Analysis of ransomware used in Baltimore attack indicates hackers needed ‘unfettered access’ to city computers

Officials in the eastern North Carolina city of Greenville arrived to work one morning in early April to find the files on some 800 of their computers locked up.

More than five weeks later, they’re still recovering from the debilitating cyberattack.


The city of around 92,000 realized April 10 it had fallen prey to hackers — the first known victim of a new strain of so-called ransomware dubbed RobbinHood. Somehow, the attackers gained access to a city administrative account, allowing them to take over the system and sow the virus one computer at a time.

“Once it had that, it was able to lock our servers and files and everything,” Greenville spokesman Brock Letchworth said.


As Greenville fought to revive its systems, Baltimore became RobbinHood’s second apparent victim, knocking email and payment systems offline and grinding the city’s real estate market to a halt.

Because the strain is new, it can slip past anti-virus tools and relies on hackers gaining what one security researcher called “unfettered access” to a victim’s system days or perhaps even weeks in advance.

“This is a targeted ransomware,” said researcher Vitali Kremez, who has cracked RobbinHood open and studied its workings. “They knew who they were asking to extort.”

More attacks could be coming. After Baltimore officials said May 7 that the city had been hit, the National Capital Region Threat Intelligence Consortium, a government intelligence fusion center in Washington, issued a warning that evening. The organization circulated a bulletin saying it “assesses with moderate confidence that a new ransomware campaign, dubbed RobbinHood Ransomware, is actively targeting government networks within the United States.”

State and local government agencies have increasingly become victims of ransomware attacks, with the number exploding in 2016. Researchers have found that local governments often have poor defenses, and they present hackers with an attractive target.

Baltimore has been hit before: Last year the city’s 911 system was infected with another virus.

“Criminals just saw bigger business and now, governments, as more lucrative,” said Nickolas Savage, a senior agent in the Baltimore FBI office, who declined to comment on the specifics of the Baltimore attack.

Officials in Baltimore have said they won’t pay the ransom. They have said little about the attack, but in a statement Friday, Democratic Mayor Bernard C. “Jack” Young said it could be months until all services are restored.


“I am not able to provide you with an exact timeline on when all systems will be restored,” Young said. “Like any large enterprise, we have thousands of systems and applications.”

Young said his newly appointed deputy chief of staff for operations, Sheryl Goldstein, would oversee the response when she starts work Monday in her $182,000-a-year job.

The mayor’s office did not respond to questions from The Baltimore Sun about the attack or the city’s defenses. In the statement, Young said he was limited in what he could say because the FBI is investigating.

The similarities between what is known about the attack in Baltimore and the one in North Carolina are striking.

A ransom message left on Greenville’s machines demanded the same payment the hackers are asking for in Baltimore: 3 Bitcoins to unlock each affected system, or 13 Bitcoins in exchange for unlocking all the city’s systems. As in Baltimore, the attackers said the cost would increase $10,000 per day after four days.

Kremez, a former cybersecurity analyst at the Manhattan district attorney’s office and former research director at security firm Flashpoint, said the attack’s timing and similarity in the amount demanded — despite Baltimore’s significantly larger size — makes it likely that the same version of RobbinHood infected both cities.


Kremez determined that RobbinHood could not have spread from machine to machine across a network on its own. Rather, the attackers would have needed to obtain access that would make them appear to be legitimate administrators, and then target individual victim computers.

“It was definitely written by experienced coders,” Kremez said.

Baltimore officials have yet to provide an estimate of how many of the city’s computers the malware infected.

By the afternoon of the attack, Baltimore had shut down most of its servers “out of an abundance of precaution,” according to a tweet posted to Young’s account.

Greenville did not pay its hackers, Letchworth said. For at least two weeks, departments relied on “skeletal systems,” filing some reports by pen and paper rather than electronically, he said.

By April 25, the city’s website and email addresses were working. It took another couple of weeks to re-image employees’ PCs, a process that involved reverting to a backup of the computer system, he said.


Letchworth could not provide estimates of the cost of recovery, saying that expenses were still being compiled and some servers were still being rebuilt. The city is insured against cyberattacks, he said, at a $50,000 deductible.

Letchworth said the city’s team is still not sure how the attackers first got into the system. They have been investigating suspicious activity on the network dating back to October, but have not confirmed a link between that and the ransomware.

Kremez said RobbinHood’s infiltration and extortion tactic mimics that of SamSam, the ransomware that infected more than 200 victims, including the city of Atlanta and Columbia-based hospital network MedStar Health.

The FBI and federal prosecutors charged two Iranian hackers with spreading SamSam, saying they collected $6 million in ransom payments and cost their victims $30 million.

An analysis by the cybersecurity firm Recorded Future found that state and local governments were less likely than other sectors to pay in the case of a ransomware attack. Nonetheless, with state and local municipalities, “there is still an almost 1 in 5 chance that an attacker will get paid,” the report’s author, Allan Liksa, wrote.

State and local government ransomware attacks


At a City Hall news conference Wednesday, City Solicitor Andre Davis said he and Chief Information Officer Frank Johnson had reached out to other cities hit by hackers.

“I’ve taken advantage of lessons learned by Atlanta,” Davis said.

Atlanta was hit by SamSam in March 2018, costing the city — which did not pay the $51,000 ransom — an estimated $17 million in software upgrades and new computers, according to a confidential report obtained by The Atlanta Journal-Constitution and WSB-TV.

Like Greenville, Atlanta had insurance to cover cybersecurity incidents. Baltimore’s head of computer security told City Council members last year at a budget hearing that the city needed such a policy, but officials did not obtain one.

A spokesman for Young said the mayor has now directed the city’s finance and law departments to get coverage.

Savage, the FBI agent, said network managers need to educate regular users to be wary of risks, put in safeguards so that when an attacker does break in they can’t move around freely, and have a plan to recover if attacked.


“Potential victims have a responsibility to also harden their networks to make sure they're not making it easy on people who are trying to victimize them,” he said.

Maryland Policy & Politics

Maryland Policy & Politics


Keep up to date with Maryland politics, elections and important decisions made by federal, state and local government officials.

Baltimore officials began warning after the ransomware attack that hit the city’s 911 system last year that the city wasn’t spending enough to protect itself.

At a news conference the day after the new attack was detected, Johnson said that the city’s computer defenses had been reviewed and received “multiple clean bills of health.”

“We have a very very good capability,” Johnson said.

But during a budget presentation in January to the city’s Planning Commission, Johnson described the city’s defenses differently. He said the city was “woefully behind in cybersecurity capabilities, staff needs and infrastructure.”

Johnson described a string of potential weaknesses. The city’s email system was “running on-site on creaky old systems.” A firewall to stop intruders was being upgraded, but officials “still have a couple of years of work left.” Installing software patches — which often include important security upgrades — had to be done one computer at a time, sometimes by “dispatching a technician physically to a user.”


Even the physical network connections linking different parts of city government were at risk because too many relied on a single cable.

“If somebody was digging up one of the streets a couple of blocks from here, there’s a really good chance they could knock City Hall offline with one backhoe swipe,” Johnson said.