Systems at a number of Baltimore city government departments were taken offline on May 7 by a ransomware attack. As of 9:00 am today, email and other services are offline. Police, fire, and emergency response systems have not been affected by the attack, but nearly every other department of city government has been affected in some way.
Calls to the city’s Office of Information Technology were answered by a recording saying, “We are aware that systems are currently down. We are working to resolve the issue as quickly as possible.”
#BCRPALERT: BCRP is experiencing a networking and email outage. We apologize for the delay in all communications and are working to resolve the issue. Please note our online payment, permit, program registration and service request systems are currently affected. pic.twitter.com/vzXYnEqi7M
— Baltimore Rec & Parks (@RecNParks) May 7, 2019
Lester Davis, a spokesman for the Baltimore mayor’s office, told the Baltimore Sun’s Ian Duncan that the attack was similar to one that struck Greenville, North Carolina, in April.
Baltimore Chief Information Officer Frank Johnson confirmed at a press conference today that the malware is a “very aggressive” strain of RobbinHood ransomware, and that the FBI has identified it as a “legitimate new variant” of the malware. This new variant of RobbinHood appeared last month.
Security researcher Vitali Kremez, who recently reverse-engineered a RobbinHood sample, told Ars that the malware appears to target only files on a single system and does not spread through network shares. “It is believed that it is pushed directly to individual devices through psexec and/or domain controller compromise,” said Kremez. “The logic behind it is that the ransomware itself does not have any network spreading capabilities and is meant to be deployed on each device individually.”
That would mean an attacker would need to have administrative-level access to a system on the network “because of the way ransomware interacts with the C:\Windows\Temp directory,” Kremez explained.
In addition to requiring execution on each targeted machine, RobbinHood also requires that a public RSA key already exist on the targeted computer before it begins encrypting files. “That means that the attacker probably moved in several steps: gaining access to the network in question, moving laterally to obtain administrative privileges through a domain administrator account or through psexec, pushing and saving the RSA public key and the ransomware on each device, and then running it,” Kremez noted.
Before starting encryption, the RobbinHood malware disconnects all network shares with a net use * /DELETE /Y command and then runs through 181 Windows service shutdown commands, including the shutdown of various malware protection tools, backup agents, and email, database, and Internet Information Server (IIS) management services. This string of commands, which begins with an attempt to shut down Kaspersky’s AVP, will create a lot of noise on any monitoring system that watches Windows event logs.
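The noise described above is exactly what a log monitor can key on. The following added example (not from the original article or from any vendor) scans Windows-style event lines for the share-disconnect command and for a burst of Service Control Manager "stopped" events inside a short window; the log lines, the time window, the threshold and every service name other than AVP are constructed assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Matches the Service Control Manager "stopped" message (Event ID 7036).
STOP_RE = re.compile(r"The (?P<svc>.+?) service entered the stopped state")
# The share-disconnect command the article says RobbinHood issues before encrypting.
NET_USE_RE = re.compile(r"net use \* /DELETE /Y", re.IGNORECASE)

# Constructed sample log. Service names besides AVP are assumed examples of the
# backup, database, web and mail services the article says get shut down.
SAMPLE_LOG = """\
2019-05-07T06:58:10 EventID=7036 The Print Spooler service entered the stopped state.
2019-05-07T07:01:00 EventID=4688 New process: cmd.exe /c net use * /DELETE /Y
2019-05-07T07:01:02 EventID=7036 The AVP service entered the stopped state.
2019-05-07T07:01:03 EventID=7036 The BackupAgent service entered the stopped state.
2019-05-07T07:01:04 EventID=7036 The MSSQLSERVER service entered the stopped state.
2019-05-07T07:01:05 EventID=7036 The W3SVC service entered the stopped state.
2019-05-07T07:01:06 EventID=7036 The MSExchangeIS service entered the stopped state.
"""

def parse_line(line):
    """Split 'ISO-timestamp message' into (datetime, message)."""
    stamp, _, message = line.partition(" ")
    return datetime.fromisoformat(stamp), message

def detect(lines, window=timedelta(minutes=2), threshold=5):
    """Return (timestamp, reason, services) alerts for share disconnects and
    for bursts of >= threshold service stops inside a sliding time window."""
    alerts, recent = [], deque()          # recent: (timestamp, service) pairs
    for line in lines:
        ts, msg = parse_line(line)
        if NET_USE_RE.search(msg):
            alerts.append((ts, "all network shares disconnected", []))
            continue
        match = STOP_RE.search(msg)
        if not match:
            continue
        recent.append((ts, match["svc"]))
        while ts - recent[0][0] > window:   # drop stops older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ts, "service shutdown burst", [svc for _, svc in recent]))
            recent.clear()                  # one alert per burst
    return alerts

if __name__ == "__main__":
    for ts, reason, services in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), reason, ", ".join(services))
```

The single Print Spooler stop three minutes earlier falls outside the window and does not contribute to the burst, which is the point of windowing: routine service restarts should not trip the alert.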
Just over a year ago, Baltimore’s 911 system was hit by ransomware when maintenance on the city’s network briefly left a gap in a firewall. The firewall change was apparently only four hours old before the attackers exploited it, likely through automated scanning.
Johnson emphasized that the city’s information security controls have been reviewed and are up to date. “We’ve been inspected many times since I’ve been here, and we’ve received many clean bills of health,” he said. “We have very good potential. Unfortunately, it’s a race between bad actors and the cyber security industry.”
In his press conference, Baltimore’s new mayor, Bernard “Jack” Young, said he wasn’t sure how long the disruption would last. “We have a backup plan with the IT department,” he said, “but we can’t just go and restore it because we don’t know how far the virus has gone. So I don’t want people to think that Baltimore doesn’t have a backup.”
In the meantime, Young said, city officials will have to switch to doing things by hand. If city employees are unable to do their normal work for an extended period, Young said they may be asked to “help clean up the city.”