A Timeline of the Baltimore City Ransomware Attack

(Update: June 5, 2019)

Over one third of Baltimore City computers restored
Nearly a month after the ransomware attack on May 7, Baltimore City officials have provided a fresh update on the recovery efforts. As per the latest update, around 35 percent of nearly 10,000 municipal employees have regained access to their computers and email accounts. Moreover, the authorities expect to re-authenticate nearly 90 percent of employees with new passwords by the end of the week. Additionally, Baltimore residents can now make payments for any parking tickets issued after May 4, for which the data has now been restored.


Investigators looking into the Twitter account linked to attackers
After the discovery of the Twitter account which released documents related to the ransomware attack, federal investigators are trying to verify the authenticity of the documents and the identity of the people behind that account. The account posted several documents such as faxes sent to City employees including one that contained a woman’s medical history. The account also threatened to leak financial documents and citizens’ personal information on the dark web if the ransom is not paid. The account sent a direct message to a local reporter on Twitter, saying “If you don’t like to see all of them in the darknet, tell to mayor!”


---

(Update: June 3, 2019)

Baltimore attacker linked with suspended Twitter account
In the days following the Baltimore ransomware attack, a Twitter account was observed taunting the Baltimore Mayor to pay the ransom. It was not known whether the account was linked to the perpetrators behind the attack. On June 3, Twitter suspended the account for its use of abusive language. Meanwhile, researchers from the security firm Armor analyzed the documents posted by the account and concluded that it was indeed operated by the attackers.

Eric Sifford and Joe Stewart, the two Armor researchers who looked into the matter, gave a statement explaining their rationale. “We believe that when the Baltimore hacker posted, verbatim, the last two tweets from the Robbinhood Twitter profile into the ransomware panel (which is specific only to the city of Baltimore) that the attacker(s) had totally lost their patience and was fed up with anyone questioning their validity and capability to decrypt the city’s data,” they said.


Researchers find no evidence of EternalBlue exploit in Baltimore attack
The researchers from Armor also analyzed a malware sample tied to the incident to examine the claims of NSA’s EternalBlue exploit being used in the attack. As per their analysis, they found no evidence of any EternalBlue exploit code in the sample. “We took a look at it and found a pretty vanilla ransomware binary. It doesn’t even have any means of spreading across networks on its own,” Stewart said.

The researchers suggested that EternalBlue would not be the primary choice for attackers looking to mount a large attack. “It certainly wouldn’t be the go-to exploit if your objective was to identify critical systems and then only when you’re ready launch the attack so you can do it all at once. At this point, Eternal Blue is probably going to be detected by internal [security] systems, or the target might already be patched for it,” Stewart said.


---

(Update: May 31, 2019)

Risk assessment called Baltimore a ‘natural target’ for cyberattack
A newly revealed risk assessment report for Baltimore City’s computer systems showed that the IT office had warned of the threats arising from old, unpatched systems used by the City. The report highlighted the growing threat of ransomware attacks, stating “extortionists are an increasing threat to any internet-connected systems.” The IT office also warned of a severe impact on the city’s finances from the fallout of such a cyberattack.

The report specifically pointed out two servers used by the city to host a total of 104 city applications, which used an outdated version of Microsoft Windows Server, thereby making them vulnerable to many different exploits. Furthermore, the report also pointed out the lack of any active backup systems in place to restore the servers in case of an attack. Sheryl Goldstein, deputy chief of staff to the Baltimore Mayor, declined to shed any further light on whether the two servers were still in use at the time of the ransomware attack on May 7, 2019.


---

(Update: May 30, 2019)

NSA rebuts the blame game for Baltimore City ransomware attack
A recent New York Times report arguing that the NSA should be held responsible for the Baltimore City ransomware attack caused an uproar among Maryland’s political elites. A Maryland state senator and a Baltimore Congressman also asked the NSA to provide a detailed briefing regarding the use of its EternalBlue exploit in the attack.

However, Rob Joyce, Senior Advisor to the Director NSA for Cyber Security Strategy, rejected the blame laid on NSA for the Baltimore ransomware attack and argued that city agencies need to be more proactive in managing their computer networks.

At a recent conference, Joyce said, “NSA shares the concerns of all the law-abiding citizens around the world about the threat posed by that criminal, malicious cyber activity, but the characterization that there’s an indefensible nation-state tool propagating ransomware is simply untrue.” “Focusing on a single exploit, especially one that has a solution through a patch that was issued years ago, is really shortsighted. Vulnerabilities will continue to be found. Doing the basics is required for responsible network administration,” Joyce added.

Ref - Nextgov

---

(Update: May 29, 2019)

Baltimore ransomware attack estimated to cost over $18M
At a meeting on Wednesday, Baltimore City’s budget office provided estimates on the expenses or losses due to the ransomware attack that struck the city government on May 7, 2019.

