“Done, Enjoy buddy :)))” What would you think if you got that message? Maybe it’s a friend or coworker who just did you a favor? Not this time. In this case, it’s more like a sinister warning from a Stephen King novel. This is the menacing message that appears in the command line of computers affected by the RobbinHood ransomware attack, which targeted Baltimore, MD in May 2019. The result: 10,000 PCs and servers frozen, 200 real estate transactions stalled, public health systems compromised, and city utility billing systems malfunctioning. If you’re thanking the heroic Robin Hood for saving you from bills, think again: it will probably result in unusually high bills once the system is running again.
Evidence of the attack appeared on May 7th when systems started going down and ransom notes were found asking for payment in bitcoin. Like any extortion perpetrator, the attacker offered a “deal”: the city could pay 3 bitcoin to fix an individual system, or 13 bitcoin to fix everything. At the time this was worth about $75,000 but has now doubled in value to nearly $150,000. The attacker also threatened to raise the price if payment was not made on time. The RobbinHood malware, written in the Go programming language, relies on administrator access to individual computers. First, it disconnects network access, then shuts down scores of Windows processes that protect the PC. Additionally, it destroys certain types of backups. All of this is groundwork for its critical next step. After prepping the victim device, RobbinHood begins encrypting files and folders on the device, using both RSA and AES encryption. First, each file is encrypted with AES. Then, the AES key is encrypted with RSA, so the file cannot be recovered without the attacker’s RSA private key. Of course, it skips over key folders, such as Program Files, Temp, and boot, in order to keep the computer running. This gives the impression that the computer could be restored to normal working order if the ransom is paid. During this process some log files are created, as well as the ransom notes, ominously named Decrypt_Files, Decryption_ReadMe, Help_Help_Help, and Help_Important. Once the devastation has concluded, the command line will return the signature denouement: “Done, Enjoy buddy :)))”.
Unfortunately, the City of Baltimore was unprepared for this attack in a variety of ways. There are conflicting reports about what exactly led to the compromise, and officials have largely declined to share specifics, but it’s clear that the city lacked the support to fully implement strategies that could have prevented or mitigated the attack. Initially, some reports indicated that a well-known exploit for Windows machines may have been involved. This exploit, known as EternalBlue, led to a string of major cyberattacks in prior years after companies and governments failed to patch their systems. EternalBlue was initially created by the NSA, which is headquartered mere miles from Baltimore. Needless to say, it looked pretty embarrassing for both parties. However, upon further investigation, many experts, along with NSA and government officials, have reported that EternalBlue did not play a part in the RobbinHood attack on Baltimore. The conflicting reports haven’t been reconciled, but there is clearly work for the city to do in order to prevent future attacks.
For example, a risk management framework and requirements-based security should have been in place and could have aided in preventing the attack or reducing its negative effects. Lack of funds, staff, and strategy plagues municipalities like Baltimore, and this contributes to their being targeted by hackers. More than 20 local governments have been subject to malware attacks already in 2019, and many more over the last few years. In some cases, those ransoms have been paid, making this threat lucrative for cyber criminals and costly for local governments. In the end, the attack is estimated to cost the city over $18 million, almost half of its entire IT budget for this fiscal year.
The CIO for Baltimore City, Frank Johnson, took office in late 2017 and walked into a department that was suffering. Just a few months later, there was already a major cyberattack, when the emergency 911 system went down in March 2018. Johnson has explained that after that event, and following an attack in Atlanta, he improved security. Clearly it wasn’t enough. The fact that the IT budget is growing from $24 million in 2017 to $40 million in 2019, along with a 28-person growth in the staff, indicates that more could have been done in advance of this attack. Now, following RobbinHood, the department is finally overhauling its systems.
But was the cost worth it? Compared to $18.2 million for the overhaul, $75,000 seems like a pretty reasonable price to get computer systems up and running again. Additionally, if the city had paid the ransom, it could have saved money by keeping the systems online and spending only on the new systems. Certainly the people who were trying to close contracts on houses would have preferred that the ransom be paid. The hundreds of houses that were affected in this process alone probably would have made the expenditure a wise one. But the answer isn’t so simple. If the mayor, city council, or the CIO had decided to pay, how could they be sure that the hacker would live up to the agreement? What if the attacker walked away with the money? Additionally, at a larger scale, what message does this send to other hackers who are considering attacking Baltimore or other cities? The broader risks are even harder to contemplate. The impact goes beyond the city limits: the FBI, DHS, and Maryland Senator Chris Van Hollen all got involved in one way or another. In the short term, it may seem more cost effective to pay the tens of thousands of dollars. However, in the long term, the damage could be much worse.
