2019 Baltimore ransomware attack

Date: 7 May 2019
Time: 8:54 a.m. (EDT) [1]
Location: Baltimore, Maryland, United States
Type: Cyberattack
Theme: Ransomware encrypting files with a $76,280 demand [1]
Cause: RobbinHood ransomware
Outcome: Multiple municipal services down for months, including databases and applications; the city spent $18 million recovering services

During the Baltimore ransomware attack of May 2019, the American city of Baltimore, Maryland had its servers largely compromised by a variant of ransomware called RobbinHood. Baltimore became the second U.S. city to fall victim to this new variant of ransomware after Greenville, North Carolina and was the second major US city with a population of over 500,000 people to be hacked by ransomware in two years, after Atlanta was attacked the previous year.

Background

Baltimore had been targeted by ransomware once before, in 2018; that attack was smaller in scale and took down the city's emergency dispatch system for a short time. [2] On May 2, just days before the first infection, Mayor Catherine Pugh resigned amidst a corruption scandal; she was ultimately convicted and sentenced to 3 years in prison. [3] She was replaced by Jack Young.

Attack

On May 7, 2019, most of Baltimore's government computer systems were infected with the aggressive ransomware variant RobbinHood. All servers, with the exception of those running essential services, were taken offline. In a ransom note, the attackers demanded 13 bitcoin (roughly $76,280) in exchange for the keys needed to restore access. The note stated that if the demand was not met within four days the price would increase, and that after ten days the city would permanently lose all of the data. [4] [5] [6] [7] [8] [9] [10] On May 25, security expert Nicole Perlroth speculated that the stolen NSA exploit EternalBlue had been used to exploit vulnerabilities in the city's network and initiate the attack, [11] though in a memoir published in February 2021, Perlroth recanted her original statement after concluding that the exploit was not in fact responsible. [12]

Baltimore was susceptible to such an attack because of its IT practices, which included decentralized control of its technology budget and a failure to allocate the money its information security manager had requested for cyberattack insurance. [13] The attack has been compared to the ransomware attack on Atlanta the previous year, and was the second major use of the RobbinHood ransomware against an American city in 2019, as Greenville, North Carolina had also been affected in April. [14]

Aftermath

The attack had a negative impact on the real estate market, as property transfers could not be completed digitally while the city's systems were down; [15] [16] the city's card payment system and debt-checking application were also rendered inaccessible. In addition, city employees were unable to use their email system and resorted to creating Gmail accounts as a workaround. Google automatically blocked those accounts at first because so many had been created in a short time span, though the company later restored them. [17]

The recovery, which on May 20 was estimated to take several more weeks, [13] ultimately lasted until September. [18] Frank Johnson, Baltimore's IT director, was put on unpaid leave following the ransomware attack. Since becoming the city's IT director during the Pugh administration, Johnson had been criticized for not having a written disaster recovery plan and for his handling of the 2019 attack, which was estimated to cost the city $18 million. [18] He was replaced by deputy director Todd Carter, who became the permanent IT director in February 2020 after Johnson left the role in October. [19]

References

  1. "The Curious Case of the Baltimore Ransomware Attack: What You Need to Know". Heimdal Security Blog. September 8, 2020. Retrieved April 17, 2022.
  2. "Baltimore's 911 emergency system hit by cyberattack". NBC News. March 28, 2018.
  3. "Catherine Pugh: Baltimore mayor resigns over book scandal". BBC.com. May 2, 2021.
  4. "A ransomware attack is holding Baltimore's networks hostage". Engadget.
  5. Song, Victoria (May 8, 2019). "Baltimore's Government Held Hostage by Ransomware Attack". Gizmodo.
  6. Gallagher, Sean (May 8, 2019). ""RobbinHood" ransomware takes down Baltimore City government networks". Ars Technica.
  7. Chokshi, Niraj (May 22, 2019). "Hackers Are Holding Baltimore Hostage: How They Struck and What's Next". The New York Times. ISSN 0362-4331. Retrieved May 29, 2019.
  8. Liptak, Andrew (May 25, 2019). "Hackers reportedly used a tool developed by the NSA to attack Baltimore's computer systems". The Verge. Retrieved May 29, 2019.
  9. "Cyber-spies tight-lipped on Baltimore hack". BBC. May 27, 2019. Retrieved May 29, 2019.
  10. "Microsoft sounded alarm two years ago about NSA hacking tool that reportedly hit Baltimore". Baltimore Brew. Retrieved May 29, 2019.
  11. Perlroth, Nicole; Shane, Scott (May 25, 2019). "In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc". The New York Times.
  12. Perlroth, Nicole (February 9, 2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury.
  13. Gallagher, Sean (May 20, 2019). "Baltimore ransomware nightmare could last weeks more, with big consequences". Ars Technica. Retrieved May 21, 2019.
  14. Duncan, Ian; Zhang, Christine (May 17, 2019). "Analysis of ransomware used in Baltimore attack indicates hackers needed 'unfettered access' to city computers". The Baltimore Sun. Retrieved May 28, 2019.
  15. Duncan, Ian. "Home sales are held up; Baltimore ransomware attack cripples systems vital to real estate deals". baltimoresun.com.
  16. Stewart, Emily (May 21, 2019). "Hackers have been holding the city of Baltimore's computers hostage for 2 weeks". Vox. Retrieved May 21, 2019.
  17. Lecher, Colin (May 23, 2019). "Google shut out Baltimore officials using Gmail after ransomware attack". The Verge. Retrieved April 17, 2022.
  18. Duncan, Ian (September 10, 2019). "Baltimore IT director who was at helm during ransomware attack and city's recovery is on leave". Baltimore Sun. Retrieved April 17, 2022.
  19. Babcock, Stephen (February 13, 2020). "Todd Carter named director of Baltimore City Office of Information and Technology". Technical.ly. Retrieved April 17, 2022.