Bob Cenname, director of the Bureau of Budget and Management Research for Baltimore, forecasted that the attack will cost the City at least $18.2 million. This includes $4.6 million in expenses already incurred by the City and a further estimated $5.4 million to be spent by the end of the year. Besides this, the City is estimated to lose another $8.2 million in revenue from property taxes and other bill payments which were delayed or disrupted due to the attack.


---

(Update: May 26, 2019)

Reports say NSA tools used in Baltimore ransomware attack, Leaders seek information
On May 25, the New York Times reported that attackers used EternalBlue, a tool built by the NSA to break into Windows systems. Notably, EternalBlue was infamously leaked online by a group known as Shadow Brokers in April 2017. The exploit has since been used by attackers to target several government agencies, city departments, and universities across the US, thereby raising concerns regarding its potential use in the crippling ransomware attack on Baltimore City.

Following the NYT report, Baltimore Congressman C. A. Dutch Ruppersberger and Maryland State Senator Chris Van Hollen are seeking briefings on the matter from the NSA. Jamie Lennon, a spokeswoman for Ruppersberger, said, “If recent media reports regarding the origins of the Baltimore ransomware attack are true, the congressman’s concerns are further validated. We will be seeking a full briefing from NSA regarding these reports.”

Van Hollen also issued a statement emphasizing the need to ensure that tools developed by US agencies do not fall into the hands of foreign actors. Furthermore, the leaders also called for the federal government to play an active role in the city’s recovery and commit their resources to pay for the damages.


---

(Update: May 24, 2019)

Google disabled Baltimore City’s Gmail accounts after ransomware attack
Due to the ransomware attack on Baltimore City, most of the city’s servers were taken down. The mail servers used by city departments faced an outage as well. To continue operations until their mailboxes were recovered, city employees created new Gmail accounts as a temporary workaround. However, on May 22, many city employees reported issues with their temporary Gmail accounts. Once the issue was highlighted, Google was quick to resolve it.

Commenting on the matter, a Google spokesperson said, “We have restored access to the Gmail accounts for the Baltimore city officials. Our automated security systems disabled the accounts due to the bulk creation of multiple consumer Gmail accounts from the same network.”

Ref - The Verge

---

(Update: May 23, 2019)

Baltimore ransomware recovery going slowly
Sheryl Goldstein, the newly appointed deputy chief of staff to the Baltimore Mayor, gave a statement to the press Wednesday, pointing out that Baltimore’s IT team “will only slowly bring computer systems back online” to ensure better security following the ransomware attack that shook the city government. “It is preferable for us to be safe and do it right than to do it fast,” Goldstein said.

Commenting on the stalled city services, Goldstein said, “We’re getting back to a place where operations, while different, are at normal levels of service.”


---

(Update: May 21, 2019)

Baltimore City tries to get back on its feet
In a statement posted on the Mayor’s website, it was announced that “The City of Baltimore processed 42 applications for property deeds during the first day of a manual workaround designed to allow real estate transactions to proceed during the City's technology outage”. Additionally, the statement also explained the manual process in detail.


---

(Update: May 20, 2019)

A workaround in the offing
The Baltimore City Hall proceeded with a manual workaround for property sales starting Monday this week. However, the time required to process the deeds is much more than in the computerized process, thereby creating a large backlog of records to be processed. Moreover, there is not enough clarity on what documents are required for the manual process to verify tax dues and outstanding water bills.


---

(Update: May 18, 2019)

Amidst a ransomware attack, Baltimore decides to get property sales moving
Amidst the ongoing crisis at the Baltimore City Hall since the ransomware attack, city officials informed the city residents that a manual process for property sales will be operational from next week, i.e., May 20.


---

(Update: May 17, 2019)

Public data on crime no longer being updated
It was observed that many of Baltimore City’s public datasets, including those related to victim-based crimes, gun offenders, police arrests, parking fines, environmental violations, housing permits, property taxes, and liquor licenses, had not been updated on the Open Baltimore website since the cyber attack on May 7.


The Mayor of Baltimore issues a press briefing
In an update posted on the official website, Mayor Bernard C. “Jack” Young only provided minor insights into the status of the restorative process, while reiterating that city officials continue their investigation with the assistance of the FBI and several technology vendors.

“I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications. Our focus is getting critical services back online, and doing so in a manner that ensures we keep security as one of our top priorities throughout this process. You may see partial services beginning to restore within a matter of weeks, while some of our more intricate systems may take months in the recovery process,” Young said.


