A citywide ransomware attack on the government of Baltimore has locked staff out of nearly 10,000 city computers for the past two weeks, including at the health department.
On May 7, government officials discovered a ransomware attack that had encrypted city computers and demanded the equivalent of $76,000 in bitcoin to recover the files, according to local news outlet the Baltimore Sun. The city has not paid the ransom and does not intend to do so.
The FBI is investigating the cyberattack.
Health department officials can’t access the state network that warns the public when bad batches of illegal drugs cause overdoses. The public works department can’t create new water bills, which may cause Baltimore residents to receive higher than usual bills when the systems are restored. Early on, real estate functions were hindered, including the processing of property sales.
Baltimore Mayor Bernard Young told the Wall Street Journal that full recovery may still take months for some systems. However, officials have created workarounds for some city functions, like real estate sales. While officials said it was a slow start, paperwork is now being processed at a near-normal pace.
Staff have been divided into two teams: one focused on forensics and the other on recovery, according to Baltimore’s Deputy Chief of Staff Sheryl Goldstein. The forensics team is working on finding the malware code used to encrypt system files.
Meanwhile, the recovery team is slowly working to bring locked down systems back online, including email and databases.
“Every machine that was potentially impacted and every server that was potentially impacted has to be assessed,” Goldstein said. “The first step is to create a safe environment in which you can slowly start bringing things back online, making sure there's nothing in there that's problematic.”
“We’re getting back to a place where operations while different are at normal levels of service,” she added. “It is preferable for us to be safe and do it right than to do it fast.”
This is the second major cyberattack for Baltimore in the last year. In March 2018, Baltimore’s 911 system was infected with ransomware, forcing dispatchers to phone in addresses and other details to dispatchers.
Government systems and healthcare organizations are prime targets for hackers given the need for data access, which makes victims more likely to pay the ransom. Last year, SamSam ransomware hackers launched at least eight cyberattacks on health and government organizations, including Indiana-based Hancock Health and the city of Atlanta.
The latest Baltimore ransomware attack bears hallmarks of the 2018 ransomware attack on Atlanta, where it took the city at least six months to recover.