
Why Ransomware Encrypted Baltimore's Systems and How It Could Have Been Prevented

May 28, 2019

As these attacks show, failing to take preventative measures can have catastrophic effects. Here are a few tips to protect against ransomware attacks.

Zach Capers, Sr Specialist Analyst

Since early May, the city of Baltimore has been under siege by ransomware. The offending ransomware, called RobbinHood, has encrypted data needed to perform several city services, and its operators are demanding a payment of 13 bitcoins (about $113,000 at the time of writing) to restore the city's files.

Ransomware attacks on cities have been increasing around the country. For example, in March 2018, Atlanta was compromised by a ransomware attack that ended up costing taxpayers millions of dollars.

Remarkably, this isn’t even Baltimore’s first experience being held hostage by malware. Only a year ago, ransomware encrypted a server that powers the city’s 911 dispatch system, temporarily halting emergency services.

Why ransomware encrypted Baltimore's files

For several years, ransomware has been one of the most pervasive and effective cybersecurity threats. Ransomware is malicious software that locks you out of your computer or your data and demands a ransom to regain access. The simpler "locker" variety only blocks the screen or the login and can usually be cleaned off; the more severe cryptoviral variety actually encrypts the stored files, so removing the malware does nothing to bring the data back without the decryption key. The RobbinHood variant affecting Baltimore falls in the latter category.

Large public institutions such as municipalities, hospitals, and universities are prime targets for ransomware schemes. These organizations typically hold large volumes of personally identifiable information (PII) and regulated data. For hospitals, regaining access to files can be life or death, which often leads to quick ransom payments.

Additionally, these institutions often don't, or can't, allocate sufficient funds for IT security, typically scraping by with minimal staff, outdated equipment, and unpatched systems. Moreover, they usually can't afford the downtime that comes with upgrading or updating such large and diffuse IT estates.

How to prevent a ransomware attack

As these attacks have shown, failing to take preventative measures can have catastrophic effects. Here are a few tips on how your organization can protect against ransomware attacks.

Regularly patch all systems

Public interest in ransomware clearly peaked in mid-2017 when WannaCry exploded onto the scene, infecting hundreds of thousands of machines around the world within hours.

Google search data for ransomware since 2016; the spike is WannaCry (Source)

However, despite WannaCry being one of the most publicized cyberattacks of recent years, countless vulnerable computers around the world still haven't been patched, never mind that Microsoft had published the fix (security bulletin MS17-010) two months before WannaCry swept the globe, which would have prevented the outbreak in the first place.

And guess what: early reporting on the Baltimore attack tied RobbinHood to EternalBlue, the same NSA-developed exploit that propagated WannaCry and NotPetya (which posed as ransomware but was effectively a wiper). That link is disputed. Researchers who analyzed RobbinHood samples found no EternalBlue code and no self-spreading capability, and the malware appears to have been pushed to machines by hand once the attackers had a foothold in the city's network. Either way, the patch that closes the SMBv1 hole EternalBlue abuses has been available since March 2017. How an exploit designed by the NSA ended up in criminals' hands is a fascinating part of this story that is beyond the scope of this article.

All of this is to say that regularly patching systems is one of the most critical yet overlooked aspects of IT security. A practical check for this particular hole: confirm that MS17-010 is installed and that the SMBv1 protocol is disabled on every Windows host, since SMBv1 is what EternalBlue exploits and nothing modern needs it. Check out our recent article about software exploits and patch management for detailed strategies.

Back up your data

There's no excuse for ransomware bringing a city to its knees: even the worst attack can be overcome with a solid backup strategy, provided the backups themselves survive it. Attackers routinely look for reachable backups and encrypt or delete them before they trigger the ransomware, so at least one copy must be offline or otherwise unwritable from the production network, and restores must be rehearsed before they are needed rather than discovered broken on the day. Because of the threat of a ransomware attack, natural disaster, or any number of other destructive events, having a disaster recovery plan in place is essential in 2019.

With the advent of cloud-based software and data storage, continuously backing up end-user data to off-site storage is simple. Make sure the service keeps prior versions of each file, so that an encrypted copy synced to the cloud doesn't silently overwrite the only good one, and that the backup account can't be reached with the same credentials the attacker now holds.

Settings in cloud backup software CrashPlan (Source)
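The "rehearsed restore" part of a backup strategy is the part most often skipped, so here it is in concrete form. The following Python script is an added example written for this article, not code from the article's author or from CrashPlan: it backs up a constructed directory into a read-only archive with a SHA-256 manifest, simulates ransomware overwriting the originals, uses the manifest to spot the damage, and proves the archive restores cleanly. The directory names, sample files and the read-only chmod as a stand-in for offline storage are assumptions for the demonstration.

```python
"""Added example: backup with an integrity manifest plus a rehearsed restore.
Not code from the article or from CrashPlan; directory names and sample
files are constructed for the demonstration."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root) -> dict:
    """Relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, store) -> Path:
    """Archive source into store/ alongside a manifest, then make both
    read-only: a crude stand-in for offline or immutable backup storage."""
    source, store = Path(source), Path(store)
    store.mkdir(parents=True, exist_ok=True)
    archive = store / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(str(child), arcname=child.name)
    (store / "manifest.json").write_text(json.dumps(make_manifest(source), indent=1))
    for f in (archive, store / "manifest.json"):
        os.chmod(f, 0o444)
    return archive


def verify_restore(store, restore_to):
    """Restore into an empty directory and compare every file against the
    manifest. Returns (ok, sorted list of paths that are missing or differ)."""
    store, restore_to = Path(store), Path(restore_to)
    restore_to.mkdir(parents=True, exist_ok=True)
    manifest = json.loads((store / "manifest.json").read_text())
    with tarfile.open(store / "backup.tar.gz", "r:gz") as tar:
        try:
            tar.extractall(restore_to, filter="data")  # refuses ../ and absolute paths
        except TypeError:                                # older Python without the filter argument
            tar.extractall(restore_to)
    restored = make_manifest(restore_to)
    bad = (set(manifest) ^ set(restored)) | {p for p in manifest if restored.get(p) != manifest[p]}
    return not bad, sorted(bad)


def changed_since_backup(store, source) -> list:
    """Files whose current hash no longer matches the manifest: a cheap way to
    spot mass encryption (or a poisoned backup) before trusting either side."""
    manifest = json.loads((Path(store) / "manifest.json").read_text())
    current = make_manifest(source)
    return sorted(p for p in set(manifest) | set(current) if manifest.get(p) != current.get(p))


def demo() -> dict:
    """End to end: back up, get 'hit' by ransomware, detect the damage, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, store, restore = Path(tmp, "cityfiles"), Path(tmp, "offsite"), Path(tmp, "restore")
        (src / "notes").mkdir(parents=True)
        (src / "permits.csv").write_text("id,address,status\n1,100 Main St,issued\n")
        (src / "notes" / "dispatch.txt").write_text("CAD server rebuilt from image after 2018 incident\n")
        backup(src, store)
        clean = changed_since_backup(store, src)           # expected: nothing changed yet
        # Simulated crypto-ransomware: overwrite every file with unreadable bytes.
        for p in src.rglob("*"):
            if p.is_file():
                p.write_bytes(hashlib.sha256(p.read_bytes()).digest())
        damaged = changed_since_backup(store, src)
        ok, mismatches = verify_restore(store, restore)
        return {"clean_after_backup": clean, "damaged": damaged,
                "restore_ok": ok, "restore_mismatches": mismatches}


if __name__ == "__main__":
    print(demo())
```

The manifest is the piece that turns "we have a backup" into "we have a backup we can trust": run `changed_since_backup` against production on a schedule and a sudden jump in the number of changed files is itself a ransomware alarm, while running `verify_restore` on a schedule catches a backup job that has been quietly writing garbage.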

Adopt endpoint security software

Invest in an endpoint protection platform to protect computers and devices from emerging threats. Ensure that it includes next-generation antivirus (NGAV) capable of identifying newer incarnations of malware that can't be detected by traditional signature-based programs.

Many of these platforms use machine learning and behavioral analysis (for example, flagging a process that rapidly rewrites many files with high-entropy content or renames them all to a new extension) to keep up with continually evolving threats such as ransomware. They also commonly include rollback options that let users undo a ransomware attack by restoring files to a previous point in time. One caveat: rollback that relies on Windows Volume Shadow Copies is only as good as the copies, and most ransomware families delete them (for instance with vssadmin delete shadows) before encrypting anything, so a platform's own protected snapshots are worth more than the stock shadow copies.
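To make the behavioral point concrete, here is an added example (not code from the article or from any endpoint product it mentions) of the kind of heuristic such platforms apply. It scores per-process file events on three indicators: writes whose content has ciphertext-like entropy, mass renames onto one new extension, and shadow-copy deletion. The event format, thresholds, process IDs, paths, file contents and the `.locked` extension are all constructed for the demonstration.

```python
"""Added example: a toy behavioral ransomware detector over constructed
file-system events. Not code from the article or any endpoint product.
The event format, thresholds and sample events are assumptions."""
import hashlib
import math
import re
from collections import defaultdict

# Thresholds are assumptions; a real product tunes them per environment.
ENTROPY_THRESHOLD = 7.0      # bits per byte; documents and source code sit well below this
HIGH_ENTROPY_THRESHOLD = 3   # high-entropy writes from one process before we alert
MASS_RENAME_THRESHOLD = 3    # files renamed onto one new extension before we alert
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _extension(path: str) -> str:
    """Lower-cased final extension of a Windows or POSIX path, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyse(events) -> dict:
    """Aggregate indicators per process. Returns {pid: [reasons]} for processes
    that cross a threshold; processes that look benign are absent."""
    stats = defaultdict(lambda: {"high_entropy": 0, "renames": defaultdict(int),
                                 "shadow_delete": False})
    for pid, kind, target, payload in events:
        s = stats[pid]
        if kind == "write" and shannon_entropy(payload) >= ENTROPY_THRESHOLD:
            s["high_entropy"] += 1
        elif kind == "rename":
            old_ext, new_ext = _extension(target), _extension(payload)
            if new_ext != old_ext:
                s["renames"][new_ext] += 1
        elif kind == "exec" and SHADOW_DELETE.search(payload):
            s["shadow_delete"] = True

    verdicts = {}
    for pid, s in stats.items():
        reasons = []
        if s["shadow_delete"]:
            reasons.append("deleted volume shadow copies")
        if s["high_entropy"] >= HIGH_ENTROPY_THRESHOLD:
            reasons.append(f"{s['high_entropy']} high-entropy file writes")
        for ext, n in s["renames"].items():
            if n >= MASS_RENAME_THRESHOLD:
                reasons.append(f"{n} files renamed to .{ext}")
        if reasons:
            verdicts[pid] = reasons
    return verdicts


def fake_ciphertext(size: int) -> bytes:
    """Deterministic stand-in for encrypted file content (close to 8 bits/byte)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def build_sample_events() -> list:
    """Constructed telemetry: (pid, kind, target path, payload). For 'write' the
    payload is the bytes written, for 'rename' the new path, for 'exec' the command line."""
    events = [
        # pid 101: a word processor saving an ordinary document
        (101, "write", "C:\\Users\\ann\\report.docx",
         b"Quarterly report: dispatch call volume flat, permit backlog down 12%.\n" * 8),
        (101, "rename", "C:\\Users\\ann\\~WRD0001.tmp", "C:\\Users\\ann\\report.docx"),
        # pid 202: an unknown process killing rollback, then encrypting and renaming files
        (202, "exec", "C:\\Windows\\System32\\cmd.exe",
         "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ]
    for name in ("report.docx", "permits.xlsx", "budget.pdf"):
        path = "C:\\Users\\ann\\" + name
        events.append((202, "write", path, fake_ciphertext(4096)))
        events.append((202, "rename", path, path + ".locked"))
    return events


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: " + "; ".join(reasons))
```

Real products get these events from a file-system filter driver and raise the alert after a handful of files rather than after the whole share is gone; the point of the example is that none of the three indicators needs a signature for the specific malware family, which is why a brand-new variant still trips them.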

2 steps to take if you're attacked by ransomware

Even the best prevention and recovery plans can go awry, and IT security software can't stop every attack. Here are some tips for dealing with ransomware if all else fails.

1. Try to decrypt your files

If you suddenly find that ransomware encrypted your files after trying to watch a funny cat video, stay calm and try to decrypt. Start by identifying the family from the ransom note and the extension appended to the encrypted files. There are many resources out there that can help, including the nonprofit No More Ransom project, which maintains an archive of free decryption tools and keys that can sometimes resolve a ransomware attack, and whose Crypto Sheriff service identifies the strain from an uploaded encrypted file or ransom note.

If that doesn't work, isolate the affected machines from the network so the infection can't spread, report the incident to law enforcement (in the US, the FBI's Internet Crime Complaint Center), and only then attempt communication with the hackers via the email address typically provided in the ransom message. Try to arrange a small payment in exchange for a trial key, or ask them to decrypt a sample file for free, to confirm the files can actually be decrypted. Contact with the hackers might also facilitate a lower ransom payment.

If no dialogue can be established, or if the email address is found to be invalid, it’s probably a bad idea to consider paying the ransom.

2. Pay the ransom, if you must

Though some ransomware attackers, such as Baltimore’s, demand hundreds of thousands of dollars, most settle for a few hundred bucks. This is because you’re more likely to pay $500 to regain access to your $1,600 MacBook than to pay several times its value. And even if you’ve properly backed up your files, you still want to use your computer.

But paying the ransom doesn’t always work. Victims commonly send the requested cryptocurrency only to never receive the decryption keys in return. For this reason, paying the ransom should be a last resort.

Still, paying the ransom works more often than it doesn't. In fact, some reports indicate that only one in five businesses that pay fail to regain access to their files. That's a surprisingly solid 80% success rate. You definitely shouldn't trust a thief, but if victims never got their files back, the whole scheme would fall apart. Therefore, it's in the hacker's best interest to decrypt your files.

Payment is invariably demanded in one of a plethora of cryptocurrencies. Bitcoin is the most common, but many hackers prefer privacy-focused currencies such as Monero, Dash, or Zcash, whose transactions are harder to trace.

To purchase cryptocurrency, first establish an account with a reputable exchange where you can buy the most common currencies. You might then need to transfer them to a second, and perhaps less reputable, exchange to obtain more obscure cryptocurrencies.

Keep in mind that if you store cryptocurrencies outside of an exchange, it is critical to keep track of the keys. Much like ransomware, if you don’t have the keys, you can’t regain access.

Next Steps

Ransomware is as effective as it is destructive, and it's only getting worse. Statistics show that attacks have been rising steadily over the last few years. Fortunately, there are many ways to prevent the worst effects of attacks, whether ransomware encrypted your laptop or the city's most important servers.

So Baltimore: Pretty please, with sugar on top, consider paying the ransom, try to shift a little more of the budget over to IT security, and get everyone in a room to work on improving your disaster recovery plan.

The applications selected are examples to show a feature in context and are not intended as endorsements or recommendations.

Note: This document, while intended to inform our clients about the current data security challenges experienced by IT companies in the global marketplace, is in no way intended to provide legal advice or to endorse a specific course of action.

About the author

Zach Capers

Sr Specialist Analyst
Zach Capers is a senior analyst at GetApp, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.