---

(Update: May 16, 2019)

Baltimore City Council President announces the formation of a new committee
In the light of the recent ransomware attack, Brandon Scott, President of the Baltimore City Council, announced the formation of a new committee to evaluate the cybersecurity and emergency preparedness of the city government. The committee is expected to look into the funding allocation for cybersecurity and the city’s emergency response plans.

Ref - The Hill

---

(Update: May 15, 2019)

Government websites restored
While the city’s computer systems still remain affected by the ransomware attack, the city officials informed the residents that they could safely visit the city government’s websites.
The city’s Finance Director Henry J. Raymond said that the city hopes to resume the services related to property transactions by the end of next week.


Drug alert system knocked offline
The city’s health department confirmed that its SMS alert system for warning residents about potentially deadly batches of street drugs was also taken offline by the cyber attack.


List of affected departments and agencies
Many of the city departments and agencies lost access to their internet and email systems due to the ransomware attack. The list of affected city departments and agencies includes:

  • Baltimore City Council
  • Baltimore Police Department
  • Department of Housing and Community Development
  • Board of Elections
  • Department of Finance
  • Department of Public Works
  • Recreation and Parks
  • Legislative Reference
  • Archives and Records Management
  • Office of Sustainability
  • Department of Transportation
  • Baltimore Animal Rescue and Care Shelter
  • Board of Municipal and Zoning Appeals
  • Baltimore Development Corporation
  • Office of Promotion and the Arts

Some of these departments or agencies have also been affected beyond their network connectivity and email systems.


---

(Update: May 14, 2019)

Property sales processing systems impacted
Due to the ransomware attack, the systems used for processing property sales were also heavily impacted. As per local real estate professionals, hundreds of sales were pending as the systems for verifying outstanding dues and completing the sale were taken offline.


---

(Update: May 13, 2019)

Relief for Baltimore residents
Clearing the air on delays in property tax payments, the Baltimore Finance Director Henry Raymond informed the city council that all residents who made their payments after the payment deadline on April 30 and before the tax sale on May 12, will not be facing any penalties. The city government did not disclose further details about the attack citing the ongoing federal investigation into the matter.


---

(Update: May 9, 2019)

Baltimore workforce slowed down, announces the City Union head
Antoinette Ryan-Johnson, the head of the City Union of Baltimore which represents 3100 employees across various departments, commented on the situation of the city employees. “The workforce has significantly slowed down because there’s no way for the members to do the work. Not all of them. A lot. I don’t think anyone in the city has capability to use computers and pretty much that’s what we do all day,” said Ryan-Johnson.

Ryan-Johnson also added that employees had not been given any time frame or information on when the computer systems will be restored.


---

(Update: May 8, 2019)

Baltimore switches gears, shifts to manual processes
Bernard C. Young, the Baltimore City Mayor, informed the local media that the city employees were forced to revert to manual processes, while the IT teams continued their efforts to recover the affected systems. Additionally, Young stated that the city officials were working with the FBI, Microsoft, and other technology vendors to restore the computer network and the affected services.

Meanwhile, the online application for checking debt amounts and the card payment service were taken down by the attack. This meant that the process for payment of property tax and other dues was now reliant on certified cheques or money orders, which were to be matched with physical copies of the payment-related correspondence sent to the city’s residents. Due to this, many residents faced the danger of amassing penalties from late payment of their dues.


---

(Initial reports on May 7, 2019)

Baltimore City hit by a ransomware attack

On May 7, 2019, the city of Baltimore, Maryland, was hit by a ransomware attack that affected most of the city’s online services. The attackers took control of a majority of the city’s servers and put forward a ransom demand of 13 bitcoins to unlock them.

The city’s investigators, assisted by the local FBI squad, quarantined the ransomware and identified it as the Robbinhood ransomware. The ransom note on the infected computers gave the city authorities two options for paying the ransom. The attackers demanded that the city pay either 3 bitcoins to unlock each affected system or 13 bitcoins for all the systems. Moreover, the attackers threatened to increase the demand by $10,000 each day once four days had passed.

The first indication of the attack came from the Department of Public Works, which tweeted at 8:54 AM that its email service was out of order. Later, it also informed the residents that its customer service phone lines were facing an outage, along with its website for payment of water bills. Unlike a previous attack faced by the city, the critical emergency dispatch systems for 911 and 311 were not affected by this attack.

The Department of Transportation was also found to be impacted on Tuesday as it could not process vehicles at one of its impound lots. Moreover, most of the city’s departments were cut off from their email systems due to the attack.

Commenting on the attack, the Mayor tweeted, “At this time, we have seen no evidence that any personal data has left the system. Out of an abundance of precaution, the city has shut down the majority of its servers. We will provide updates as information becomes available.”

It should be noted that the city was also struck by a cyber attack last year which had crippled its 911 emergency dispatch system.




