Skip to content
Naked Security Naked Security

The city of Baltimore is being held hostage by ransomware

The mayor said no—for now—to paying 13 Bitcoins to (purportedly) unlock all seized systems. Manual rebuilding could take months.

The US city of Baltimore has been partially paralyzed since 7 May, when a ransomware attack seized parts of the government’s computer systems.

As soon as the city discovered that it had been attacked, it informed the FBI and took its systems offline in an effort to keep the infection from spreading.

But not before the attack took down voicemail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations. Real estate transactions were also shut down.

It was lousy timing, given that this is one of the real estate industry’s busiest times of the year. The Baltimore Sun reported that hundreds of property sales could have been affected: A real estate agent with access to industry data told the newspaper that at least 1,500 sales were pending in Baltimore.

But a sliver of good news came on Monday, when Mayor Bernard Young’s office announced that the city had developed a manual workaround that would allow real estate transactions to resume during the outage.

On Friday, the mayor’s office had said that the city is “well into the restorative process.” The work includes rebuilding some systems in a way that will ensure that when business functions are restored, they’ll be functioning securely.

According to Fox News, a recent analysis of the city’s cybersecurity defenses found that the network was “out of date in terms of security, staffing, and infrastructure to prevent attacks.”

Unlike both Greenville and Atlanta – which was hit by a SamSam attack last year – Baltimore doesn’t have an insurance policy to cover cybersecurity incidents. Baltimore’s head of computer security reportedly told City Council members last year at a budget hearing that the city needed one, but it didn’t happen.

Expect that to change: a spokesman for Young told the Baltimore Sun that the mayor has now directed the city’s finance and law departments to get coverage.

A long mop-up

In Friday’s update, Mayor Young’s office said that it could take months to restore all services. From the media release:

I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications.

The city has established a web-based incident command, shifted operations into manual mode and established other workarounds to keep delivering services.

The ransom: 13 Bitcoins for all you can eat

Baltimore has a choice: it can spend months getting its technology back online, or it can give in to the attackers’ demands. 13 Bitcoins – worth about US $100,000 – is now standing between Baltimore and what would purportedly be a full restore of its systems. Mayor Young told local reporters on Monday that the city might pay up at some point, but at this point, that’s a negative:

Right now, I say no.

But in order to move the city forward, I might think about it.

Ransomware galore

In recent months, we’ve covered several severe attacks, including one in which the malware author behind a new type of ransomware called MegaCortex geeked out and distracted victims with Matrix film references.

We saw another attack at the beginning of the year, against a slew of US newspapers, that delayed their publication. And then in February, a targeted attack against a hospital involved two GandCrab ransomware attacks.

What to do?

Defending against a determined, targeted attack demands defense in depth, and, as in many things, prevention is better than cure. That starts with ensuring that access to RDP (Remote Desktop Protocol) is secure and finishes with regular, comprehensive, off-site backups, with much else in between.

To read more about those things and the preventive steps you can take to protect yourself against targeted ransomware of all stripes, read our article on how to defend against SamSam ransomware.

Fortunately, the same advice that we gave to help to protect from SamSam will also help against ransomware – and cybercrime – in general, so please revisit it now.

We also urge you to read the SophosLabs 2019 Threat Report, in which Sophos researchers analyze the state of play in cybercrime today, including a section on ransomware.

Finally, visit to read more about anti-ransomware technologies, including Sophos Intercept X.


This article is utterly useless without the details. For once – I think it would be interresting to know which operating system platforms are being used by Baltimore Government institutions, what was the attack vector, etc.


Details like that aren’t going to pop out with an FBI investigation in progress.

[URL redacted]

Attribution is key on this one – the payload is “hand delivered” by an active attacker penetrating the target network – that’s what makes this so successful. The payload isn’t worming it’s way around waiting on a phish or an open SMBv1 port….


On Friday, the mayor’s office had said that the city is “well into the restorative process.” The work includes rebuilding some systems in a way that will ensure that when business functions are restored, they’ll be functioning securely.

So based on this statement, they weren’t functioning securely and with so many systems that are sensitive with PII I am sure … sounds like there is negligence involved everywhere


No mention of backups, as a system administrator I consider backups to be a priority along with monitoring my network’s traffic, antivirus, and patching. I use both an automatic online service and in house backups. I joke that I have backups of backups. I think I read on NS once, “the only backup you’ll regret is the one you didn’t create.” Watching network traffic has revealed holes in my firewall. I had a security camera recorder that became infected with a botnet, it was sending tons of data to the internet day and night.


Yes, that “quotable quote” about regretting not having a backup is one of ours :-)

As for having “backups of backups”, I wouldn’t call that a joke, I would consider it correct. After all, at the point your primary copy fails or gets trashed, your backup becomes *the* copy and thus your backup backup becomes your backup.

I realise you can extend that indefinitely, but double backup in two different locations really is a great policy if you can afford the time and effort to do it. There are lots of reasons you might get excluded from your main place of work – fire, flood, building work, gas leak, etc. – that are not exactly far-fetched and that make the idea of a backup elsewhere a pretty good idea.

If you regularly make an encrypted backup (safe against anyone else) you can make a deal with a friend to swap them and keep one at each other’s place. Just to be sure, to be sure.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!