One of the biggest organizational nightmares today is being attacked by ransomware. Worse than that is failing to recover from such an attack.

In this article, we will look at the second ransomware attack within a year in the city of Baltimore and what organizations can learn from this case not to be the next victims. 

Baltimore City

Baltimore is in the state of Maryland, in the United States, and has joined Greenville and other American cities that have had their systems down due to ransomware in recent months.

Ransomware is malware that performs a “virtual hijacking”. After infecting a machine through email links, file downloads and other means, the purpose of this malware is to encrypt the data on infected systems, demanding an amount for them to be recovered.

In March 2018, the city’s police and fire brigade phone system was affected by ransomware due to accidental misconfiguration in the firewall.

RobbinHood: The Baltimore City Data Hijacker

In May this year, Baltimore again fell victim to this type of malware. Due to the lack of a 24/7 security monitoring system, the incident took hours to identify.

Payments for utility bills, such as water bills, could not be made through credit cards; the public works department had no network; the city hall mail server was unavailable and other services were damaged due to a variant of the “RobbinHood” ransomware.

“RobbinHood” – a kind of ransomware that also affected cities in North Carolina – demanded the payment of 3 bitcoins ($ 17,600 – the price at the time) per computer or 13 bitcoins ($ 76,280) to release all the city’s data.

The ransomware note also warned that payment should be made within four days or the price would increase, and warned that antivirus use would damage the city’s data.

We’ve watched you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections, so don’t ask for more times or some things like that. We won’t talk more all we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!” (DUNCAN; CAMPBELL, 2019)

At the time, Mayor Bernard C. “Jack” Young stated that the city would not pay for ransomware and would not accept bribes of any kind.

In August, the city voted to transfer $ 6 million from the Baltimore Recreation Fund to help pay investments to make the system more secure. However, the cost of the attack is estimated to be at least $ 18.2 million.

Frank Johnson – the city’s CIO – was criticized for his leadership in the midst of the crisis in May. As a former top salesman at Intel, during the recovery period of the attack, he said he had a recovery strategy, but the mayor’s representative said there was no plan in place, even though Mayor Jack had requested one.

Lack of transparency and communication were also pointed out by local authorities in relation to Johnson’s leadership.

In September, an audit was conducted on the city’s computers, which concluded that lost data could not be recovered because it was being stored locally on each hard drive, and none of it was saved in the cloud or any form of backup was being performed.

Not only was the data lost, but also the documentation on disaster recovery plans and security patch installations, and because of this, they cannot be sure if the city actually had such processes.

Finally, the city is now considering hiring a cyber insurance service to prevent future attacks.

And what are the lessons learned?

Even though there is still no magic bullet to prevent ransomware attacks, the Baltimore case brings us some lessons to ponder:

1 – ALWAYS have a backup

The scary thing about this whole episode is that the city did not have a backup available to recover its lost data, and city officials were not instructed to store copies of important data.

An English ambulance service company is a successful case involving backup and ransomware. After being infected with one of this malware, the company returned to normal operations in less than 30 minutes as they restored all their information from their backup.

Perhaps, at the moment, the backup cost may seem too large for your organization, but it will never be higher than recovering data if it is lost.

Always have a backup, either on a second server or in the cloud.

2 – NEVER pay the ransom, unless…

It is not recommended to pay for ransomware, ever, otherwise, this attitude can encourage criminal practices to grow, so crime will eventually pay off.

In the case of Baltimore, which did not have a backup, the only hope of recovering the data would be to pay for the ransom, even without any guarantee that access would be returned.

The best solution is “Never pay the ransom and always have a backup.”

3 – Have a prepared leader

The level of CIO Johnson’s “Information Security” technical knowledge is not clear, but given that he is a former Intel employee from the sales department, he is somewhat distrustful about his technical experience.

Even after witnessing a previous attack on its management, the city’s IT department had not yet created a plan to follow through cyber crises, let alone adopted the practice of having a backup.

It is necessary for the organization to have someone who understands not only the seriousness of the situation, but can somehow see and exercise strategies that can bring activities to the normal pace, with a managerial but mainly technical point of view.

4 – Have a contingency plan

For any type of incident, a contingency plan should be in place. Contingency plans prevent the situation from spinning out of control in the midst of a crisis and help employees know what to do so it has as little damage as possible.

This type of plan typically describes step by step how to perform the fastest possible system recovery.

It took Baltimore weeks to get back to using its systems, and it definitely lost a lot of data. This would have been avoided with a well-designed contingency plan.

5 – Consider Cyber Insurance Services if really needed

Perhaps, hiring cyber insurance is not ideal for all cases and companies. It is a decision to be evaluated, as often the cost of using these services can far exceed the cost of actions that could be taken by the organization itself. However, there are scenarios where this type of company is of great help, but one should consider whether these companies are actually reliable, as some were investigated for removing ransomware by paying the ransom without the victim’s knowledge.

6 – Have a solution that monitors access

The city did not have network monitoring, which made it easier for ransomware to spread easily across workstations until it was noticed.

According to RobbinHood’s own note, the malware was in the system for days finding ways to gain full access to the network until it hijacked all the data.

If there were a system capable of monitoring suspicious access and privilege abuse, ransomware might have been identified earlier and its spread blocked.

Vitali Kremez, a researcher who studied “RobbinHood”, said this type of ransomware is new and unnoticed by antivirus tools, and the attacker relies on unrestricted access to spread the malware.

Services and workstations would not have been affected if access to each one of them were different, restricted, and monitored.

senhasegura is a PAM solution that helps control access to workstations and critical system credentials.

In addition to detecting and warning of suspicious access, it also creates abuse restrictions that can prevent malware that has infected a workstation from gaining access to other stations on the same network.