Lessons from Baltimore
Three weeks after being hit by a ransomware attack, the city is just starting to recover. What can other government IT shops learn?
It’s been weeks since Baltimore's city government has been able to send or receive email or electronically process real estate sales, water billing and other services. A ransomware attack that struck on May 7 continues to cripple city government computers as Mayor Bernard “Jack” Young stands by his decision not to pay the attackers’ ransom request of 13 bitcoin, or about $100,000. The incident has left experts and the public alike wondering how it happened -- and how it could have been prevented.
A recent New York Times article claims that a key component of the RobbinHood malware used in the recent Baltimore ransomware attack was EternalBlue, a hacking tool initially developed by the National Security Agency and later leaked to the public by the mysterious Shadow Brokers group in 2016. It was also used in the WannaCry and NotPetya attacks in 2017.
NSA warned Microsoft about the vulnerability the tool exploited when it was leaked, and the company quickly issued a patch, but Baltimore had not updated its systems. When bad actors scan the internet for vulnerable systems to hold for ransom, they find easy targets in underfunded enterprises running a hodge-podge of applications, some of which have aged out of support.
On May 29, Young released a statement saying the city was "in the process of restoring email and computer access to city employees." Public safety agencies have priority, but services at other agencies are also being restored. According to the statement, a successful pilot solution is being rolled out citywide.
So far the city has spent $4.6 million, and the total cost may exceed $18 million, according to a tweet from Councilman Isaac Schleifer, who said it was the cost of inaction.
"There should have been more safeguards in place, and now we find ourselves in a very costly predicament," Schleifer told WBALTV-11.
One way to mitigate a ransomware attack is with reliable backup systems, said Chris Duvall, senior director at The Chertoff Group. Such systems need to be tested and separated from networks to prevent access, but not all assets need to be backed up.
Backups help, but they aren’t a silver bullet, said Brian Vecci, technical evangelist at software firm Varonis Systems.
“Almost every organization that gets hit with ransomware has backups," Vecci said, but attackers can compromise those safeguards too. "If you’re really, really smart, you wait until the backups are overwritten or you encrypt the backups, too,” he said. “No one is going to solve the ransomware problem by having better backups.”
The better approach is two-pronged, he said. First, monitor how file data is used and then make sure that users can access only what they need. On average, 20% of an organization's data is accessible to every employee, according to Varonis, which means that a Baltimore city employee clicking on an infected email could instantly lock down 20% of data, Vecci said.
“If the only thing that governments did was start monitoring file usage, they would be much, much better equipped to prevent ransomware,” he said.
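The two-pronged approach above (watch file usage, then trim who can reach what) can be made concrete with two small checks. The script below is an added example, not code from the article or from Varonis: it flags a user whose write/rename activity on a file share spikes inside a short window, the pattern a mass-encryption run leaves in an audit log, and it estimates how much data broadly shared permissions expose. The audit-log format, share paths, group names, sizes and thresholds are all constructed assumptions.

```python
"""Added example: file-usage monitoring and access over-exposure checks.
Log format, paths, users, groups and thresholds are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines in an assumed "<ISO timestamp> <user> <action> <path>" format:
# alice writes 25 files in 25 seconds (ransomware-like burst); bob behaves normally.
SAMPLE_AUDIT_LOG = "\n".join(
    [f"2019-05-07T08:00:{i:02d} alice WRITE /share/finance/doc{i}.xlsx" for i in range(25)]
    + [
        "2019-05-07T08:01:00 bob READ /share/hr/handbook.pdf",
        "2019-05-07T09:30:00 bob WRITE /share/hr/notes.txt",
    ]
)

BURST_WINDOW = timedelta(seconds=60)   # assumed sliding window
BURST_THRESHOLD = 20                   # assumed writes/renames per user per window

# Groups that effectively mean "every employee" (assumed names)
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}

# Constructed ACL inventory: share path -> (size in MB, groups granted access)
SAMPLE_ACLS = {
    "/share/finance": (400, {"Finance"}),
    "/share/hr": (100, {"HR"}),
    "/share/public": (300, {"Domain Users"}),
    "/share/projects": (200, {"Everyone", "Engineering"}),
}


def parse_audit_log(text):
    """Parse audit lines into (timestamp, user, action, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)


def find_encryption_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return {user: peak count} for users whose WRITE/RENAME events reach the
    threshold inside any sliding window. Reads are ignored: encryption rewrites files."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, user, action, _path in events:
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


def exposed_share(acls, broad_groups=BROAD_GROUPS):
    """Fraction of data (by size) that any employee can reach via a broad group."""
    total = sum(size for size, _groups in acls.values())
    exposed = sum(size for size, groups in acls.values() if groups & broad_groups)
    return exposed / total if total else 0.0


def blast_radius(user_groups, acls):
    """Data (MB) one compromised account could encrypt: every share whose ACL
    intersects the user's groups. 'Everyone' is treated as implicit for all users."""
    effective = set(user_groups) | {"Everyone"}
    return sum(size for size, groups in acls.values() if groups & effective)


if __name__ == "__main__":
    bursts = find_encryption_bursts(parse_audit_log(SAMPLE_AUDIT_LOG))
    print("users with encryption-like write bursts:", bursts)
    print(f"data reachable by every employee: {exposed_share(SAMPLE_ACLS):.0%}")
    for user, groups in bursts and {"alice": {"Finance", "Domain Users"}}.items():
        print(f"{user} could have locked {blast_radius(groups, SAMPLE_ACLS)} MB")
```

The burst detector is deliberately action-based rather than signature-based: it does not need to know RobbinHood or any other family, only that a single account rewriting dozens of files a minute is abnormal for most city employees. The second check is the number to drive down; every share moved from a broad group to a named team shrinks the blast radius of one clicked attachment.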
Layered defense is also necessary to stave off ransomware attacks, Duvall added. That includes regularly training employees on cyber hygiene -- including how to spot suspicious messages and attachments -- and managing patches, configuration and workers’ identity credentials.
Although ransomware affects both the public and private sectors, the public sector is more vulnerable for several reasons. First, it is decentralized; various agencies in one city or state often have their own chief information security officers, policies and IT systems.
“There are ways bad actors can target a particular sector of a government, and if they are not as successful there, they can target a different one," Duvall said. "If they are successful there, they can piggyback on that one organization to another.”
Additionally, the public sector generally lacks the funding for IT that the private sector has. Often, officials must choose between buying, say, another fire engine or beefing up cybersecurity. They need to do a cost-benefit analysis of ensuring that protections are in place vs. providing services, he said.
The decentralization and lack of protections also make the public sector more attractive to attackers.
“If you’re an attacker, why go after the big bank that has every resource in the world to detect your attacks, to prevent it from happening and to correct it when it does?” Vecci said. “Go after the city of Baltimore, whose IT systems you know are probably five years behind everybody, they’re totally understaffed [and] the staff that they have are probably underpaid.”
The attack on Baltimore -- which used RobbinHood, a program that prevents access to server data without a digital key -- comes 30 years after the first ransomware attack and as such attacks gain steam. One reason for the uptick is that data is more valuable and there's more of it.
“Think about this way: Many organizations 30 years ago had about as much data as you have on your laptop right now,” Vecci said. “These days they might have 1,000 times as much.”
What’s more, attackers don’t need technical skills to launch their campaigns. Using automatic scanning and phishing platforms, they can create campaigns readily, Duvall added. That also facilitates launching multiple attacks because “if even 1% works, if it’s a large enough distribution, then you can get some pretty serious payout,” Duvall said.
And that payout is why hackers turn to ransomware attacks. “They’re profitable. It’s as simple as that,” Vecci said. And they may be getting more profitable, with the average ransom increasing by 89% to $12,762 between the last quarter of 2018 and the first quarter of 2019, according to Coveware’s Q1 Ransomware Marketplace report.
As Baltimore’s Young is seeing, the decision to pay or not to pay requires a risk analysis. Duvall said there are downsides to paying. For one, “you’re validating the approach,” he said. “Are you supporting some nefarious group?” And even if the attackers provide the keys to decrypt the data they encrypted, the data may have been corrupted.
On the other hand, refusing to pay also means refusing to get access back.
The number of ransomware attacks is not expected to slow down. In 2016, Recorded Future found 46 ransomware attacks on state and local governments, while the first four months of 2019 saw 21 reported attacks.
“It’s an easy form of crime, and you’re seeing an explosion both in terms of the availability of tools and need to be less technically savvy,” Duvall said. “With the potential payouts and the ease of use, we think you’re only going to continue to see more of it.”