Baltimore officials have admitted that the city government once again has been victimized by ransomware — the second such attack that Baltimore has faced in just over a year.
City computers wereinfected with the RobinHood ransomware virus, The Baltimore Sun reported. Hackers told city officials that they would unlock the computers in return for payment of three bitcoins per system, or 13 bitcoins for the entiresystem. Based on the current exchange rate the ransom added up toabout US$17,600 per computer or $76,280 for the system.
The hackers gave officials four days to pay or theransom price would increase. They threatened to render the systems’ data irretrievable after 10 days. In addition, the hackers warned the city not to contact the FBI.
Bernard Young, Baltimore’s new mayor, said on social media thatthe city’s essential services were still running, and that there was no evidence that any personal information had been compromised, as of Tuesday afternoon.
“Baltimore City core essential services (police, fire, EMS and 311)are still operational, but it has been determined that the city’snetwork has been infected with a ransomware virus,” Mayor Youngtweeted on Tuesday afternoon. “City employees are working diligentlyto determine the source and extent of the infection.”
As a precaution, the city did shut down the majority of its servers, themayor added.
City officials were directed to disconnect their computers from theInternet completely, as the virus was spreading fromcomputer to computer. Employees reportedly were directed to unplug theEthernet cable from computers and to turn off any connected divisions.
The essential services remained operational, but other services havebeen disrupted, including the ability to discuss billing issues ormake online payments, notably for water bills. As a result, theBaltimore Department of Public Works (DPW) announced via social mediathat it would suspend late water bill fees for both city and countycustomers.
The Baltimore City Department of Transportation announced thattwo impound lots and its Right of Way Services Division also were affectedby the computer network outage.
The problem largely was contained by Tuesday afternoon, and city teamswere able to quarantine the ransomware, but it by Wednesday it was still unclear when affected systems could be back online. The FBI’s cybersquad has been assisting Baltimore with its recovery efforts.
Deja Vu All Over Again
What makes Tuesday’s attack unique is that Baltimore faced a similarattack last year. That one was more damaging, resulting in the temporary shutdown ofautomated dispatches for 911 and 311 calls.
“This event tells us that such attacks are on the rise, so much as ittells us that sensible practices are in decline — at least inBaltimore,” warned Jim Purtilo, associate professor in the computerscience department at University of Maryland.
“There is no good way to say this: Two crippling attacks in a year isjust pathetic,” he told TechNewsWorld.
Baltimore isn’t the only target of such attacks, of course. Atlanta last year fellvictim to the SamSam ransomware, which disrupted citygovernment operations and functions for a considerable period of time.
The Department of Justice last fall indicted two Iranian men last November fordeploying that virus, whose victims included the city of Newark, New Jersey, as well as the Port of San Diego and the Colorado Department of Transportation.
“Bad actors have no doubt put the 89,000 local governments across thecountry in their cross-hairs,” said Mike Bittner, digitalsecurity and operations manager at The Media Trust.
“These local governments make ideal targets, because they collect andprocess a lot of citizen and business information, and their tightbudgets prevent them from making much-needed IT security updates,”he told TechNewsWorld. “For these city governments, gettinghacked is not a matter of if but when.”
Government offices — from the federal to the local level — typically don’t replace computer systems as frequently as corporations or individuals. Many of them rely on outdated systems, which makes them a soft target for hackers, who typically use a well-read playbook in these attacks.
“As long as individuals can be manipulated — via socialengineering or phishing — and older, unpatched software and weak perimetersecurity exists, these attacks will continue with 100 percentcertainty,” said David P. Vergara, director of product marketing atChicago-based cybersecurity firm OneSpan.
“It’s not reasonable that these attacks will be eliminated; however,for businesses and organizations to reduce their threat exposure theyshould take [appropriate] actions,” he told TechNewsWorld.
It’s important that they full understand that these attacks can happen,and that they are costly and complex to resolve.
To address the issue effectively, there needs to be proper investment in preventivesecurity measures, added Vergara.
“Initiate mandatory and ongoing employee training on phishing, vishing(voicemail phishing scams) and related social engineering designed toobtain personal or business information to refine attacks or trickthem into installing malware,” he recommended.
