On May 7th, the city of Baltimore was hit with an aggressive ransomware attack, infecting somewhere around 10,000 city computers with a file-locking variant called RobbinHood.
Hackers demanded a ransom of 13 bitcoins, worth about $100,000 today, telling officials that the ransom would go up over time if they refused to pay up.
The city refused, and for three weeks employees were unable to access email or process payments, though emergency services remained operational throughout the outage.
Baltimore Mayor Bernard “Jack” Young estimated that the attack is likely to cost the city $10 million, plus $8 million lost during the time government agencies were unable to process payments.
What is RobbinHood and How Does it Work?
The hackers used ransomware called RobbinHood, a malicious program that encrypts data on servers so that it cannot be accessed without the decryption key.
Unlike a lot of the ransomware out there, RobbinHood doesn’t necessarily get into computers through spam.
Instead, attackers break in through exposed Remote Desktop Protocol (RDP) services or through Trojans that already give them access to the system. The malware then encrypts the victim’s hard drive using a combination of RSA and AES encryption.
The victim is left a note instructing them to connect to a Tor (.onion) site, where the attackers lay out their ransom demands.
Here’s a look at the ransom note from RobbinHood hackers:
The FBI recommends not paying the ransom, as trusting these anonymous hackers may only result in losing your money and your data if they decide to ultimately not send you a decryption key.
Additionally, paying can set a precedent, encouraging hackers to attack other cities and organizations.
As it stands, the source of the attack remains unclear. Initially, there was speculation that the Baltimore attack was powered by the NSA hacking tool EternalBlue. Later analysis suggests that, while EternalBlue could have been used to spread a RobbinHood infection, this version of the malware contained no traces of it.
City Governments Are Especially Vulnerable
Baltimore’s attack wasn’t an anomaly. Last year, the city of Atlanta experienced a similar ransomware attack, which also halted the local government’s digital services and cost the city $17 million to recover.
This year, there has been a rash of attacks on city governments. Here are a few recent examples that come to mind:
- April 10th—Greenville, NC was hit by RobbinHood ransomware and had to disconnect nearly all government computers from the internet.
- April 13th—Imperial County, CA was hit by another ransomware, Ryuk, which typically targets enterprise organizations, forcing the website to go dark, systems to malfunction, and shutting down some departments’ phone lines.
- April 18th—Augusta, ME was attacked by an unspecified malware attack that crippled the city’s computer network.
- April 21st—Cleveland’s Hopkins International Airport was struck by an unspecified malware that caused flight and baggage information screens to go dark for five days.
The Atlanta attack, followed by Greenville, Augusta, Cleveland, and others, should have been a wake-up call, but hackers need to find just one weak link to break into a system.
Those weak links are often preventable vulnerabilities, such as running old hardware or software and failing to patch systems. The Baltimore cyber attack is but one entry out of about 20 that have happened in recent months.
Ransomware’s impact can be devastating for city governments, which deal with tight budgets and older systems, and often aren’t as up to date on the latest technology as their counterparts in the private sector. Still, the long list of attacks should serve as a warning sign to private companies as well.
These types of attacks don’t just target city governments: any organization deemed likely to pay the ransom is fair game. RobbinHood looks a lot like the SamSam attack that hit several organizations last year, though its primary targets were hospitals.
Here, we’ll look at some ways organizations can protect themselves against the mounting threat of malware moving forward.
Perform Frequent Backups
The best way to get ahead of ransomware attacks is by backing up your data daily. You’ll want to back up your data both locally and in the cloud.
This allows you to keep your information in a safe location that hackers won’t be able to access quickly. What’s more, you can then wipe your systems and start repairing using your backup files after the attack.
Backing up in the cloud gives you another layer of protection against ransomware infections and allows you to run multiple backups in case the last one was overwritten with ransomware files.
Organizations who don’t back up their systems risk losing years’ worth of data, which is how hackers justify high ransoms in the first place.
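The backup advice above amounts to three properties: more than one generation is retained, each generation has an integrity record, and the records can be checked before a restore. The Python below is an added example written for this article (it is not Baltimore's or any vendor's tooling) that implements exactly those properties on a local directory tree. The retention count, directory layout, and sample files are all constructed assumptions for the demo; in production the snapshots would also be copied off-host or to the cloud, which the article recommends and this script does not do.

```python
"""Versioned backups with SHA-256 manifests (added example, not from the article).

Each run copies a source tree into a new snapshot directory, writes a
manifest of file hashes beside it, and prunes generations beyond KEEP so
that one overwritten or encrypted snapshot does not wipe out every
recovery point. verify_snapshot() shows which files in a snapshot no
longer match their recorded hash; intact_snapshots() lists the
generations that are still safe to restore from.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List

KEEP = 3  # assumed retention policy: number of snapshot generations kept


def sha256(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(source: Path, backup_root: Path, label: str = "") -> Path:
    """Copy `source` into backup_root/<label>/data and write manifest.json."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    dest = backup_root / label
    shutil.copytree(source, dest / "data")
    manifest: Dict[str, str] = {
        str(p.relative_to(dest / "data")): sha256(p)
        for p in sorted((dest / "data").rglob("*")) if p.is_file()
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    # Prune the oldest generations so only the last KEEP remain.
    snapshots = sorted(p for p in backup_root.iterdir() if p.is_dir())
    for old in snapshots[:-KEEP]:
        shutil.rmtree(old)
    return dest


def verify_snapshot(snapshot: Path) -> List[str]:
    """Return files whose content no longer matches the manifest (missing
    files count as mismatches). An empty list means the snapshot is intact."""
    manifest = json.loads((snapshot / "manifest.json").read_text())
    bad = []
    for rel, digest in manifest.items():
        f = snapshot / "data" / rel
        if not f.is_file() or sha256(f) != digest:
            bad.append(rel)
    return bad


def intact_snapshots(backup_root: Path) -> List[str]:
    """Names of retained snapshots that pass verification, oldest first."""
    return [s.name for s in sorted(backup_root.iterdir())
            if s.is_dir() and not verify_snapshot(s)]


def demo() -> dict:
    """Constructed scenario: four snapshots of a tiny tree, then the newest
    one is damaged the way an encrypting process would damage it."""
    work = Path(tempfile.mkdtemp())
    src, root = work / "src", work / "backups"
    src.mkdir()
    root.mkdir()
    (src / "budget.csv").write_text("dept,amount\nwater,1200\n")
    (src / "notes.txt").write_text("council minutes\n")
    for i in range(4):
        make_snapshot(src, root, label=f"snap{i}")
    # Simulate the latest generation being overwritten with garbage.
    (root / "snap3" / "data" / "budget.csv").write_bytes(b"\x00garbage")
    return {
        "retained": sorted(p.name for p in root.iterdir()),
        "intact": intact_snapshots(root),
        "damaged_in_latest": verify_snapshot(root / "snap3"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows snap0 pruned by the retention policy, snap3 failing verification on `budget.csv`, and snap1 and snap2 still available for a restore, which is the situation a recovering organization wants to be in.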
Patch it Up
Patch and update your software on an ongoing basis. High-profile attacks like the Equifax data breach happened because of a missed update. Ransomware operators use exploit kits to gain access to a network, meaning they depend on users running old, outdated software to gain entry.
And speaking of old technology, if you’re using software that no longer receives updates, it’s time to switch to a provider that is still active.
Network administrators should also limit user permissions so that malware cannot install itself on a system without an administrator password.
Whitelisting software applications makes it easy to prevent attacks, as computers won’t be allowed to install anything that hasn’t been pre-approved.
Administrators can set this up by scanning computer systems to take stock of the legitimate applications running on the device, then configuring it to prevent unauthorized executable files from running or installing.
Another tactic is segmenting access to data across multiple servers. This way, organizations with thousands of employees don’t risk losing access to everything should one server get hit by malware. Instead, they can break employees into smaller groups, each with their own server. This way, if one gets locked, organizations can take swift action.
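The allowlisting procedure described above has two steps: inventory the legitimate executables, then flag anything that is not on the list. As an added example that is not from the article or any product, the Python below performs both steps by file hash on a directory tree. The directory, file names, and the rule for what counts as an executable are constructed assumptions; an operating-system control (for instance Windows AppLocker) would be what actually blocks execution, and this script only produces the report such a control would act on.

```python
"""Hash-based application allowlisting check (added example, not from the article).

build_baseline() records the SHA-256 of every executable found during the
initial inventory. audit() re-scans later and sorts executables into
'allowed' (hash is in the baseline), 'modified' (known path, different
hash) and 'unknown' (never inventoried). The last two are what an
allowlisting control would refuse to run.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed heuristic: common Windows binary suffixes or a Unix exec bit.
EXEC_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".msi"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    return (path.suffix.lower() in EXEC_SUFFIXES
            or bool(path.stat().st_mode & stat.S_IXUSR))


def build_baseline(root: Path) -> Dict[str, str]:
    """Inventory step: relative path -> hash for every executable under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and is_executable(p)}


def audit(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Enforcement step: compare the current tree against the baseline."""
    approved = set(baseline.values())
    report: Dict[str, List[str]] = {"allowed": [], "modified": [], "unknown": []}
    for p in sorted(root.rglob("*")):
        if not (p.is_file() and is_executable(p)):
            continue
        rel, digest = str(p.relative_to(root)), sha256_file(p)
        if digest in approved:
            report["allowed"].append(rel)      # exact approved binary
        elif rel in baseline:
            report["modified"].append(rel)     # known name, changed content
        else:
            report["unknown"].append(rel)      # never inventoried
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: inventory two apps, then a new binary appears
    and an approved one changes before the next audit."""
    work = Path(tempfile.mkdtemp())
    apps = work / "apps"
    apps.mkdir()
    (apps / "payroll.exe").write_bytes(b"MZ payroll v1")
    (apps / "report.exe").write_bytes(b"MZ report v1")
    baseline_file = work / "baseline.json"
    baseline_file.write_text(json.dumps(build_baseline(apps)))
    # Changes after the inventory was taken:
    (apps / "unexpected.exe").write_bytes(b"MZ not on the list")
    (apps / "report.exe").write_bytes(b"MZ report v1 with altered bytes")
    return audit(apps, json.loads(baseline_file.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Matching on hash rather than path is deliberate: a renamed copy of an approved binary still passes, while an approved name with altered content is reported as modified, which is the case a patch-or-compromise review cares about.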
Things to Do if You Experience a Malware Attack
While we’re talking primarily about ransomware attacks on municipalities, this wave of attacks really drives home an important point: hospitals, enterprise organizations, higher education, and other similar institutions need to do more to protect their data.
If you do experience a ransomware attack, administrators should immediately disconnect the infected systems from the internet and disable Bluetooth and WiFi on all machines to prevent the malware from spreading to other devices.
From there, the organization should try to diagnose the strain. If it’s a known variant, you may be able to work with an IT company to unlock the files and get around the ransom.
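Diagnosing the strain starts with collecting evidence from the affected hosts: which files were encrypted, what extension they were given, and what the note says. The Python below is an added triage example written for this article, not a tool from any responder or vendor. It walks a directory and flags files whose byte entropy is near the 8 bits per byte of ciphertext, files with an extension outside an expected set, and text files that read like a ransom note. The entropy threshold, the extension list, the note keywords, and the sample files are all constructed assumptions; compressed media such as images also scores high on entropy, so hits are leads for a responder, not verdicts.

```python
"""Ransomware triage helper (added example, not from the article).

triage() reports three kinds of evidence: files with near-maximal byte
entropy (typical of encrypted content), files whose extension is not one
the organization expects, and note-like text files. The output is what
a responder would hand to whoever identifies the strain.
"""
import json
import math
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5            # assumed; plain text sits around 4-5 bits/byte
KNOWN_EXTS = {".txt", ".csv", ".docx", ".xlsx", ".pdf", ".jpg"}  # assumed baseline
NOTE_PATTERN = re.compile(r"(decrypt|bitcoin|ransom|your files)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root: Path) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {
        "ransom_notes": [], "odd_extension": [], "high_entropy": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel, data = str(p.relative_to(root)), p.read_bytes()
        ext = p.suffix.lower()
        # Note-like text files are reported separately and not entropy-scored.
        if ext in {".txt", ".html"} and NOTE_PATTERN.search(data.decode("utf-8", "ignore")):
            findings["ransom_notes"].append(rel)
            continue
        if ext not in KNOWN_EXTS:
            findings["odd_extension"].append(rel)
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed directory: one untouched document, one file renamed and
    filled with uniform bytes standing in for ciphertext, one note."""
    root = Path(tempfile.mkdtemp())
    (root / "minutes.txt").write_text("Council minutes: approved the water budget.\n")
    # Every byte value equally often -> entropy exactly 8.0, like ciphertext.
    (root / "budget.csv.locked").write_bytes(bytes(range(256)) * 16)
    (root / "HOW_TO_RECOVER.txt").write_text(
        "Your files have been encrypted. Pay bitcoin to receive the decrypt key.\n")
    return triage(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real share, the `high_entropy` and `odd_extension` lists together give the blast radius and the extension pattern, and `ransom_notes` gives the note text; those three items are what identification services and IT partners ask for first.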
Ransomware attacks prey on finding the weakest link within your network, be it a missed patch update or a click on the wrong link. While it’s important to educate employees on how to stay safe online, it’s not realistic to place the responsibility squarely on staff.
Ransomware is more than a violation where victims change passwords and move on. The kind of attack seen in Baltimore, Atlanta, and the 20-plus recent incidents at city governments proves that ransomware can bring business operations to a standstill.
While cities have been the latest high profile ransomware targets, last year’s SamSam attacks primarily struck healthcare organizations, and really, any organization could be next. Don’t wait until disaster strikes.
Contact our team of security experts and we’ll help you prepare for attacks on all fronts, ransomware or otherwise.