Baltimore seeks answers, help for crippling cyberattack linked to NSA

By Daniel Uria

May 28 (UPI) -- Baltimore city officials on Tuesday are looking for help -- and answers -- to explain a cyberattack this month that still is affecting some government systems.

Baltimore was one of two cities attacked by a new type of ransomware, dubbed "RobbinHood." The attacks targeted Greenville, N.C., on April 10 and then Baltimore on May 7, locking both local governments out of their computer servers for ransom.


Baltimore officials are asking Gov. Larry Hogan to declare an emergency.

"I sent a letter to Gov. Hogan, asking him to officially ask and declare for federal disaster relief funds," City Council President Brandon Scott said.

Saturday, The New York Times reported a key component of the ransomware was developed by the National Security Agency, adding a new dimension to the attacks. The tool, called EternalBlue, may have been leaked in 2017, the Times report said.


In both cases, hackers left a ransom message demanding 3 Bitcoins, or $17,000, to unlock each affected system, or 13 Bitcoins, or $75,000, to unlock all of the systems, with the price rising $10,000 every day after four days, the Baltimore Sun reported. The Times reported the amount at $100,000.

Neither city elected to pay the ransom, and instead opted to work to contain the virus and restore the systems themselves. The FBI has also launched criminal investigations into both incidents.

Immediately following the attack, Baltimore Mayor Bernard Young announced there was no evidence that personal data had left the system, but the city shut down a majority of its servers "out of an abundance of precaution."

Baltimore email, payment and real estate systems remain offline, with Young estimating it could take weeks or months to restore them, depending on their complexity.

"As part of our containment strategy, we deployed enhanced monitoring tools throughout our network to gain additional visibility. As you can imagine, with approximately 7,000 users, this takes time," said Young. "Some of the restoration efforts also require that we rebuild certain systems to make sure that when we restore business functions, we are doing so in a secure manner."


A week ago, the city instituted a workaround for the real estate systems involving paper certificates that allowed 42 applications for property deeds to be processed. One workaround solution, which turned to Google Gmail for emails, failed when the city attempted to create too many new accounts at once. Google later helped restore access to the accounts.

Greenville city spokesman Brock Letchworth told UPI in an emailed statement nearly all of the city's 800 computers were offline for several days and were repaired about two weeks ago, with assistance from more than 20 professionals.

"Despite the lack of technology for a bit, most city services were still provided," Letchworth said. "After all, it's people who run cities, not computers."

Letchworth added he was not immediately able to provide an estimate for the cost of the attack.

The National Capital Region Threat Intelligence Consortium Cyber Center issued a bulletin assessing with "moderate confidence" that the ransomware campaign is actively targeting U.S. government networks. It recommended all network administrators implement a "robust and comprehensive" data backup process and conduct regular training and awareness exercises with all employees to prepare for a possible attack.


Young said he directed his new Deputy Chief of Staff for Operations Sheryl Goldstein to oversee the response, measuring the impact and informing decisions going forward.

Letchworth said Greenville plans to upgrade both endpoint and server security, provide additional education and training for employees and change some internal computer procedures in response to the attack.