In addition, companies and government agencies at all levels shouldmaintain perimeter security software andinfrastructure, and regularly test it. They also should leverage content filtering on mail servers to block suspicious or malicious attachments.
“Make sure that all systems and software are up-to-date,” said Vergara.”This is an easy one — yet still overlooked by many businesses and organizations.”
Bad Practices Are Good News for Hackers
Of all the types of cyberattacks in circulation, ransomware presents themost challenges, but it should be easy to recover from with due diligence applied beforehand.
“If you back up your files, you won’t need to negotiate or makepayments to cyberthugs,” said The Media Trust’s Bittner.
Local governments, just like corporations and individuals, need to do abetter job of backing up data, so that paying a ransom is never considered.
“All organizations should assume they are in the crosshairs ofcybercriminals,” said Bittner.
In addition, “all organizations should assume they are under some formof attack and strengthen their cyberdefenses,” he added.
“Any one system could be vulnerable to a momentary lapse in ourpractices. After all, the attack vectors are there, and sometimes others willfind the vulnerability before we do,”said University of Maryland’s Purtilo.
“Having experienced this once in the last year, it is difficult toimagine why a competent administrator would allow the city to continueoperating a system that allowed an enterprise-wide loss due to asingle point of failure,” he added.
To Pay the Ransom
Ransomware today isn’t really that much different from the way barbariantribes in the ancient era would threaten to raid the frontier andpillage a city unless they were paid off. The difference is thatinstead of a physical attack, ransomware is a digital one, and some cities havegiven in.
However, the consensus among security pros is that when under such an attack, paying the ransom should never be considered — not even as the last course of action.
“Even if you do pay the ransom, there’s always the chance [thehackers] won’t release your files,” Bittner pointed out.
More worrisome is that if the ransom is paid, that could entice hackers to try again.
“If the business paid before and has not addressed securityvulnerabilities — yes, they will be targeted again. This is low-hangingfruit for hackers,” said Vergara.
Still, it might be the only option in some cases.
“There are some cases where payment is not only the fastest path torecovery, but the far more cost-effective choice,” admitted Adam Laub,senior vice president of product management atStealthbits Technologies.
“It totally depends on the situation; if your data is really valuableand there are no other copies to fall back on, then you might have noother choice than to pay up,” he told TechNewsWorld.
This is why ransomware has continued to be an effective weapon forcybercriminals looking to make a quick buck and wreak havoc whiledoing so.
“Conversely, if you’ve done a good job of backing up at least yourmost meaningful data, then it might be perfectly acceptable to losewhatever’s been compromised,” suggested Laub. “It’s so effective because it elicits desperation from its victims,and desperate people do desperate things.”
Given that this is the second attack on one target, it could be thatlightning is unlikely to strike a third time — or hackers, as the case may be.
“There’s too much attention on the city of Baltimore at this point forthere to be a continued barrage of attacks,” Laub explained. “It’dlikely be too risky for the attackers.”
Future Attacks Likely
The sad truth is that ransomware attacks are likely to continue. It’s not just that many cities still rely on older hardware and software. Even when systems arereplaced, legacy devices leave vast holes for hackers to exploit.
Corporations and large government agencies will be able to plug theholes, but many large U.S. municipalities will be unable to addresspotential exploits.
Whether a successful defense can be mounted may depend on the type of organization targeted, said OneSpan CMO John Gunn.
“A business can respond immediately and invest in additional ITsecurity tools to prevent the type of attack they just experienced,whereas a government agency may take months or even years to getapprovals and budget to buy new security tools, all the while beingexposed to similar attacks,” he told TechNewsWorld.
Even new systems and a complete network upgrade might not be enough tokeep the digital barbarians away.
“There are so many complexities and moving pieces. It’s hard toimagine a public institution that’s likely to be poorly funded beingable to make many meaningful strides towards a solid security posturein a short period of time,” warned StealthbitsTechnologies’ Laub.
Still, the fact the Baltimore has been targeted twice suggests the citydidn’t learn its lesson.
“Said simply, fool me once, shame on you; fool me twice shame on me,”said Purtilo. “Taxpayers in Baltimore should ask a lot of hardquestions.”