For the second time in less than 14 months, the city of Baltimore was hit by a ransomware attack on Tuesday.
The attack did not compromise the city's emergency services, or its police and fire services. But it forced the city to suspend customer support for its Public Works Department, billing for the Parks Department and overdue water bills, and intake of vehicles at an impound lot.
A ransom message that appeared on affected computers demanded the city pay 3 Bitcoins -- roughly $76,000 -- to restore the impacted services. Officials have not said whether they plan to pay.
“As of now, we have no proof that any personal data has left the system,” Baltimore City Council President Brandon Scott said in a statement Tuesday night. “As a measure of caution, the majority of city servers have been shut down.”
The incident came at a time of leadership turmoil for Baltimore. Mayor Catherine Pugh resigned last week following a protracted scandal involving a children's book she had self-published. Many of the sales of the book went to companies and organizations that had direct dealings with the city. Pugh was succeeded by Jack Young, who had been serving as the city council president.
Tuesday’s attack appeared to be similar to one last month in the city of Greenville, N.C., where the RobbinHood virus crippled computers. In Baltimore, the virus did not appear to have gained access through spam email, although officials did not specify how it actually spread. As of Wednesday afternoon, the city's email server and portions of its phone systems were still inoperable.
Baltimore was hit by a similar ransomware attack in March 2018 that affected city phone systems, shutting down automated messages on the city's 911 and 311 services. The same month, Atlanta was the victim of an attack that knocked out internet service at Hartsfield-Jackson Airport, the world's busiest air traffic hub.
In the two-year period leading up to those incidents, U.S. local governments and public safety agencies were hit by 184 cyberattacks, according to the cybersecurity firm SecureLore Solutions. The attacks have impacted a range of government functions -- from transit and communications to billing and vital hospital services.
Should Cities Pay Ransom Demands?
It's become an unfortunately familiar scenario in recent years. A city is hit by malware that encrypts files and locks users out of their computers. Attackers demand a ransom in order to restore access. Public officials are faced with a difficult question: To pay or not to pay?
The FBI and leading cybersecurity experts discourage government agencies and private corporations from agreeing to the payment demands.
“Paying a ransom not only emboldens current cybercriminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity,” former FBI Cyber Division Assistant Director James Trainor said in a statement in 2016.
Typically, the ransom demands are relatively modest, compared to city budgets. Attackers know that if the amounts are too high, governments would never pay. The attackers in Atlanta last year demanded $51,000; officials have declined to say whether they paid.
Email phishing scams are the most common way attackers gain access to a network. The emails are often made to look like official correspondence between city employees. But training employees to not open the emails probably won’t help much, says Oren Falkowitz, who spent seven years with the National Security Agency before co-founding Area 1 Security, a private firm.
“Humans are curious, and we are talking about organizations that have hundreds of thousands of people,” Falkowitz told Governing last year. “Someone is going to click on a link.”
Information technology experts are largely in agreement that the best way to protect computer networks is to partition those networks. That would contain a computer virus to some portion of the system and prevent its spread across the network. Cities and government agencies should also avoid putting information that does not need to be internet-accessible on computers connected to the internet.