The Baltimore Ransomware attack
On 7 May 2019, the American city of Baltimore was attacked by ransomware. IT experts identified the ransomware that caused chaos in Baltimore as ‘RobbinHood’, a relatively new ransomware variant according to The Baltimore Sun. The authorities and the technical experts who identified the ransomware have not yet named any specific group behind the attack; such attacks often turn out to have been carried out by Russian or Eastern European hackers.
Baltimore was the second city in the U.S. to fall victim to this new strain of ransomware, after Greenville, North Carolina. It was also the second major U.S. city with a population of over 500,000 to be hit by ransomware in two years, after Atlanta was attacked the previous year.
- Attack Effects:
- As soon as the F.B.I. was notified of the attack, the systems were taken offline. Despite this, many of Baltimore’s servers were affected by the ransomware, and large parts of the computer systems that run Baltimore’s government were seized by the hackers.
- Before the F.B.I. could act to stop it, the ransomware took down voice mail, email, a parking-fines database and the systems used to pay water bills, property taxes and vehicle citations. The attack delayed at least 1,500 pending home sales.
- Threat:
- Bitcoin’s price fluctuates wildly. At the rate on the day of the attack, unlocking the seized files would have cost the city’s authorities $17,000 per system, or $75,000 in total to regain access to all of the data.
- The note reads: “We won’t talk more all we know is MONEY!”
- The note stated that if the demands were not met within 4 days the price would increase, and that if payment was delayed beyond 10 days the city would permanently lose all of the data.
- The attack had a negative impact on the real estate market as property transfers could not be completed until the system was restored on May 20th.
- As of 13 May 2019, all systems still remained down for city employees, and recovery was estimated to take weeks. As of May 20, 2019, full restoration of all systems was still estimated to take several more weeks.
- RobbinHood Ransomware:
- RobbinHood is one of the more interesting ransomware variants to have appeared recently. It was written in the Go programming language and compiled to a 32-bit executable.
- The ransomware encrypts the victim’s hard drive using a combination of RSA and AES. It then drops a ransom note file on the victim’s desktop; this note states the demands and instructs the victim to contact the attackers via a Tor (.onion) website.
- Through this contact, the attackers claim they will make a decryption tool available that allows the victim to recover their files, in return for payment in Bitcoin.
- More evidence that too many organizations still fail at disaster planning: Baltimore says its ransomware recovery has been hampered because there was no IT policy ensuring that all PCs were being centrally backed up. As a result, numerous files that were crypto-locked in its May 7 attack have reportedly been lost forever.
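The behaviour described above (bulk encryption of files plus a payment note dropped on the desktop) is what a defender can look for on a host. The following Python script is an added example, not code from the article or from any RobbinHood analysis: it flags a directory tree in which many files now hold ciphertext-like high-entropy data, or in which a payment-demanding note has appeared. The thresholds, file names and sample tree are constructed for this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical thresholds chosen for this example, not values from the article.
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext is close to the 8.0 maximum
MIN_SUSPECT_FILES = 5     # how many high-entropy files count as a mass-encryption burst

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_for_mass_encryption(root: Path, sample_bytes: int = 4096) -> dict:
    """Count files under `root` whose leading bytes look like ciphertext and
    note whether a ransom-note-like text file sits among them. Returns a
    summary dict so a caller (or a SIEM forwarder) can act on it."""
    suspect, note_found = [], False
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            suspect.append(path.name)
        elif "readme" in path.name.lower() and b"bitcoin" in head.lower():
            note_found = True        # low-entropy text that talks about payment
    return {"suspect_count": len(suspect), "ransom_note": note_found,
            "alert": len(suspect) >= MIN_SUSPECT_FILES or note_found}

def build_sample_tree() -> Path:
    """Constructed sample data: three plaintext reports, six files overwritten
    with random bytes (standing in for encrypted output) and a note on the desktop."""
    root = Path(tempfile.mkdtemp())
    for i in range(3):
        (root / f"report{i}.txt").write_text("quarterly water billing totals\n" * 40)
    for i in range(6):
        (root / f"report{i}.doc.locked").write_bytes(os.urandom(4096))
    (root / "Desktop").mkdir()
    (root / "Desktop" / "README_FOR_DECRYPT.txt").write_text(
        "We won't talk more all we know is MONEY! Pay in Bitcoin.\n")
    return root

if __name__ == "__main__":
    print(scan_for_mass_encryption(build_sample_tree()))
```

Compressed archives and media files also have high entropy, so in practice the count is compared against a baseline for the host rather than used on its own.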
- Baltimore isn’t alone:
- On April 10, officials in Greenville, N.C., discovered that they, too, were the victims of a RobbinHood attack. The city declined to pay the ransom, and the attack remained under investigation by the F.B.I., Mayor P.J. Connelly said by email. According to Allan Liska, an analyst at a cybersecurity firm, the first known ransomware attack was carried out three decades ago.
- In the 1989 attack, disks claiming to offer information about AIDS were mailed to more than 10,000 people around the world. Each disk carried software designed to hack into the computer’s files. Ransomware attacks have become much more frequent in recent years.
- Mr. Liska says: “The reason for the modern rise in ransomware, and frankly the wild success, is directly attributable to Bitcoin and other cryptocurrencies”. The current era can be traced back to 2013, when the police department in Swansea, Mass., was infected by malware known as CryptoLocker.
- There have been at least 169 incidents of state and local governments being attacked by ransomware since that year, although the estimate is probably low because governments don’t always publicize such attacks. In those cases about 70 percent of state and local governments refused to pay a ransom, while 17 percent did; for the remaining cases the outcome could not be determined.
- Ransomware prevention:
- Baltimore’s outdated approach to backups was the reason it was so vulnerable. The issue came to light in a city council committee meeting, when Baltimore City Auditor Josh Pasch said that the IT department could not keep track of whether it was meeting its goals, including modernizing mainframe applications and making more data accessible to residents via the city’s website.
- Maintaining proper backup and recovery operations is critical to recovering from ransomware. Because many ransomware strains can crypto-lock every network share mounted on a PC, or every system connected to a server, organizations also need to store recent backups offline, where the malware cannot reach and crypto-lock them.
- But backups are only one part of the challenge. Organizations also need a well-designed restoration process in place, ideally one that can rapidly restore all systems in a short amount of time.
- “Ransomware puts new requirements on backup. Instead of recovering a few files, one may have to recover many systems and applications at the same time,” says information security expert William H. Murray, writing in a recent SANS Institute newsletter. Given these new requirements, an organization should revisit its backup strategy before a ransomware attack strikes; with safe backups available, the speed of recovery increases drastically.
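The offline-backup and restoration-process advice above can be made concrete with a restore drill. The following Python script is an added example, not from the article or from any backup product: it writes a backup archive with a SHA-256 manifest, restores it into a scratch directory and verifies every file, so a silently damaged backup is caught in a drill rather than during an incident. The directory layout, file names and data are constructed for the example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source: Path, vault: Path) -> tuple:
    """Archive every file under `source` into `vault` with a SHA-256 manifest.
    In production `vault` is offline media the malware cannot mount."""
    archive, manifest = vault / "backup.tar", vault / "backup.manifest.json"
    hashes = {}
    with tarfile.open(str(archive), "w") as tar:
        for p in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = p.relative_to(source).as_posix()
            hashes[rel] = sha256_file(p)
            tar.add(str(p), arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2))
    return archive, manifest

def restore_drill(archive: Path, manifest: Path) -> dict:
    """Restore into a scratch directory and verify every manifest entry."""
    expected = json.loads(manifest.read_text())
    target = Path(tempfile.mkdtemp())
    with tarfile.open(str(archive), "r") as tar:
        kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(target), **kw)  # "data" filter (3.12+) rejects path traversal
    bad = [rel for rel, digest in expected.items()
           if not (target / rel).is_file() or sha256_file(target / rel) != digest]
    return {"files": len(expected), "mismatched": bad, "ok": not bad}

def demo() -> tuple:
    """Constructed scenario: back up three records, drill, corrupt one member, drill again."""
    work = Path(tempfile.mkdtemp())
    live, vault = work / "live", work / "vault"
    live.mkdir(); vault.mkdir()
    for i in range(3):
        (live / f"parcel{i}.csv").write_text(f"parcel,{i},owner{i}\n")
    archive, manifest = make_backup(live, vault)
    clean = restore_drill(archive, manifest)
    with tarfile.open(str(archive), "r") as tar:
        offset = tar.getmember("parcel1.csv").offset_data
    with archive.open("r+b") as fh:               # tar has no content checksum, so this
        fh.seek(offset); fh.write(b"XXXX")        # damage would otherwise go unnoticed
    return clean, restore_drill(archive, manifest)
```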