Did Baltimore city pay the ransom?

In May 2019, Baltimore city government computer systems were hit by a ransomware attack that prevented employees from sending emails and disrupted real estate sales, water bills, health alerts and many other services. The attackers demanded 13 bitcoin (around $76,000 at the time) to release the encrypted files. Rather than pay, Baltimore city officials refused to negotiate and instead worked to restore systems and data from backups. This high-profile attack raised pressing questions: Should public agencies ever pay ransoms? Does refusing to pay incentivize future attacks? Here we examine the strategic, ethical and legal considerations around ransomware payments by government entities.

What was the impact of the Baltimore attack?

The ransomware attack severely disrupted municipal operations for weeks. Employees were locked out of email, payment systems, and databases they relied on for their daily work. The city had to shut down automated systems for home sales, some utility billing, parking tickets, and business licenses. 911 dispatchers had to dispatch calls manually. Poll workers had to check in voters on paper for the city council election. Trash pickup was delayed because routes had to be scheduled by hand. In total, the attack cost the city over $18 million in restoration efforts and lost revenue. While the city was able to slowly restore systems from backups, some data was unrecoverable. The attack exposed how vulnerable cities are to modern cyber threats.

What kind of ransomware was used?

The specific ransomware used against Baltimore was called RobbinHood. It is a variant that encrypts files, deletes backups, and makes encrypted files undetectable to antivirus software. A ransom note was left on infected computers demanding payment in bitcoin to receive a decryption key. RobbinHood exploits weaknesses in older Windows operating systems. It spreads rapidly across networks by stealing administrator credentials and moving laterally. Similar ransomware strains have been used in many other high-profile attacks against cities and companies worldwide.

Should Baltimore city have paid the ransom?

Whether to pay ransoms to criminal hackers is a complex dilemma. There are reasonable arguments on both sides:

Reasons to pay:

  • It’s often the quickest way to regain encrypted data and restore services.
  • Paying small ransoms is cheaper than rebuilding compromised systems.
  • Paying may prevent future attacks by proving the city will pay up.
  • Taxpayers expect services to be restored quickly at any cost.

Reasons not to pay:

  • Paying rewards and incentivizes criminal hackers to continue attacks.
  • There are no guarantees encrypted data will be released.
  • It sets a precedent that the city negotiates with cyber terrorists.
  • Taxpayer funds should not bankroll illegal cyber crime activity.

In the case of Baltimore, the $76,000 ransom was a relatively small price to pay to immediately restore critical city services. However, paying ransoms funds criminal enterprises and there was no guarantee the hackers would provide working decryption keys. Refusing to pay sent a strong message that Baltimore will not be manipulated by cyber extortion.

What were the pros and cons of Baltimore’s response?

Baltimore took a firm stance to not pay the ransom or negotiate with the attackers. This had both benefits and drawbacks:

Pros:

  • Showed resolve to withstand cyber extortion.
  • May deter future ransomware attacks.
  • Avoided bankrolling criminal hackers.
  • Forced departments to overcome outage challenges.

Cons:

  • Restoration took longer without keys.
  • Some data and hardware were unrecoverable.
  • Citizens suffered weeks of service disruptions.
  • Response costs exceeded the ransom amount.

In the end, refusing to pay the ransom was arguably the ethically and legally correct decision, though it came at a high operational cost. Baltimore proved it had the resilience to eventually recover without paying, though many small businesses and cities do not.

What security measures did Baltimore implement after the attack?

In the aftermath, Baltimore took steps to harden its security and prevent future attacks:

  • Replaced older unsupported Windows systems vulnerable to RobbinHood.
  • Segmented networks to limit lateral ransomware spread.
  • Implemented new endpoint detection and response tools.
  • Invested in additional staff cybersecurity training.
  • Enhanced network monitoring capabilities.
  • Increased use of cloud services and offsite backups.

By modernizing infrastructure, improving defenses, and backing up critical data offline, Baltimore aimed to be a far tougher target in the future. Nevertheless, ransomware remains an ongoing threat that all cities must vigorously defend against.

Should governments ban ransom payments?

Some federal law enforcement voices have advocated legally prohibiting ransom payments by public agencies. The argument is that banning payments will deter attacks by eliminating the economic incentive. However, outright bans are controversial for several reasons:

  • Bans could perversely increase attack severity as hackers have no incentive to unlock systems.
  • Public pressure often forces payments despite bans in major outages.
  • White hat third parties can legally pay if public entities are banned.
  • Blanket bans reduce flexibility in responding to attacks.

Rather than explicit legal prohibition, a more nuanced policy could set guidelines advising against payment except for saving lives or critical infrastructure. This retains flexibility while discouraging payment. More importantly, bolstering cyber defenses remains the top priority for preventing successful ransomware attacks regardless of payment policies.

How does insurance cover ransomware attacks?

As ransomware attacks increase, cyber insurance is becoming crucial for public and private entities. Policies may cover:

  • Costs for incident response and digital forensics.
  • Business interruption and recovery expenses.
  • Replacement of compromised hardware.
  • Notification costs and victim credit monitoring.
  • Potential legal liabilities and fines.

However, insurers are increasingly wary of ransomware exposures. Some may refuse coverage unless rigorous security controls are implemented. And most cyber insurance policies do not cover ransom payments due to concerns over funding criminal activity. Baltimore reportedly had $20 million in cyber insurance to offset costs from the attack.

How can cities improve ransomware resilience?

The Baltimore attack highlighted key steps cities can take to improve ransomware resilience:

  • Isolate and upgrade legacy systems prone to ransomware.
  • Install next-gen antivirus and endpoint detection tools.
  • Enforce multi-factor authentication for all remote access.
  • Segment and monitor network traffic to detect threats.
  • Conduct frequent backups with offsite storage and redundancy.
  • Develop robust incident response and recovery plans.
  • Train employees on cybersecurity best practices.

Hardening defenses provides the best protection against crippling outages. However, no city will be impenetrable. Developing effective backup plans and emergency procedures can minimize disruption when ransomware inevitably penetrates defenses.

Key lessons from the Baltimore ransomware attack

Baltimore’s experience offers instructive lessons for cities facing the growing ransomware threat:

  • Modern ransomware spreads rapidly and can cripple digital services.
  • Legacy systems and lax security increase vulnerability.
  • Restoring from backups is slow, costly, and imperfect.
  • Outright payment bans are controversial and can backfire.
  • Cyber insurance helps share financial risk.
  • Cities must harden defenses and resilience procedures.

By studying cases like Baltimore’s response, other cities can prepare more effectively for the ransomware attacks they will almost certainly face in an increasingly digitized world. Careful, proactive planning to avoid outages and to recover from them is essential.

Conclusion

The Baltimore ransomware attack of 2019 offers a sobering case study for government cyber resilience. By refusing payment and gradually restoring systems internally, Baltimore established a strong stance against rewarding criminal hackers. However, this came at a steep price in city services disrupted, revenue lost, and recovery costs far exceeding the ransom amount. Baltimore’s experience shows cities must devote greater resources to modernizing legacy IT systems, training employees on security, continuously backing up data, and developing robust emergency plans. Ransomware is among the most serious threats facing municipal governments today. Only by learning from past attacks can cities effectively harden defenses and implement policies that balance deterrence, recovery speed, cost, and the public interest. There are no easy choices, but proactive planning is key to managing ransomware risks and building urban cyber resilience.
