Google disables Baltimore's Gmail accounts used during ransomware recovery

Thank you for supporting our journalism. This article is available exclusively for our subscribers, who help fund our work at The Baltimore Sun.

Gmail accounts used by Baltimore officials as a workaround while the city recovers from the ransomware attack were disabled because the creation of a large number of new accounts triggered Google’s automated security system, a spokesman for the company said.

Lester Davis, a spokesman for Mayor Bernard C. “Jack” Young, said city employees began realizing there was a problem Thursday morning and were able to talk to senior executives at Google later in the day to resolve the issue.


“They know Baltimore is dealing with a sensitive situation,” Davis said. “I don’t think it was ever their intent to be disruptive. … They stepped in and overruled the machines.”

James Bentley, another spokesman for Young, initially said the city had been told by Google that the accounts were “circumventing” the paid service the city would need for a business account.


Emails sent Thursday to addresses used by City Council President Brandon Scott, two City Council aides, a Health Department spokesman and an aide to the mayor were all sent back with a message: “The email account that you tried to reach is disabled.”

Brooks Hocog, a Google spokesman, said the company had restored access to the affected accounts. He said an automated security system “disabled the accounts due to the bulk creation of multiple consumer Gmail accounts from the same network.” A Google system detects when a large number of accounts is being created in one place and steps in because they might be used to send spam or commit fraud.

Google provides both a free Gmail service and a paid system for businesses and other organizations. The reason for the misunderstanding over the cause of the suspensions was not clear, but the creation of a large number of new addresses on a business account would not have been treated as suspicious by Google’s system.

Mona Rock, a spokeswoman for the Health Department, said she logged in Thursday morning and could see old messages but not send or receive messages. She said there was no notice showing why the account wasn’t working.

The ransomware struck Baltimore municipal government on May 7, locking up the city’s records, shutting down the online payment system and grinding the real estate market temporarily to a halt. It also knocked out email addresses. The hackers behind the attack demanded payment in the digital currency bitcoin to turn over the keys to the files.

The mayor’s office has said it could takes months to recover. The FBI and the Secret Service are investigating. On Thursday, members of Maryland’s congressional delegation requested a briefing on the attack from federal law enforcement.

Citing the investigation and concerns about giving hackers clues about the city’s weaknesses, city officials have been reluctant to share many details about how the incident happened or how they have been responding.

But Sheryl Goldstein, a newly hired deputy chief of staff to Young, said in an interview the city has divided its response between a forensic team and a recovery team. Goldstein, who started work Monday, has been assigned to oversee the response.


Breaking News Alerts

As it happens

Be informed of breaking news as it happens and notified about other don't-miss content with our free news alerts.

The forensic team is focused on hunting the malicious computer code that allowed hackers to lock city files. The ransomware is a new variant called RobbinHood. A researcher who has studied it says it relies on the attacker gaining “unfettered access” to the victim’s system. Goldstein said each of the city’s computers needs to be checked.

“Every machine that was potentially impacted and every server that was potentially impacted has to be assessed,” she said.

Meanwhile, the recovery group is working to bring back systems such as email and databases. That team is proceeding cautiously.

“The first step is to create a safe environment in which you can slowly start bringing things back online, making sure there’s nothing in there that’s problematic,” Goldstein said. “It is preferable for us to be safe and do it right than to do it fast.”

Goldstein declined to say when computer systems might begin coming back online. But she pointed to Atlanta, which suffered a similar attack last year, saying it was about six months until services were restored to something like full capacity and that the recovery was still going on a year after the incident.

In the meantime, officials have been developing new ways to get work done. Some employees have been using laptops — either ones issued by the city or their own — and public wifi. The Finance Department developed a new system for guaranteeing that sellers would clear outstanding debts against properties, getting the real estate market moving again. And many officials have been using Gmail accounts to communicate.


Google’s move bears some similarity to a decision by mobile internet provider Verizon to slow down a data connection being used by firefighters in California last year as they responded to the Mendocino Complex wildfire. Verizon later acknowledged it had made a mistake.