Ransomware Cyberattacks Knock Baltimore's City Services Offline

Enlarge this image toggle caption Emily Sullivan/WYPR Emily Sullivan/WYPR

Anonymous hackers breached the city of Baltimore's servers two weeks ago. Since then, those servers' digital content has been locked away — and the online aspects of running the city are at an impasse.

Government emails are down, payments to city departments can't be made online and real estate transactions can't be processed.

Imagine if somebody would sneak into a government building at night, load up a bunch of boxes with all the paperwork for all ... the pending business that the city was conducting, put it all in a truck and drive away — and demand some money in order to bring that truck back.

Hackers demanded 13 bitcoins — worth about $100,000 today — to relinquish their grip. Baltimore City Mayor Jack Young has said the city won't pay. The FBI and Secret Service are investigating, and the city has contracted with a series of experts to assist in restoring service.

The cyberattack is just one of more than 20 made on municipalities this year — and cybersecurity experts say it likely will take months for the city to recover.

"Imagine if somebody would sneak into a government building at night, load up a bunch of boxes with all the paperwork for all the pending permits and all the pending house closings and all the pending business that the city was conducting, put it all in a truck and drive away — and demand some money in order to bring that truck back," said Avi Rubin, a Johns Hopkins computer science professor and cybersecurity expert.

"That's a lot easier to do in cyberspace without getting caught," he said. "And that's what's happened here."

An unbreakable algorithm

The hackers used a ransomware called RobinHood — an extremely powerful and malicious program that makes it impossible to access server data without a digital key. Replicating that key without the hackers is impossible, says Rubin, who has testified about his field before Congress.

"I don't even think that the NSA would be able to break this algorithm," he said. "It's believed by the cryptographic community, both the theoreticians as well as the practitioners, to be unbreakable by today's technologies."

The city of Atlanta was attacked with ransomware in March 2018 — its digital civic services similarly ground to a halt. The Atlanta Journal-Constitution reported it cost the city $17 million to recover.

Baltimore officials have said they've turned to their peers in Atlanta for advice on how to deal with the ongoing disruptions.

That attack "should have been an alarm for many other cities," Rubin said. "All you need is one link in the chain and that's what the attackers will go after."

Those weak links are often preventable vulnerabilities like old hardware and old software, both of which Baltimore was using.

The city of Baltimore, like many local governments, was not at all prepared for something like this.

Medical records protected

Rubin is also the director of the Health and Medical Security Lab at Johns Hopkins. When malware attacks became more common a few years ago, hospitals were hackers' favorite targets — medical records are very valuable and are time-sensitive since they're needed to treat patients.

Hospitals responded quickly to the threat of malware by bolstering cybersecurity with new hardware and software, Rubin says, and are largely no longer affected by bad actors.

"However," he said, "the city of Baltimore, like many local governments, was not at all prepared for something like this. And if it's never happened, it's only natural to say, 'well, this type of thing has never happened before, so why should we spend a lot of money on it?' "

Rubin agrees with Mayor Young's decision not to pay the ransom for that key. If no one attacked by malware paid the ransom, "these attacks would just completely go away," he said.

Unfortunately, Rubin said, many private companies quietly pay, which has encouraged hackers to keep up ransomware attacks.

One analysis from CyberEdge found that 45% of organizations hit with ransomware end up paying a ransom. Another, from RecordedFuture, found that at least 17% of state and local government entities pay.

With no key, Rubin said the city will have to rebuild its servers from the ground up. That will likely take months, he said, and will involve implementing new hardware and software and restoring any data the city may have backed up.

Frustrated homebuyer

In the meantime, Baltimore residents are frustrated that there wasn't a plan for cyber catastrophes.

"The fact that you have a completely unsustainable computer system with no plan in place for when something like this happens after watching it happen to countless other cities — it's frustrating and disappointing," said Ashley Merson, a 31-year-old nanny.

Merson has been scrimping and saving for a house for four years. She paid off her debts, got her credit score up and finally was able to make an offer on a two-bedroom duplex house. She is more than ready to leave her low-income apartment complex, where she, her young son and disabled brother squeeze into a one-bedroom.

But just as she was about to settle on that house, the malware attacks struck.

"The process of buying a house is so long and tedious anyway," Merson said. "Waiting is tough."

City officials announced the development of a multistep "manual workaround" plan on Monday, nearly two weeks after city servers were first breached.

Merson hopes the now-heavy backlog of homebuyers won't delay her move-in any further. Rent at her apartment complex will increase significantly "sometime in the near future," she said.

If that happens while her family is still in limbo, Merson said, "then it's just going to be a pretty crappy situation."