Naked Security

Much-attacked Baltimore uses ‘mind-bogglingly’ bad data storage

IT workers have been storing files on their computers' hard drives. One councilman's alleged response: “That can’t be right? That’s real?”

Many staffers in the IT department of the much-hacked US city of Baltimore have been storing files on their computers’ hard drives only – as in, with no properly backed-up copy kept in the cloud or off-site – an audit has found.

The Baltimore Sun reports that Baltimore City Auditor Josh Pasch, who presented his findings last month to a City Council committee, told the committee that because of those (outdated and strongly inadvisable) data storage habits, the city hasn’t been able to provide documentation regarding the IT department’s performance goals, which include modernizing mainframe apps.

Some key personnel kept files on their computers – files that were lost in a May 2019 ransomware attack that reportedly involved a strain of ransomware called RobbinHood. The attack partially paralyzed the city’s computer systems.

The Baltimore Sun quoted Pasch:

Performance measures data were saved electronically in responsible personnel’s hard drives. One of the responsible personnel’s hard drive was confiscated and the other responsible personnel’s selected files were removed due to the May 2019 ransomware incident.

The newspaper quoted an alleged exchange between Pasch and City Councilman Eric T. Costello, a former government IT auditor himself:

Costello: That can’t be right? That’s real?
Pasch: One of the things I’ve learned in my short time here is a great number of Baltimore City employees store entity information on their local computers. And that’s it.
Costello: Wow. That’s mind-boggling to me. They’re the agency that should be tasked with educating people that that’s a problem.

After the attack in May, Baltimore Mayor Bernard C. “Jack” Young not only refused to pay the ransom but also sponsored a resolution, unanimously approved by the US Conference of Mayors in June 2019, calling on cities not to pay ransoms to cyberattackers.

Baltimore’s budget office has estimated that due to the costs of remediation and system restoration, the ransomware attack will cost the city at least $18.2 million: $10 million on recovery, and $8.2 million in potential loss or delayed revenue, such as that from property taxes, fines or real estate fees.

The RobbinHood attackers had demanded a ransom of 13 Bitcoins – worth about US $100,000 at the time. It may sound like a bargain compared with the estimated cost of not caving to attackers’ demands, but paying a ransom doesn’t ensure that an entity or individual will actually get back their data, nor that the crooks won’t hit up their victim again.

The May attack wasn’t the city’s first; nor was it the first time that its IT systems and practices have been criticized in the wake of an attack. The first publicly reported attack against the city came in 2018, when attackers went after Baltimore’s emergency service dispatchers.

How to protect yourself from ransomware

  • Pick strong passwords. And don’t re-use passwords, ever.
  • Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep at least one copy offsite and disconnected from your network, so that ransomware that has already reached your systems can’t find and encrypt the backups too – and test that you can actually restore from them.
  • Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
  • Lock down Remote Desktop Protocol (RDP). Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.