For the second time in a year, computers belonging to the city of Baltimore have been infected with ransomware. Malicious hackers are demanding that a ransom be paid for the safe recovery of the encrypted files on the affected computers and servers.
On Tuesday, Mayor Bernard C. "Jack" Young tweeted that the city had, "out of an abundance of caution", taken the majority of its servers offline, but that the city's core essential services (such as police and fire) remained operational.
However, the e-mail systems used by municipal employees, telephone lines and online bill payments were all affected by the attack.
Among those affected was the Department of Public Works (DPW), which reported that its customer support line was unable to take calls because the network was unavailable, and that it could not accept any payments other than those made by check or money order.
According to Mayor Young, the city of Baltimore has seen no evidence that personal information was taken from the infected computers. That is normal with ransomware: the attackers are usually not interested in the content of the files and documents stored on your computer network; they simply want to deny you access to them.
Frank Johnson, Baltimore's Chief Information Officer, confirmed in a press conference streamed via Facebook that the offending malware was the "very aggressive RobbinHood ransomware", and that the FBI had identified it as a "fairly new variant".
It is unclear whether this variant of the RobbinHood malware is the same one that hit the city network of Greenville, North Carolina last month. In that incident, the city was forced to shut down most of its servers, although police and fire emergency communications were not affected in the same way.
Reporters at The Baltimore Sun managed to obtain a copy of the ransom note displayed by the malware on the affected city computers in Baltimore, and confirmed that it initially demanded 3 Bitcoins (about US$18,000) for the recovery of the encrypted files on each computer, or 13 Bitcoins (about US$78,000) to release all of the city's files.
"We'll keep an eye on you for days and we've worked on your systems to gain full access to your business and bypass all your protections."
"We won't talk anymore, all we know is MONEY! Hurry up! Tap Tak, Tap Tak, Tap Tak!"
Last month we described how the RobbinHood ransomware, from the fourth day after encryption, increases its extortion demand by $10,000 every 24 hours.
After 10 days, if the RobbinHood ransomware is to be believed, the city of Baltimore would no longer be able to recover its data at all.
In March 2018, Baltimore's automated 911 dispatch system was taken offline by a ransomware attack. It was later determined that a member of the IT staff had accidentally misconfigured a firewall in the hours prior to the attack, allowing the ransomware to successfully infect the city's computer-aided dispatch (CAD) system.
Questions will undoubtedly be asked about whether lessons were learned after the previous ransomware attack and whether this latest ransomware infection could have been prevented.
At the very least, this latest incident is a reminder to organizations of all sizes of the essential need for a layered defense, together with a thorough backup and disaster recovery process, in preparation for the possibility that an attacker manages to break through in the future.
Editor's note: The opinions expressed in this guest author article are solely those of the author and do not necessarily reflect those of Tripwire, Inc.