The city of Baltimore is being held hostage by ransomware

The US city of Baltimore has been partially paralyzed since 7 May, when a ransomware attack seized parts of the government’s computer systems.

As soon as the city discovered that it had been attacked, it informed the FBI and took its systems offline in an effort to keep the infection from spreading.

But not before the attack took down voicemail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations. Real estate transactions were also shut down.

It was lousy timing, given that this is one of the real estate industry’s busiest times of the year. The Baltimore Sun reported that hundreds of property sales could have been affected: A real estate agent with access to industry data told the newspaper that at least 1,500 sales were pending in Baltimore.

But a sliver of good news came on Monday, when Mayor Bernard Young’s office announced that the city had developed a manual workaround that would allow real estate transactions to resume during the outage.

On Friday, the mayor’s office had said that the city is “well into the restorative process.” The work includes rebuilding some systems in a way that will ensure that when business functions are restored, they’ll be functioning securely.

According to Fox News, a recent analysis of the city’s cybersecurity defenses found that the network was “out of date in terms of security, staffing, and infrastructure to prevent attacks.”

Unlike both Greenville and Atlanta – which was hit by a SamSam attack last year – Baltimore doesn’t have an insurance policy to cover cybersecurity incidents. Baltimore’s head of computer security reportedly told City Council members last year at a budget hearing that the city needed one, but it didn’t happen.

Expect that to change: a spokesman for Young told the Baltimore Sun that the mayor has now directed the city’s finance and law departments to get coverage.

A long mop-up

In Friday’s update, Mayor Young’s office said that it could take months to restore all services. From the media release:

I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications.

The city has established a web-based incident command, shifted operations into manual mode and established other workarounds to keep delivering services.

The ransom: 13 Bitcoins for all you can eat

Baltimore has a choice: it can spend months getting its technology back online, or it can give in to the attackers’ demands. 13 Bitcoins – worth about US $100,000 – is now standing between Baltimore and what would purportedly be a full restore of its systems. Mayor Young told local reporters on Monday that the city might pay up at some point, but at this point, that’s a negative:

Right now, I say no.

But in order to move the city forward, I might think about it.

Ransomware galore

In recent months, we’ve covered several severe attacks, including one in which the malware author behind a new type of ransomware called MegaCortex geeked out and distracted victims with Matrix film references.

We saw another attack at the beginning of the year, against a slew of US newspapers, that delayed their publication. And then in February, a targeted attack against a hospital involved two GandCrab ransomware attacks.

What to do?

Defending against a determined, targeted attack demands defense in depth, and, as in many things, prevention is better than cure. That starts with ensuring that access to RDP (Remote Desktop Protocol) is secure and finishes with regular, comprehensive, off-site backups, with much else in between.

To read more about those things and the preventive steps you can take to protect yourself against targeted ransomware of all stripes, read our article on how to defend against SamSam ransomware.

Fortunately, the same advice that we gave to help to protect from SamSam will also help against ransomware – and cybercrime – in general, so please revisit it now.

We also urge you to read the SophosLabs 2019 Threat Report, in which Sophos researchers analyze the state of play in cybercrime today, including a section on ransomware.

Finally, visit to read more about anti-ransomware technologies, including Sophos Intercept X.