The city of Baltimore is still dealing with the aftermath of the ransomware attack that took place on May 7. Police, fire, and emergency services were not affected by the malware, but nearly all other services were either disrupted or taken offline to prevent further damage. Restoring the affected networks has proven to be a challenging task, and two weeks after the breach, many of the systems remain unavailable. In fact, Baltimore's new mayor Bernard "Jack" Young made a statement on May 17 saying that it may take weeks for partial restoration of the city's online functions and months for some of the more intricate systems. The statement also revealed that leading cybersecurity experts have been engaged and are working with the city officials.
In the meantime, both residents and city workers are scrambling to find workarounds while water bills and other city charges such as parking tickets cannot be processed online. All real estate purchases were also put on hold as a result of the network issues. Late water bill fees for City and County customers were subsequently suspended while a manual workaround for real estate transactions was put in place on May 20.
This is not the first time Baltimore has been the victim of a ransomware attack. In 2018, the city's 911 system was taken down after attackers exploited a change to the firewall that was caused by maintenance of the communications network.
Files were encrypted with RobbinHood Ransomware
Baltimore Chief Information Officer Frank Johnson has confirmed that the disruptions to the systems were caused by a new variant of the RobbinHood ransomware. Few details were available on how this particular ransomware operates until security researcher Vitaly Kremez reverse engineered a RobbinHood sample. According to his findings, the ransomware does not have the ability to spread itself through the infiltrated networks. Instead, RobbinHood disconnects all network shares on the computer through the command "cmd.exe /c net use * /DELETE /Y", which led Kremez to the conclusion that the ransomware was pushed to each infected computer individually, most likely through a domain controller or a framework such as PsExec.
Also, when RobbinHood Ransomware is initiated, it attempts to close down 181 Windows processes that could prevent the encryption of the targeted file types. These include databases, mail servers, antivirus programs, backup agents, and other software that could disrupt the operations of the malware. During the encryption process, several different files containing a ransom note are dropped on the machine. The criminals demand payment of 3 Bitcoins for each infected computer or 13 Bitcoins, worth around $100,000, for the decryption of every affected system. Baltimore officials have stated that they will not be making any payments to the criminals.
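The two behaviours described above, dropping every mapped network share with "net use * /DELETE /Y" and terminating a burst of database, mail, antivirus and backup processes, are both visible in ordinary process telemetry. The following detection logic is an added example written for this article, not code from the city, from Kremez or from any vendor. It runs over constructed JSON-per-line process events in a hypothetical schema ("process_create" and "process_terminate" records with a "killer_pid" field); the sample lines, host names, paths and the short list of sensitive process names are all made up for illustration, since the article does not list the 181 processes RobbinHood targets.

```python
"""Flag two RobbinHood-style behaviours in process telemetry (added example, hypothetical schema)."""
import json
import re
from collections import defaultdict

# Constructed sample events; not real Baltimore telemetry. Raw string so JSON sees "\\" for path separators.
SAMPLE_LOG = r"""
{"ts": "2019-05-07T04:01:10Z", "host": "ws12", "event": "process_create", "pid": 4100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c net use * /DELETE /Y", "parent_pid": 3990, "parent_image": "C:\\Users\\Public\\robbin.exe"}
{"ts": "2019-05-07T04:01:12Z", "host": "ws12", "event": "process_create", "pid": 4200, "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\fileserver\\finance", "parent_pid": 2200, "parent_image": "C:\\Windows\\explorer.exe"}
{"ts": "2019-05-07T04:01:15Z", "host": "ws12", "event": "process_terminate", "image": "C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe", "killer_pid": 3990}
{"ts": "2019-05-07T04:01:15Z", "host": "ws12", "event": "process_terminate", "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "killer_pid": 3990}
{"ts": "2019-05-07T04:01:16Z", "host": "ws12", "event": "process_terminate", "image": "C:\\Program Files\\Backup\\VeeamAgent.exe", "killer_pid": 3990}
{"ts": "2019-05-07T04:02:00Z", "host": "ws12", "event": "process_terminate", "image": "C:\\Windows\\System32\\notepad.exe", "killer_pid": 5000}
{"ts": "2019-05-07T04:03:30Z", "host": "ws13", "event": "process_terminate", "image": "C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe", "killer_pid": 7000}
{"ts": "2019-05-07T04:03:31Z", "host": "ws13", "event": "process_create", "pid": 7100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c net use * /delete /y", "parent_pid": 7000, "parent_image": "C:\\Windows\\PSEXESVC.exe"}
"""

# "net use * /DELETE" in any case, with or without the .exe suffix or the net1 helper.
SHARE_DISCONNECT_RE = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\s+\*\s+/delete\b", re.IGNORECASE)

# Illustrative (constructed) names in the categories the article lists: database, antivirus, backup, mail.
SENSITIVE_PROCESSES = {"sqlservr.exe", "mysqld.exe", "msmpeng.exe", "veeamagent.exe", "backupexec.exe", "store.exe"}


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_share_disconnects(events):
    """Return (host, pid, parent_image) for each process creation that drops all mapped shares."""
    hits = []
    for e in events:
        if e.get("event") == "process_create" and SHARE_DISCONNECT_RE.search(e.get("cmdline", "")):
            hits.append((e["host"], e["pid"], e["parent_image"]))
    return hits


def find_mass_terminations(events, threshold=3):
    """Group terminations of sensitive processes by (host, killer_pid); keep groups at or above threshold."""
    killed = defaultdict(list)
    for e in events:
        if e.get("event") != "process_terminate":
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name in SENSITIVE_PROCESSES:
            killed[(e["host"], e["killer_pid"])].append(name)
    return {key: names for key, names in killed.items() if len(names) >= threshold}


def analyze(text, threshold=3):
    """Run both detections over a log text and return the findings."""
    events = parse_events(text)
    return {
        "share_disconnects": find_share_disconnects(events),
        "mass_terminations": find_mass_terminations(events, threshold),
    }


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

The share-disconnect rule keys on the command line rather than the image name because the article shows the command launched through cmd.exe; the benign drive mapping on ws12 does not match. The termination rule only fires when one actor kills several sensitive processes on the same host, so the single sqlservr.exe exit on ws13 stays below the threshold while the parent process on ws12 is flagged; in practice the parent image of the flagged cmd.exe (here a constructed PSEXESVC.exe) is the pivot point, since the article ties deployment to PsExec or a domain controller.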