Ransomware Cyberattacks Knock Baltimore's City Services Offline

May 21, 2019
Originally published on May 21, 2019 5:35 am

Anonymous hackers breached the city of Baltimore's servers two weeks ago. Since then, those servers' digital content has been locked away — and the online aspects of running the city are at an impasse.

Government emails are down, payments to city departments can't be made online and real estate transactions can't be processed.

Hackers demanded 13 bitcoins — worth about $100,000 today — to relinquish their grip. Baltimore City Mayor Jack Young has said the city won't pay. The FBI and Secret Service are investigating, and the city has contracted with a series of experts to assist in restoring service.

The cyberattack is just one of more than 20 made on municipalities this year — and cybersecurity experts say it likely will take months for the city to recover.

"Imagine if somebody would sneak into a government building at night, load up a bunch of boxes with all the paperwork for all the pending permits and all the pending house closings and all the pending business that the city was conducting, put it all in a truck and drive away — and demand some money in order to bring that truck back," said Avi Rubin, a Johns Hopkins computer science professor and cybersecurity expert.

"That's a lot easier to do in cyberspace without getting caught," he said. "And that's what's happened here."

An unbreakable algorithm

The hackers used ransomware called RobinHood — an extremely powerful and malicious program that makes it impossible to access server data without a digital key. Replicating that key without the hackers is impossible, says Rubin, who has testified about his field before Congress.

"I don't even think that the NSA would be able to break this algorithm," he said. "It's believed by the cryptographic community, both the theoreticians as well as the practitioners, to be unbreakable by today's technologies."

The city of Atlanta was attacked with ransomware in March 2018 — its digital civic services similarly ground to a halt. The Atlanta Journal-Constitution reported it cost the city $17 million to recover.

Baltimore officials have said they've turned to their peers in Atlanta for advice on how to deal with the ongoing disruptions.

That attack "should have been an alarm for many other cities," Rubin said. "All you need is one link in the chain and that's what the attackers will go after."

Those weak links are often preventable vulnerabilities like old hardware and old software, both of which Baltimore was using.

Medical records protected

Rubin is also the director of the Health and Medical Security Lab at Johns Hopkins. When malware attacks became more common a few years ago, hospitals were hackers' favorite targets — medical records are very valuable and are time-sensitive since they're needed to treat patients.

Hospitals responded quickly to the threat of malware by bolstering cybersecurity with new hardware and software, Rubin says, and are largely no longer affected by bad actors.

"However," he said, "the city of Baltimore, like many local governments, was not at all prepared for something like this. And if it's never happened, it's only natural to say, 'well, this type of thing has never happened before, so why should we spend a lot of money on it?' "

Rubin agrees with Mayor Young's decision not to pay the ransom for that key. If no one attacked by malware paid the ransom, "these attacks would just completely go away," he said.

Unfortunately, Rubin said, many private companies quietly pay, which has encouraged hackers to keep up ransomware attacks.

One analysis from CyberEdge found that 45% of organizations hit with ransomware end up paying a ransom. Another, from RecordedFuture, found that at least 17% of state and local government entities pay.

With no key, Rubin said the city will have to rebuild its servers from the ground up. That will likely take months, he said, and will involve implementing new hardware and software and restoring any data the city may have backed up.

Frustrated homebuyer

In the meantime, Baltimore residents are frustrated that there wasn't a plan for cyber catastrophes.

"The fact that you have a completely unsustainable computer system with no plan in place for when something like this happens after watching it happen to countless other cities — it's frustrating and disappointing," said Ashley Merson, a 31-year-old nanny.

Merson has been scrimping and saving for a house for four years. She paid off her debts, got her credit score up and finally was able to make an offer on a two-bedroom duplex house. She is more than ready to leave her low-income apartment complex, where she, her young son and disabled brother squeeze into a one-bedroom.

But just as she was about to settle on that house, the malware attacks struck.

"The process of buying a house is so long and tedious anyway," Merson said. "Waiting is tough."

City officials announced the development of a multistep "manual workaround" plan on Monday, nearly two weeks after city servers were first breached.

Merson hopes the now-heavy backlog of homebuyers won't delay her move-in any further. Rent at her apartment complex will increase significantly "sometime in the near future," she said.

If that happens while her family is still in limbo, Merson said, "then it's just going to be a pretty crappy situation."

Copyright 2019 WYPR - 88.1 FM Baltimore. To see more, visit WYPR - 88.1 FM Baltimore.

STEVE INSKEEP, HOST:

A hostage situation continues today in Baltimore. To be clear, the hostage is not a person. It's data. Two weeks ago today, hackers breached city servers, and many digital city services are no longer accessible as a result. Experts say restoring those services could take months because the city is not willing to pay the ransom. From member station WYPR, Emily Sullivan reports.

EMILY SULLIVAN, BYLINE: Hackers used an extremely malicious type of ransomware, called RobinHood, to pull off the heist. They're demanding about $100,000 in bitcoin to unlock their grip on city servers by giving up a digital key to all that data. That data ranges from legislative bills to online payments for water and parking tickets. Even the city's lien system is frozen, meaning no real estate sales can happen.

AVI RUBIN: Imagine if somebody would sneak into a government building at night, load up a bunch of boxes with all the paperwork for all the pending permits, and all the pending house closings, and all the pending business that the city was conducting, put it all in a truck and drive away and demand some money in order to bring that truck back to give back all the papers.

SULLIVAN: That's Avi Rubin, a Johns Hopkins professor and a cybersecurity expert. Baltimore Mayor Jack Young has said the city won't pay the ransom demand. Rubin says there's no way any federal agency could replicate the key needed to unlock the data.

RUBIN: I don't even think that the NSA would be able to break this.

SULLIVAN: And that means Baltimore will essentially have to painstakingly rebuild its online systems. And as expected, residents here are not happy about it. Many think the city should have been prepared for a cyberattack, especially after Atlanta was hit by malware last year and made national news. Local reports say it cost Atlanta $17 million to recover from the attack. Baltimore was using older hardware and software, which are more vulnerable. Avi Rubin doesn't blame the cash-strapped city for falling victim. That kind of attitude appears commonplace.

RUBIN: It costs a lot of money to prepare for something like this. And if it's never happened, it's only natural to say, well, this type of thing has never happened before so why should we spend a lot of money on it?

SULLIVAN: At least 20 municipalities and Cleveland's airport were hit by similar malware attacks in recent months. Private companies are targeted all the time, and ransoms do get paid, providing hackers motivation to keep up attacks. Years ago, it was hospitals being attacked, and most bolstered security. But it's harder for a city like Baltimore to spend a lot of money on what can feel like an abstract threat. Rubin says hopefully this latest cyberattack will change that.

RUBIN: It should be an early warning sign to a lot of other cities that they need to beef up their security, and they need to beef up their IT. They need to get more modern computer systems, use the cloud.

SULLIVAN: Ashley Merson (ph) has been under contract for a two-bedroom house for over a month now. She's frustrated that the real estate system didn't have a paper backup in place.

ASHLEY MERSON: The fact that you have a completely unsustainable computer system with no plan in place for when something like this happens after watching it happen to countless other cities, it's frustrating and disappointing.

SULLIVAN: Yesterday, nearly two weeks after the attacks, officials introduced a non-digital workaround for home buying, involving lots of paper. Meanwhile, as the cyberattack continues, officials say they'll try to come up with paper workarounds for other city services.

For NPR News, I'm Emily Sullivan in Baltimore. Transcript provided by NPR, Copyright NPR.