It has been nearly two months since a massive ransomware attack that hit the city of Baltimore, and the city is still in crisis, with residents still unable to pay bills and fines.
The city decided not to pay the as-yet unidentified hacker the ransom demand of 13 bitcoins (equivalent to approximately $80,000) and has instead tried to handle the incident itself. Rather than paying up, the city administration shut systems down, bringing many services grinding to a halt with officials locked out of their data and systems.
Current estimates put the cost of recovering from the hack to be at least $18 million.
The attack encrypted vital files, rendering them unusable. Residents have been prevented from paying utility bills, parking tickets, and some taxes. They’ve also been blocked from obtaining business licenses, building permits and even buying and selling homes. The city has said the majority of systems are now back up and running but is still experiencing issues with processing payments.
However, the city’s response remains controversial, and the city has asked for the incident to be declared a federal emergency disaster, which would allow for federal reimbursement for damages, costs and infrastructure repairs.
While that may seem a far-fetched claim, the hack has been linked to the EternalBlue exploit which the New York Times alleges was discovered by the NSA and kept secret for many years.
The exploit targets a bug in old versions of the Microsoft Windows operating system and has been implicated in a range of cyber-attacks over the past three years, including the WannaCry assault that disrupted the UK’s National Health Service (NHS).
In the Baltimore incident, several sources have said that the ransomware arrived via a phishing attack against a city employee, who likely opened an unsafe link or attachment exposing their system to the attack. Once a foothold was established, code copied and pasted from the EternalBlue exploit helped the ransomware spread across the network.
Microsoft released fixes for the exploited flaw in March 2017, and cybersecurity and endpoint protection software providers moved quickly to ensure they had the flaw covered.
Many residents are asking why a two-year-old patch hadn’t been deployed, heaping further pressure on the city’s IT team, which is already under increased scrutiny, having seen four Chief Information Officers either resign or get fired over the past seven years – two leaving while under investigation. Combined with an unusually low IT outlay, this has paved the way for the current disaster.
However, as shown by the NHS WannaCry attack, organizations have been slow to react – especially those using older systems that require centralized updates to be rolled out. For many organizations, rolling out patches can be a non-trivial exercise, as specialized systems are often not compatible with the updates, and fixes need to be thoroughly tested.
The city first focussed on containing the ransomware and creating a quarantined environment from which the affected systems could be repaired. Since then, systems have slowly started coming back online, but the city has warned it will be a lengthy process before everything is back up and running.
If large organizations are struggling to keep ahead of attacks such as these, what lessons can we learn to ensure we too don’t fall foul of similar attacks?
The first is to ensure that all patches are installed swiftly after release and that people are trained to recognize malicious attacks.
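As an added example (not from the original post), the following PowerShell script audits a single Windows host for the two conditions that let EternalBlue spread: SMBv1 still enabled, and the March 2017 Microsoft update (security bulletin MS17-010) missing. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or newer, run as Administrator; the KB list is a placeholder to be filled from Microsoft's MS17-010 bulletin for the OS build being checked.

```powershell
# Added audit example, not code from the original post.
# Checks whether a host is still exposed to the flaw EternalBlue abuses.
param(
    # PLACEHOLDER: KB article IDs for this OS build, taken from Microsoft's
    # MS17-010 bulletin (the KB number differs per Windows version).
    [string[]]$Ms17010KBs = @('KB-PLACEHOLDER')
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Is the SMBv1 server protocol (the one the exploit targets) still enabled?
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 2. Is the SMB1 optional feature installed at all? (On Server SKUs the
#    equivalent check is Get-WindowsFeature FS-SMB1; errors are ignored here.)
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
               -ErrorAction SilentlyContinue
$smb1Installed = ($null -ne $smb1Feature) -and ($smb1Feature.State -eq 'Enabled')

# 3. Is at least one of the listed MS17-010 updates present?
$installedKBs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$foundKBs = @($Ms17010KBs | Where-Object { $installedKBs -contains $_ })
$patched = $foundKBs.Count -gt 0

$findings = @()
if ($smb1Enabled) {
    # Remediation: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $findings += 'SMBv1 server protocol is ENABLED.'
}
if ($smb1Installed) {
    # Remediation: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $findings += 'SMB1Protocol feature is installed.'
}
if (-not $patched) {
    $findings += "None of the listed MS17-010 updates ($($Ms17010KBs -join ', ')) is installed."
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: SMBv1 disabled and an MS17-010 update is present.' -ForegroundColor Green
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" -ForegroundColor Yellow }
}
```

Run it across a fleet (for example via Invoke-Command) to find the hosts where the two-year-old patch was never applied, which is exactly the gap the article describes.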
Organizations and home users should also look to install comprehensive endpoint security systems that combine antivirus, firewall, and enhanced monitoring capabilities to aid in the prevention, detection, and remediation of attacks. The best systems, such as Panda Dome, now use big data and AI to monitor every running application and detect attacks before they happen.
To learn more about the protective power of AI and how it can protect you right now, please download a free trial of Panda Security Dome.