Baltimore City

Authorities investigating claim that Baltimore ransomware group leaked documents to Twitter

A sign on the front of the Abel Wolman Municipal Building warns visitors that "SYSTEMS ARE DOWN." Baltimore City real estate transactions are still being handled at a slower pace, even with a "workaround" installed to compensate for the ransomware attack on the city's computers.

Baltimore and federal authorities are investigating documents posted to a Twitter account that appeared to be tied to the hackers behind the city ransomware attack, a spokesman for Mayor Bernard C. “Jack” Young said Tuesday.

Before it was suspended Monday, a Twitter account claiming to be the hackers behind the ransomware attack in Baltimore had been publicly taunting Young for weeks — posting faxes and other materials the tweets said were evidence that they had been inside the city’s network.


One of the documents the account linked to included a detailed assessment of a woman’s medical history.

“That was not a simple ransom. It’s more,” the account posted May 12, along with an image of what appear to be faxes sent to the city, along with technical data.


Lester Davis, a spokesman for Young, said there’s currently no evidence that any personal data was breached in the attack. Nonetheless, Davis said the documents were being investigated.

“Authorities are aware of them,” Davis said. “We’re hoping to properly investigate and be transparent with our process.”

In a direct message to a Baltimore Sun reporter on Twitter, the account claiming to be the hackers said it had “financial documents and citizens [sic] personal information” and threatened further leaks.

“If you don’t like to see all of them in the darknet, tell to mayor!” the account said.

The account posted a link to a May 2 medical evaluation that appears to have been faxed to a lawyer for the city. The evaluation is connected to a lawsuit filed against the city. A lawyer for the woman who brought the case did not respond to a request for comment.

The account also shared what appears to be the cover page of a fax from a doctor’s office sent to a different city lawyer as part of a workers’ compensation case. The person identified as the claimant in the document confirmed that he had an active case involving the city, but said he didn’t know anything about the purported fax.

If the investigation finds data was taken that includes legally protected personal information — including social security or driver’s license numbers and health records — the city would be required to notify the Maryland Attorney General’s office and anyone whose information was compromised.

The ransomware attack began on May 7, shutting down city computer systems — many of which remain offline four weeks later — and costing taxpayers an estimated $18.2 million. The attackers used a ransomware variant called RobbinHood to encrypt city data and demanded payment to unlock the files.


Members of Maryland’s congressional delegation said Tuesday after a briefing by the National Security Agency that the city was infected via a phishing email — a message designed to trick potential victims into letting hackers into their computer network.

It’s unusual for hackers involved in spreading ransomware to publicly taunt their targets, but other kinds of hackers have been known to do so. It’s also unusual for a hacker spreading ransomware to also steal data.

In response to a Baltimore Sun reporter’s direct message Monday asking the user of the Twitter account to prove they were connected to those behind the ransomware, the Twitter handle and one of its tweets were posted to a page on the dark web where security researchers say the city was directed to go to communicate with the ransomware hackers.

Joe Stewart, a consultant working with security firm Armor, has been tracking the incident in Baltimore. Stewart said the posting of the tweet to the dark web page leaves him with “no doubt” that the hackers were behind the Twitter account.

Breaking News Alerts

Breaking News Alerts

As it happens

Be informed of breaking news as it happens and notified about other don't-miss content with our free news alerts.

“There’s no scenario where this could be anyone other than the attacker on Twitter,” he said.

Stewart said his analysis of the RobbinHood ransomware indicates it’s designed to be rented out for use, meaning it could be used by hackers of even limited technical ability. He said the Twitter taunts could be part of a kind of marketing campaign to advertise the ransomware to subscribers.


A Twitter spokeswoman said the account was suspended for breaking the service’s rules about sharing “hacked materials.”

The rules cover cases both were a user claims to have hacked material or in which Twitter has independently determined an account is linked to a particular hack. The spokeswoman declined to say which provision applied to the account claiming to be the Baltimore hackers.

Young has said repeatedly he wouldn’t pay the ransom, which was set at the equivalent of about $76,000 in bitcoin on the day the attack started.

The Twitter account urged the mayor to reconsider and even offered to unlock five machines for free.

“Hey @mayorbcyoung listen to me: the rule No. 1 to any #ransomware, is serving stable recovery for victims,” a May 25 tweet read. “People are not fool. You can freely decrypt 3 files, and several server with a low payment! You just do NOTHING! You are the only person that is responsible for this s---!”