A Better Way
Presumably, the IT department had an agenda for risk management, but the implementation did not go far enough due to limited resources. If they had used the Risk Management Framework (RMF), they would have completed its six steps. First, they would have categorized the major systems in the city according to their goals, and identified and prioritized key security risks like ransomware attacks. Second, they would have selected the security controls they wanted to implement, and this probably would have been done even before the new CIO took his place. Where the breakdown probably occurred was the third step, implementing the security controls, and each step thereafter. If the controls weren’t implemented, then the assessment, the fourth step, would have shown that they were not up to par with what was necessary. Such an assessment reflects the sentiments of Johnson prior to the RobbinHood attack, who explained the poor state of the department’s security apparatus. The fifth and sixth steps, authorizing the information system and monitoring the security controls, then would never have been completed for the chosen approach. As a result, the sixth step only consisted of monitoring the existing systems, not the ones that were recommended, and so the major shortcomings were only revealed once the attack occurred.
Requirements-based security also could have helped promote risk mitigation and prevention. The City of Baltimore should have identified the requirement of maintaining services for its constituents, and defined a security plan that helped ensure that those services stayed in operation. Instead, the city did not follow this process and therefore did not identify potential risks, prioritize them, and address them.
As far as ransomware goes specifically, Check Point, a leading cybersecurity firm, recommends five things: back up data and files, educate employees to recognize potential threats, limit access to those who need it, keep signature-based protections updated, and implement multi-layered security including threat prevention. While we don’t know exactly how the city’s computer systems were initially compromised, it’s safe to say that a course of action like the one defined above could have helped prevent or mitigate the impact of the attack. First, backing up the data can help get things up and running quickly, even if some data is lost. According to Ars Technica, Mayor Young explained that there were backups, but they may also have been compromised, so in this case that didn’t help. Informing and training employees to recognize, avoid, and report threats may be one of the lowest cost and highest yield efforts in the prevention of ransomware attacks. If this particular strike was the result of a Trojan horse being downloaded, then it almost certainly could have been prevented by providing education across the city’s departments. Today’s attacks don’t just rely on sending compromised emails; they use more advanced phishing and spear phishing to lure in their victims with seemingly benign websites and content until the malware is downloaded. Limiting access is one of the more common practices, so this may be in place, but the scale of the attack may indicate that permissions were not properly set up. This will need to be reviewed internally to make sure it’s organized properly. Up-to-date anti-virus protection may have been a key factor that failed in this attack. It has been reported, and previously mentioned here, that the staff was limited, meaning machines may not have been safeguarded. Additionally, antiquated systems may also have been at fault and easily compromised. Providing the proper protections is presumably a major part of the proposed overhaul going forward.
The last step, multi-layered security and advanced threat prevention, will also hopefully be implemented. Check Point, which sells many of these tools, recommends two components: threat extraction and threat emulation. Threat extraction means the ability to clean malware from your system. Threat emulation means testing systems for potential threats before a cyberattack occurs. These advanced tools can provide the extra layer of security that Baltimore may need, although it’s unclear if this will be included in their plans.
Another tool that could have helped with the city’s response, and should definitely be part of the plan going forward, is insurance. There are “first-party” cyber-insurance plans that can help offset the costs of a future attack. This type of insurance can provide coverage for loss or damage to digital assets, business interruption, extortion, and theft. In addition, there are “third-party” policies that can cover computer forensic investigation, customer notification and PR expenses, loss of third-party data, and even contractual indemnification. Prior to the RobbinHood attack, a risk assessment should have indicated that the city was at greater risk and that insurance plans would have been prudent. This could have saved the city time and money. Looking ahead, the city may be at reduced risk but should still determine the amount of coverage necessary based on the probability and impact of another attack.
The ransomware threat to municipalities is a modern reality of government. Threat prevention and mitigation will be the most cost effective way to deal with it. In the case of Baltimore’s attack by the RobbinHood malware, improper preparation and a lack of resources created a problem that, to date, is still ongoing and is costing the city millions of dollars. Ransomware attacks are not new, and there are predetermined approaches that the City of Baltimore should have put into action. Instead, the city put its constituents at risk and became enveloped in a public relations crisis that was entirely preventable; following the recommended course of action would also have saved taxpayer money. Baltimore, luckily, had the budget to avoid giving in to the attacker, and to finally overhaul its systems to help avert future crises like this one. Other cities may not be so lucky, and they may need to focus on assigning resources in advance instead of waiting until after an attack occurs. Municipalities like Baltimore need to follow information security best practices like the Risk Management Framework, requirements-based security, and acquiring cyber insurance in order to ensure that they are protected in the future. Baltimore needs to make sure the money it spends resolves the existing issues to prevent another attack from occurring.