Skip to content

The very public and never ending Baltimore ransomware attack

In May 2019, the US City of Baltimore fell victim (for the second time in 12 months) to a ransomware attack which paralysed part of its computer network. As at 20 June 2019, these systems are still reportedly disabled. The success of this attack is an important reminder about the need to have robust recovery plans and a resilient backup strategy in place.

Baltimore was just one of the big US cities to be hit with the ransomware attack. Others include Atlanta, Georgia, San Antonio and Texas. Even smaller cities like Greenville, North Carolina and Allentown, Pennsylvania were targeted.

Although Baltimore immediately notified the FBI and took systems offline to keep the ransomware from spreading, the malware had already taken down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations. Hackers had reportedly demanded 3 bitcoins (nearly $24,000USD) to unlock each system or a total of 13 bitcoins (nearly $102,000USD) to unlock them all. Despite the costs and months of work that will be required to reverse the damage, Baltimore Mayor – Bernard Young, has told a news conference “I’m not considering” paying it and is also encouraging other cities “not to pay either”. To date, Baltimore has incurred an estimated $18.2 million in losses as the city tried to restore services and servers.

How did Baltimore communicate during the crisis?

In spite of the attack, business had to continue and recovery processes implemented. As government emails were offline, officials turned to Google as an alternative communication channel and created bulk Gmail accounts. Unfortunately, the creation of multiple accounts within a short period of time from the same network triggered a response from Google – the new accounts were consequently flagged as spam and shut down.

Tim Archer, Head of Communications at RiskLogic, highlights the importance of setting up alternative communication channels well and truly in advance. “Organisations need to consider an independent cloud-based communications tool” and keep an “offline database available so you can still reach out to people when systems are down”, he advises.

To add fuel to the fire, the hacker has also chosen to communicate with the council very publicly via Twitter, causing significant public pressure and damaging the reputation of the city. Many Baltimore locals and council peers have publicly weighed in on the organisation’s lack of “Cyber hygiene” and stance on the ransom demand.

Should Baltimore have paid the ransom?

There is no guarantee that hackers will honour their end of the bargain if the ransom is paid. Even if the hacker unlocks the system, victims may find that they cannot always recover all their data.

A better response is to be prepared for, and have contingency plans in place to mitigate the negative impacts of such attacks.

How common are ransomware attacks?

Ransomware attacks are growing significantly and becoming more sophisticated all around the world. In the first half of 2019, security researchers are already tracking over 1100 ransomware variants preying on unsuspecting web users.

“Organisations need to shift their mindset to thinking that anything is possible if you’re connected to the internet” says Daniel Muchow – Head of Cyber Consulting at RiskLogic. “A common blind spot is thinking that it can’t or won’t happen to us”, he adds.

Daniel also states, “The scale and velocity of a cyber crisis cannot be underestimated, and organisations should have cross functional plans that are regularly updated and exercised”. Daniel advises that these plans (ie Cyber Incident Response, IT Disaster Recovery, Business Continuity and Communications plans) should be exercised at least twice a year “with your systems offline” and “it is important that exercises and plans consider all possible scenarios, factoring in the potential operational impacts to critical business functions.”

For advice or to review your cyber hygiene, connect with us today.

Start a discussion