Baltimore city government computers were infected with ransomware Tuesday, the mayor’s office said, the second time in just over a year that hackers demanding payment disrupted the city’s technology systems.
“Employees are working diligently to locate the source and extent of the infection,” said Lester Davis, a spokesman for Democratic Mayor Bernard C. “Jack” Young.
Davis said critical systems, including 911 and 311, were not been affected, but that the majority of city servers were shut down. The effects ranged from a City Council committee canceling a hearing on gun violence to water customers being unable to get billing questions answered.
By the afternoon, Davis said, city teams had the ransomware quarantined. But the cause and scale of the problem was not clear Tuesday evening and Davis did not know when the affected systems would be back online.
Dave Fitz, a spokesman for the FBI’s Baltimore office, said agents from its cyber squad were assisting the city.
A similar attack affected the city’s phone system last year, shutting down automated dispatches for 911 and 311 calls.
Don Norris, a professor emeritus at the University of Maryland, Baltimore County, said the city’s repeat victimization underscores how municipal governments struggle to keep computer networks safe.
“You’ve got increasingly sophisticated and very persistent bad guys out there looking for any vulnerability they can find and local governments, including Baltimore, who either don’t have the money or don’t spend it to properly protect their assets,” said Norris, who surveyed local government leaders about computer security in 2016.
“I’m not surprised that it happened,” he said, “and I won't be surprised when it happens again.”
Ransomware works by locking up files using encryption so users can’t access them. The hackers then demand payment to provide the cyber keys to unlock the files, typically in the hard-to-trace digital currency bitcoin.
Davis said the new attack in Baltimore was similar to one that affected the city of Greenville, North Carolina, last month.
The ransomware variant in that case was identified as RobbinHood, a new form about which little is known. The Baltimore Sun obtained a copy of a ransom note left on a Baltimore city computer; it also identified the ransomware as RobbinHood.
Democratic City Councilman Ryan Dorsey said at least some City Hall staff were told Tuesday to disconnect computers and other devices from the internet.
“Everybody has been instructed to unplug the Ethernet cable and turn off power to their computers, printers and such,” Dorsey said. “It’s apparently spreading computer to computer.”
Davis said that was not the official guidance from the city’s IT office, which asked people to simply leave their computers in whatever state they found them.
A computer security news site, Bleeping Computer, reported that RobbinHood did not appear to spread by spam email, but how it infected computers was not certain.
The ransom message on Baltimore’s computer system said RobbinHood used a file-locking virus that encrypts files to take them hostage. The note demanded payment of 3 Bitcoins (equivalent to about $17,600 at current prices) per system, or 13 Bitcoins (worth about $76,280) in exchange for freeing all the city’s systems.
“We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the ransom note said.
It said that ransom must be paid within four days, or the price would go up, and that after 10 days, the city would not be able to get its data back.
The note warned the city against calling the FBI, saying that would prompt the attackers to cut off contact. It also said that attempts to use anti-virus software would damage the city’s files. The ransomware’s procedures are automated, the note said, “so don’t ask for more times or somethings like that.”
“We won’t talk more, all we know is MONEY!” the note said. “Hurry up! Tik Tak, Tik Tak, Tik Tak!”
Christopher Elisan, director of intelligence at Flashpoint, a New York-based computer security company, said the writing style in the note doesn’t necessarily indicate a foreign hacker. Some U.S.-based attackers use incorrect spellings and grammar or operate during the working hours of other countries to deceive victims and investigators.
“Digital evidence can be faked,” he said.
Elisan said the relatively small ransom demand suggested the attack was not targeted.
Organizations infected with ransomware can choose to pay up — something Davis said the city would not do — use a backup or live with the loss of the data.
Renaud Deraison, the co-founder of Columbia cybersecurity firm Tenable, said the best defense against being infected is keeping computer systems up to date. Ransomware and other kinds of attacks rely on known weaknesses in Windows software, he said, and can be blocked when users regularly install updates with patches.
“It’s not just bad luck. There is a root cause for all these viruses spreading around,” Deraison said.
The Department of Public Works was the first to disclose Tuesday’s problems, tweeting at 8:54 a.m. that its email service was down. In a subsequent message, it said customer service phone lines also were not working. A DPW website for paying water bills also appeared to be out of order.
Dorsey said the last city email he received on his phone came through at 1:14 a.m.
By 4 p.m., the lobby at City Hall was flooded by departing employees who appeared to be leaving early for the day. In addition to the City Council public safety committee hearing that was scrapped, a City Hall employee said most other scheduled events were canceled.
The outage also prevented the city Department of Transportation's impound lot on Pulaski Highway from taking in towed vehicles Tuesday, said Frank Murphy, the acting transportation director.
“I don’t know the specifics” of the outage, Murphy said. “Never a dull moment.”