Baltimore City Government

Baltimore City Government Ransomware Attack: Municipalities Must Move Beyond Protection at the Perimeter

May 22, 2019

Last week The Baltimore Sun reported that Baltimore City Government computers were infected for a second time in just over a year with a certain type of ransomware, RobbinHood, in which hackers lock up files using encryption so users can’t access them. The bad actors then demand payment to provide the cyber keys to unlock the files, typically in the hard-to-trace digital currency bitcoin.

The mayor's office explained the extent of the attack on the city’s network explaining that “critical systems, including 911 and 311, were not affected, but the majority of city servers were shut down.”

While the city does not comment on the level or type of security in place at the time of the attack, it is well-documented across the municipal IT industry that, due to the rapidly changing threatscape, protection at the perimeter via only Firewall, Endpoint and a SIEM is no longer sufficient.

Too often, both internal teams and service providers are only looking at the network from a point-in-time and scans perspective, focusing their monitoring on day-to-day known events like phone hacks, for example, where it’s common to monitor uptime, outbound long distance fraud alerts, and making assessments based on days-old log activity.

However, as Dr. Stephenson writes in this SC Magazine article about the future of cyber attacks:

“Virtually all credible predictions have one thing in common: emerging attacks will be intelligent. In simple terms that means that these attacks will have the ability to make decisions and, to some extent, control their own actions without the support of a bot herder or other human control entity. Some analysts believe that, because this new generation of malcode operates at machine speed, it will be virtually impossible for humans to react fast enough to have any impact on the attack.

Next generation tools and technology, specifically ones moving beyond the collection and analysis of logs and into advanced understanding (machine learning and AI) and real-time monitoring of all the data and transactions happening on a network (wire data). These components are necessary for next-generation defense.

Don Norris, a professor emeritus at the University of Maryland, Baltimore County, reinforces this issue in the article saying the city’s repeat victimization underscores how municipal governments struggle to keep computer networks safe:

“You’ve got increasingly sophisticated and very persistent bad guys out there looking for any vulnerability they can find and local governments, including Baltimore, who either don’t have the money or don’t spend it to properly protect their assets,” said Norris, who surveyed local government leaders about computer security in 2016. “I’m not surprised that it happened,” he said, “and I won't be surprised when it happens again.”

Capture Forensic Evidence

Another telling quote from the mayor’s office in this article -- revealing which network monitoring capabilities that municipal governments should consider when modernizing their security program -- is communicated by Davis here:

"By the afternoon, city teams had the ransomware quarantined. But the cause and scale of the problem were not clear Tuesday evening and Davis did not know when the affected systems would be back online."

Improved security posture can only be strengthened and reinforced with a strong in-house incident response capability and forensic record of network traffic. When attacks like this occur, the ability to not only identify the source quickly but also "replay" the traffic to see who else was infected is a must-have feature in a modern security system.

It’s sniper vs. sniper these days. Knowing how your adversary attacked you is just as important as how the attack happened in the first place.

Detect Zero-Day (Unknown) Events

Davis said the new attack in Baltimore was similar to one that affected the city of Greenville, North Carolina, last month. The ransomware variant in that case was identified as RobbinHood, a new form about which little is known.

It’s safe to assume moving forward that the bad guys creating intelligent malware will now code it to “live off the land,” meaning it will learn baseline network information and then, within that context, become an undetectable part of the network, adjusting autonomously, never needing a bot-herder and never needing instructions from a command and control server. (Beefing Up Your Next Generation Security Tool Set).

Simply put, always changing, zero-day events are always evolving, and unique to each environment it attacks. So yes, little will be known about these zero-day events.

However, there are ways to fight fire with fire.

These zero-day, non-fingerprinted events won’t show up on intel feeds, because they have never been seen before. Therefore, next-generation monitoring platforms utilizing context-aware AI to understand and analyze regular traffic patterns can be leveraged to alert teams to anomalies before they even register as security events on a given intel feed.


This post was written and contributed to by two team members:

Michael-Paul Yelland, Principal IoT Researcher & Founder of AMCyber

Russell Gray, Director of Client Success


Learn more about MixMode’s approach to context-aware AI and how it dynamically establishes baselines of your network environment, identifies threats and sends immediate alerts, and helps prevent attacks on critical data systems.

Blogs You Might Also Like

SC Magazine: Beefing Up Your Next Generation Security Tool Set

5 Ways to Modernize Your MSSP Security Monitoring Program

Intro to Wire Data: Why Should I Care When I Already Have Log Files?

How AI is Solving the False Positives Problem in Network Security