Page 35 - Federal Computer Week, July 2019

As a result, employees were unable to send or receive email or electronically process real estate sales, water billing and other services for weeks.
The incident has left experts and the public alike wondering how it happened and how it could have been prevented.
The RobbinHood ransomware used in the attack encrypts files on a compromised system so that they cannot be read without the attackers' decryption key. According to a New York Times article, a central component of the attack was EternalBlue, a hacking tool developed by the National Security Agency and leaked to the public by the mysterious Shadow Brokers group in 2017. EternalBlue was also used in the WannaCry and NotPetya ransomware attacks that year.
NSA warned Microsoft about the SMB vulnerability the tool exploited shortly before the tool was leaked, and the company issued a patch (MS17-010) in March 2017, roughly a month before the Shadow Brokers release. But Baltimore had not updated its systems. When ransomware attackers scan the internet for vulnerable systems, they find easy targets in underfunded enterprises running a hodgepodge of applications, some of which have aged out of support.
On May 29, Young released a statement saying the city was in the process of restoring email and computer access to city employees. Public safety agencies had priority, but services at other agencies were also being restored. According to the statement, a successful pilot solution was being rolled out citywide.
That same day, Councilman Isaac Schleifer tweeted that the financial impact of the attack could exceed $18 million. “There should have been more safeguards in place, and now we find ourselves in a very costly predicament,” he told WBAL-TV 11.
How to prevent — or at least mitigate — an attack
Chris Duvall, a senior director at the Chertoff Group, said reliable backup systems can help mitigate a ransomware attack. Those systems should be tested and separated from networks to prevent access, and not all assets need to be backed up.
Brian Vecci, technical evangelist at Varonis Systems, acknowledged that backups help but cautioned that they aren’t a silver bullet.
“Almost every organization that gets hit with ransomware has backups,” but attackers can compromise those safeguards, too, he said. “If you’re really, really smart [as an attacker], you wait until the backups are overwritten or you encrypt the backups, too,” he said. “No one is going to solve the ransomware problem by having better backups.”
In addition, officials should monitor how file data is used and then make sure that users can access only what they need. According to Varonis Systems, about 20 percent of an organization’s data is accessible to every employee, which means that a Baltimore city employee who clicks on a malware-infected email message could instantly lock up 20 percent of data.
“If the only thing that governments did was start monitoring file usage, they would be much, much better equipped to prevent ransomware,” Vecci said.
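The file-usage monitoring Vecci describes keys on behaviour rather than on a malware signature: a single account rewriting or renaming far more distinct files in a minute than any human workflow does, typically changing their extensions as it goes. The script below is an added example and is not code from the article, from Varonis or from the city of Baltimore; it sketches such a detector over a constructed file-server audit log. The log format (ISO timestamp, account, action, path), the 60-second window and the 20-file threshold are assumptions chosen for the example, and the events are invented, not real Baltimore data.

```python
"""Added example: spotting ransomware-like bursts in file-server audit logs.

Assumed log format (one event per line):
    ISO-8601-timestamp  account  ACTION  path
where ACTION is READ, WRITE, DELETE or RENAME, and RENAME carries 'old -> new'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # sliding window per account (assumption)
FILE_THRESHOLD = 20                 # distinct files touched inside WINDOW (assumption)
DESTRUCTIVE = {"WRITE", "RENAME", "DELETE"}


def parse_event(line):
    """Split one audit line into (time, user, action, path, new_path_or_None)."""
    ts, user, action, rest = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if action == "RENAME":
        old, new = rest.split(" -> ", 1)
        return when, user, action, old, new
    return when, user, action, rest, None


def extension_changed(old, new):
    """True when a rename swaps the file extension (e.g. .docx -> .enc)."""
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()


def detect_bursts(lines, window=WINDOW, threshold=FILE_THRESHOLD):
    """Return one alert per account that modifies >= threshold distinct files within window.

    The alert record is updated while the condition keeps holding, so it ends up
    describing the peak of the burst rather than the first event that crossed the line.
    """
    recent = defaultdict(deque)   # user -> deque of (time, path, extension_changed)
    alerts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        when, user, action, path, new = parse_event(line)
        if action not in DESTRUCTIVE:
            continue                      # reads are normal and not counted
        q = recent[user]
        q.append((when, path, new is not None and extension_changed(path, new)))
        while when - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p, _ in q}
        if len(distinct) >= threshold:
            rec = alerts.setdefault(user, {"user": user, "first_seen": when})
            rec.update(
                files=len(distinct),
                renamed_to_new_extension=sum(1 for _, _, changed in q if changed),
                last_seen=when,
            )
    return list(alerts.values())


def _stamp(h, m, s):
    return f"2019-05-07T{h:02d}:{m:02d}:{s:02d}Z"


# Constructed sample (not real logs): alice works normally; bob's account rewrites
# 25 documents and renames them to .enc in under a minute, as ransomware would.
SAMPLE_LOG = (
    [
        f"{_stamp(8, 59, 58)} alice READ //fs1/finance/budget.xlsx",
        f"{_stamp(9, 0, 12)} alice WRITE //fs1/finance/budget.xlsx",
        f"{_stamp(9, 3, 40)} alice WRITE //fs1/finance/q2-notes.docx",
        f"{_stamp(9, 14, 0)} bob WRITE //fs1/shared/README.txt",
    ]
    + [f"{_stamp(9, 14, 1 + i)} bob WRITE //fs1/shared/doc{i:02d}.docx" for i in range(25)]
    + [
        f"{_stamp(9, 14, 26 + i)} bob RENAME //fs1/shared/doc{i:02d}.docx"
        f" -> //fs1/shared/doc{i:02d}.docx.enc"
        for i in range(25)
    ]
    + [f"{_stamp(9, 30, 0)} alice WRITE //fs1/finance/budget.xlsx"]
)


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector reports only bob: 26 distinct files inside the window, 25 of them renamed to a new extension, first flagged at 09:14:19 and still active at 09:14:50. The same logic applied to the 20 percent of data every employee can reach is what would let a monitoring team stop or isolate an account before the whole share is encrypted; the thresholds would be tuned against a site's own baseline rather than taken from this example.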
Layered defense is also necessary to stave off ransomware attacks, Duvall said. That includes regularly training employees on cyber hygiene
in the malware used to carry out the ransomware attack on Baltimore’s IT systems in May.
NSA officials have disputed that allegation, and experts have debated whether the blame should fall on the city for failing to apply the security patches released by Microsoft two years ago.
Since the 2017 attacks, the federal government has revamped its Vulnerabilities Equities Process, which pulls in representatives from key agencies to decide which zero-day vulnerabilities will be disclosed to the general public and which will be retained for intelligence or national security purposes.
Grant Schneider, U.S. chief information security officer and chairman of the VEP board, told reporters in April that although the government used to broadly search for and collect software vulnerabilities regardless of whether there was a clear use for them, that process has since become more targeted.
“We’re focusing our resources now on: ‘I’m trying to achieve a particular objective and...what vulnerabilities exist in order for me to achieve that objective?’” he said. “So it is far more narrowly focused than the broad-brush [approach].”
— Derek B. Johnson