Baltimore City

'It is preferable for us to be safe': Baltimore ransomware recovery going slowly so defenses can be hardened

Baltimore’s IT team will only slowly bring computer systems back online so that it can ensure they’re more secure following the ransomware attack that hobbled city services, a senior aide to Mayor Bernard C. “Jack” Young said Wednesday.

Sheryl Goldstein, a deputy chief of staff given the job of overseeing the response to the cyberattack, said staff are split into a forensic team and a recovery team.


The first is focused on hunting the malicious computer code that allowed hackers to lock city files.

“Every machine that was potentially impacted and every server that was potentially impacted has to be assessed,” Goldstein said.


Meanwhile, the recovery group is working to bring back systems such as email and databases. That team is proceeding cautiously.

“The first step is to create a safe environment in which you can slowly start bringing things back online, making sure there's nothing in there that's problematic,” Goldstein said.

Goldstein’s comments are the most extensive by a city official since the ransomware was discovered May 7. Officials have been reluctant to share much information about the attack or the city’s recovery, not wanting to impede a federal investigation or to share information that hackers could use to target the city again.

Ransomware involves hackers encrypting the victims’ data and demanding payment for the keys to unlock them. In Baltimore’s case the attackers wanted the equivalent of $76,000 in bitcoin, but Young has repeatedly said the city won’t pay.

The attack knocked out email for city employees and took down the city’s ability to accept card payments for services. Most dramatically, it halted the city’s real estate market because the finance department could not verify that outstanding debts lodged against properties had been cleared.

But some city employees have been able to use laptops — their own or those issued by the city — and public Wi-Fi to do work. Other jobs are being done by hand.

On Monday, the city launched a workaround to get property sales moving again and Goldstein said after a slow start that paperwork is being processed about as fast as it was on computers before the attack.

“We’re getting back to a place where operations while different are at normal levels of service,” she said.


Breaking News Alerts

As it happens

Be informed of breaking news as it happens and notified about other don't-miss content with our free news alerts.

Officials want residents to contact 311 if they find there’s a service they can’t access during the outage.

Goldstein declined to say when computer systems might begin coming back online. But she pointed to Atlanta, which suffered a similar attack last year, saying it was about six months until services were restored to something like full capacity and that the recovery was still going on a year after the incident.

“It is preferable for us to be safe and do it right than to do it fast,” she said.

Goldstein also said officials are looking to the beginning of the new fiscal year on July 1 to ensure that property tax bills are issued correctly.

But Goldstein stressed that just because city leaders weren’t providing a public timeline doesn’t mean some systems won’t be back online soon.

The ransomware attack is the second the city has suffered in just over a year. After the previous incident, the Baltimore’s IT leaders warned that the city needed to take new precautions, but it’s not clear what steps had been taken before the fresh attack.


Goldstein started in the mayor’s office Monday and said she was still in the process of gathering information about the previous incident and the response.