are Good News for Hackers
Of all the types of cyberattacks in circulation, ransomware presents the most challenges, but it should be easy to recover from with due diligence applied beforehand.
“If you back up your files, you won’t need to negotiate or make payments to cyberthugs,” said The Media Trust’s Bittner.
Local governments, just like corporations and individuals, need to do a better job of backing up data so that paying a ransom is never considered.
“All organizations should assume they are in the crosshairs of cybercriminals,” said Bittner.
In addition, “all organizations should assume they are under some form of attack and strengthen their cyber defenses,” he added.
“Any one system could be vulnerable to a momentary lapse in our practices. After all, the attack vectors are there, and sometimes others will find the vulnerability before we do,” said University of Maryland’s Purtilo.
“Having experienced this once in the last year, it is difficult to imagine why a competent administrator would allow the city to continue operating a system that allowed an enterprise-wide loss due to a single point of failure,” he added.
To Pay the Ransom
Ransomware today isn’t really that much different from the way barbarian tribes in the ancient era would threaten to raid the frontier and pillage a city unless they were paid off. The difference is that instead of a physical attack, ransomware is a digital one, and some cities have given in.
However, the consensus among security pros is that when under such an attack, paying the ransom should never be considered — not even as the last course of action.
“Even if you do pay the ransom, there’s always the chance [thehackers] won’t release your files,” Bittner pointed out.
More worrisome is that if the ransom is paid, that could entice hackers to try again.
“If the business paid before and has not addressed security vulnerabilities — yes, they will be targeted again. This is low-hanging fruit for hackers,” said Vergara.
Still, it might be the only option in some cases.
“There are some cases where payment is not only the fastest path to recovery, but the far more cost-effective choice,” admitted Adam Laub, senior vice president of product management at Stealthbits Technologies.
“It totally depends on the situation; if your data is really valuable and there are no other copies to fall back on, then you might have no other choice than to pay up,” he told TechNewsWorld.
This is why ransomware has continued to be an effective weapon for cybercriminals looking to make a quick buck and wreak havoc while doing so.
“Conversely, if you’ve done a good job of backing up at least your most meaningful data, then it might be perfectly acceptable to lose whatever’s been compromised,” suggested Laub. “It’s so effective because it elicits desperation from its victims, and desperate people do desperate things.”
Given that this is the second attack on one target, it could be that lightning is unlikely to strike a third time — or hackers, as the case may be.
“There’s too much attention on the city of Baltimore at this point for there to be a continued barrage of attacks,” Laub explained. “It’d likely be too risky for the attackers.”
Future Attacks Likely
The sad truth is that ransomware attacks are likely to continue. It’s not just that many cities still rely on older hardware and software. Even when systems are replaced, legacy devices leave vast holes for hackers to exploit.
Corporations and large government agencies will be able to plug the holes, but many large U.S. municipalities will be unable to address potential exploits.
Whether a successful defense can be mounted may depend on the type of organization targeted, said OneSpan CMO John Gunn.
“A business can respond immediately and invest in additional IT security tools to prevent the type of attack they just experienced, whereas a government agency may take months or even years to get approvals and budget to buy new security tools, all the while being exposed to similar attacks,” he told TechNewsWorld.
Even new systems and a complete network upgrade might not be enough to keep the digital barbarians away.
“There are so many complexities and moving pieces. It’s hard to imagine a public institution that’s likely to be poorly funded being able to make many meaningful strides towards a solid security posture in a short period of time,” warned StealthbitsTechnologies’ Laub.
Still, the fact that Baltimore has been targeted twice suggests the city didn’t learn its lesson.
“Said simply, fool me once, shame on you; fool me twice, shame on me,” said Purtilo. “Taxpayers in Baltimore should ask a lot of hard questions.”