Baltimore's ransomware nightmare could last several more weeks, with far-reaching consequences



A few days after Mayor "Jack" Young succeeded Catherine Pugh as mayor of Baltimore, ransomware took down the city's networks. It may take weeks, if not months, before things get back to normal, and "normal" was not great either, based on the city's IT history.

Alex Wroblewski / Getty Images

It has been almost two weeks since the City of Baltimore's networks were shut down in response to a ransomware attack, and the end of the attack's impact is not yet in sight. It may take weeks before city services return to normal: manual workarounds are being put in place to handle some services, but the city's water billing and other payment systems remain offline, as are most city e-mail and many government telephone systems.

The ransomware attack came in the middle of a transition at City Hall. Mayor Bernard C. "Jack" Young officially took office a few days before the attack, after the resignation of former mayor Catherine Pugh, who is currently the subject of a corruption investigation. And some of the mayor's critical staff positions have remained vacant; Sheryl Goldstein, Deputy Chief of Staff for Operations, starts work today.

To top it off, unlike the city of Atlanta, which suffered a Samsam ransomware attack in March 2018, Baltimore has no insurance to cover the cost of a cyberattack. Thus, the cost of cleaning up after the RobbinHood ransomware, which will far exceed the US$70,000 demanded by the ransomware operators, will be borne entirely by the citizens of Baltimore.

It's not as if the city had not been warned. Baltimore's information security officer warned of the need for such a policy during last year's budget hearings. But the final budget did not include funding for this policy, nor for increased security training for city employees, nor for other strategic investments that were part of the mayor's strategic plan for the city's information technology infrastructure.

It may take a little while

In a May 17 press statement, Mayor Young said:

I am not able to provide you with an exact timeline of when all systems will be restored. Like any big business, we have thousands of systems and applications. Our goal is to restore essential services online so that security is one of our top priorities throughout this process. You may find that partial services start to recover in a few weeks, while some of our most complex systems may take months in the recovery process … we hired industry cybersecurity experts, who work with us every day, 24 hours a day, 7 days a week.

Some restoration efforts also require rebuilding some systems to ensure that when we restore business functions, we do so in a secure manner.

City officials have provided little detail on the scale of the attack, as the city is cooperating with an FBI investigation. But it seems that the ransomware was triggered on some systems in the early hours of May 7, when the e-mail service was suddenly interrupted. The city's response to the attack has thrown many municipal services into disarray or shut them down completely.

The attack was first reported by the Baltimore Department of Public Works, when its official Twitter account announced that access to its e-mail was cut off, and that phones and faxes were not available. Other systems were affected shortly thereafter. As it became clear what was happening, the city's information technology office shut down almost all of the city's non-emergency systems to prevent the spread of the attack. How far the ransomware propagated across the network is unclear, but the city's e-mail system and IP phones were among the affected systems.

City officials pointed out that emergency systems, such as the police and fire networks and the city's 911 system, were not affected. The 911 system suffered a ransomware attack last year when some firewall settings were disabled during maintenance. But the Baltimore Police Department was dependent on the city's mail servers, and surveillance cameras around the city were affected by the shutdown of the network. Almost all other departments in the city have also had their services interrupted.

Mayor Young said that a paper workaround to handle the closures would be in place from now until today. Water bills and other city charges (including parking tickets and citations from the city's speed-camera and red-light camera networks) cannot be paid. And many city workers have had to use their own laptops without connecting to the city's networks, as well as their personal e-mail addresses and mobile phones, to be able to work. Other tasks are not being done at all or have reverted to paper processes that the city was trying to eliminate.

A thankless job

The Mayor's Office of Information Technology has struggled to recover over the last two years after the dismissal of several information managers. Four information managers were fired or forced to resign over a five-year period. Frank Johnson, who now holds the titles of CIO and director of digital technologies for the city, was hired in November 2017 after leaving his position as a regional vice president of sales at Intel. Johnson spearheaded the development of a digital city strategy that aimed to bring Baltimore's IT spending more closely in line with that of cities of similar size and to transform IT practices. According to a 2018 strategy paper, Baltimore spends about half of what other cities spend on computers, and the Office of Information Technology controls only about 1% of the total budget; the bulk of IT spending is part of the operating budgets of other departments.

Until the ransomware attack, the city's e-mail was almost entirely hosted internally, running on Windows Server 2012 in the city's data center. Only the city's legal department had moved to a cloud-based e-mail platform. At present, the city's mail gateway has been transferred to a Microsoft-hosted e-mail service, but it is not clear whether all messages will migrate to the cloud, or even if that is possible. Mayor Young said the city had data backups, but the extent of their implementation was unclear. And Johnson would not say whether a disaster recovery plan was in place to deal with a ransomware attack.

Some Baltimore systems are hosted elsewhere, including the city's main website, which is hosted on Amazon Web Services and operated by a contractor. But the city almost lost this website last week, and not because of ransomware: the site's operating contract had expired and the city was late in paying.

Identifying when and how the malware entered the city's network is a significant task. The city has a huge attack surface, with 113 subdomains, about a quarter of which are hosted internally, and at least 256 public IP addresses (of which only eight are currently online, thanks to the network shutdown).

"We have engaged leading industry cyber security experts who work with us 24 hours a day, 7 days a week," said Young. "As part of our containment strategy, we have deployed enhanced monitoring tools across our network to increase our visibility – as you can imagine, it takes time with around 7,000 users."
