Baltimore is under the grip of a ransom-ware attack.
The ransomware attack came in the midst of a major transition at City Hall. Mayor Bernard C. “Jack” Young assumed office officially just days before the attack, after the resignation of former mayor Catherine Pugh, who is facing an ever-expanding corruption investigation. And some of the mayor’s critical staff positions remained unfilled—the mayor’s deputy chief of staff for operations, Sheryl Goldstein, starts work today.
To top it off, unlike the City of Atlanta—which suffered from a Samsam ransomware attack in March of 2018—Baltimore has no insurance to cover the cost of a cyber attack. So the cost of cleaning up the RobbinHood ransomware, which will far exceed the approximately $70,000 the ransomware operators demanded, will be borne entirely by Baltimore’s citizens.
It’s not like the city wasn’t warned. Baltimore’s information security manager warned of the need for such a policy during budget hearings last year. But the final budget did not include funds for that policy, nor did it include funding for expanded security training for city employees, or other strategic investments that were part of the mayor’s strategic plan for the city’s information technology infrastructure.
In a statement to press on May 17, Mayor Young said:
I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications. Our focus is getting critical services back online, and doing so in a manner that ensures we keep security as one of our top priorities throughout this process. You may see partial services beginning to restore within a matter of weeks, while some of our more intricate systems may take months in the recovery process… we engaged leading industry cybersecurity experts who are on-site 24-7 working with us.
Some of the restoration efforts also require that we rebuild certain systems to make sure that when we restore business functions, we are doing so in a secure manner.
City officials have provided few details about the extent of the attack, as the city is cooperating with an FBI investigation. But it appears that the ransomware was triggered on some systems in the early hours of May 7, when email service was suddenly interrupted. The city’s response to the attack has thrown many city services into disorder or shut them down entirely.
The attack was first reported by Baltimore’s Department of Public Works, when the department’s official Twitter account announced that its email access was cut off, and it reported phones and other systems were affected soon afterward. As it became clear what was happening, the city’s Office of Information Technology team shut down nearly all of the city’s non-emergency systems to prevent the further spread of the attack. It’s not clear how widespread the ransomware was within the network, but the city’s email and IP-based phones were among the systems affected.
City officials have stressed that emergency systems, such as police and fire department networks and the city’s 911 system, were not affected. The 911 system suffered from a ransomware attack last year when some firewall settings were disabled during maintenance. But the Baltimore Police Department was dependent on the city’s email servers, and surveillance cameras around the city have been affected by the network shutdown. Nearly every other city department had services interrupted as well.
Real estate purchases cannot be closed, though Mayor Young said that a paper-based workaround for handling closings would be put in place by today. Water bills and other city charges (including parking tickets and citations from the city’s speed camera and red light camera network) cannot be paid. And many city workers have had to resort to using their own laptops without a connection to city networks, as well as personal e-mail addresses and cell phones, in order to get work done. Other tasks are idled completely or have gone back to paper-based processes the city was in the midst of trying to eliminate.