Baltimore Ransomware Attack Takes Strange Twist

Kelly Jackson Higgins

Tweet suggests possible screenshot of stolen city documents and credentials in the wake of attack that took down city servers last week.

A mysterious and newly created Twitter account on May 12 posted what purports to be a screenshot of sensitive documents and user credentials from the city of Baltimore, which was hit late last week by a major ransomware attack.

Researchers at Armor who have been investigating the so-called Robbinhood ransomware used in the attack on the city discovered the post. They say it could be from the attacker, a city employee, or someone with access to the documents, or it could even be just a hoax. The city is still recovering from the May 7 attack, which has disrupted everything from real estate transactions awaiting deeds and bill payments for residents to services such as email and telecommunications.

Ransomware attacks typically are all about making money: Attackers demand a fee to decrypt victims’ files they have accessed and encrypted. Whether the tweet came from the attackers trying to put the squeeze on the city to pay up or threatening to abuse the kidnapped information is unclear.

City officials previously have said they have no plans to pay the ransom. “I think the mayor was very clear: We’re not paying a ransom,” said City Council president Brandon Scott in an interview yesterday on a local CBS affiliate.

Eric Sifford, security researcher with Armor’s Threat Resistance Unit (TRU), discovered the Twitter post appearing to taunt or threaten Baltimore officials. He says he’s not sure whether the tweet came from the actual attackers. “They are trying to make a statement … and to show that they not only were able to encrypt major portions of network of the city … but they have a lot of internal access,” as well, if the documents in the screenshot are legitimate, Sifford says.

Armor today will post a blog with an obfuscated shot of the tweet and account to ensure the City of Baltimore gets the chance to change the posted usernames and passwords if, indeed, they are legit.

Dark Reading has viewed the full Twitter account and post but is only publishing the obfuscated information.

Source: Armor

Meanwhile, the Robbinhood attackers in their ransom note demanded $17,600 in bitcoin per system — a total of about $76,280, according to analysis by Armor. The bitcoin wallet for the ransom for the city had not been used at this time, the researchers say, indicating the city has kept its vow not to pay.

Most of Baltimore’s servers were shut down as officials investigated the attack last week, but its 911 and 311 systems were not hit, according to reporting by The Baltimore Sun. When the attack was spotted, employees at City Hall were told to unplug Ethernet cables and shut down their computers and other devices to stem the spread of the malware, Baltimore city councilman Ryan Dorsey told the Sun.

Efforts today to reach some Baltimore city officials, including the office of the city’s newly named mayor, Bernard C. “Jack” Young, were unsuccessful in several cases, in part because email is down for many employees, and several departments are instead using Google Voice voicemail to get messages.

A spokesperson for Baltimore City Council Member Zeke Cohen, whom Dark Reading was able to contact, said Cohen’s office did not have any information on the tweet, nor could they verify whether the information and documents in the screenshot are from the information encrypted by the ransomware attackers.

Security expert John Bambenek, director of cybersecurity research at ThreatStop, says the tweet looks relatively legitimate. “Either someone spent real effort trying to find documents from public sources or it’s our guy. Either way, he just put himself on the menu for the FBI if he’s not,” Bambenek says.

‘Hurry Up!’

Armor said the Robbinhood ransom note also warns the city not to call the FBI, or risk the attackers going away and leaving the files encrypted. “We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the ransom note said, specifying payment within four days or the fee would increase. After 10 days, the data would no longer be recoverable, the note said, according to Armor.

“We won’t talk more. All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!” the note read, according to Armor.

The same ransomware recently hit the city of Greenville, N.C., as well as several power companies in India last month, according to the security firm.

Meanwhile, Baltimore’s ransomware attack is one of 22 against state and local government entities so far in 2019, Armor notes. Other victims include Washington, Pennsylvania; Amarillo, Texas; Cleveland Airport, Cleveland, Ohio; Augusta City Center, Augusta, Maine; Stuart, Florida; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Jackson County, Georgia; Schools System of Taos, New Mexico; Del Rio, Texas; Atlanta, Georgia; and Leominster, Massachusetts.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Think Your Business Is Too Small to Get Hacked? Wake Up!

Andy Norton

Sixty percent of small- to mid-sized businesses (SMBs) go bankrupt six months after suffering a cyberattack. The risk is simply too great. SMBs need to strengthen their digital security.

Uber, Equifax, Yahoo… if you look only at the headlines, you’d probably think that digital attackers target just large corporations. Many small business owners are of this viewpoint. According to a 2017 survey by Paychex, more than two-thirds (68 percent) of small business owners are not worried about their business being hacked. Not only that, but the same study revealed that 90 percent of small business owners feel at least somewhat confident that their organization could recover from a security incident in the event one happened.

This perspective boils down to the fact that many SMBs don’t feel they’re important enough to suffer a digital attack. As the Huffington Post found in a survey, small businesses reasoned that they’re safe because they don’t store sensitive information. But more than half of organizations admitted to storing email addresses (68 percent), phone numbers (64 percent), and billing addresses (54 percent). Such a disconnect suggests that SMBs don’t understand the value of the personally identifiable information (PII) they currently store.

It also explains why SMBs just aren’t investing in their digital security. This reality became apparent in a 2015 small business technology survey conducted by Time Warner Cable Business Class (TWCBC). In the study, a third of small business owners said that they manage their own network security solutions, while 27 percent disclosed that they don’t use any security solution.

These findings are consistent with those of other studies, including the following:

  • The vast majority of businesses divulged to the Huffington Post that they’re doing little to prepare themselves against online threats. This lack of preparation extends to their dismissal of basic digital security hygiene. For example, just 38 percent of SMBs stated that they upgrade their security solutions and 22 percent encrypt databases.
  • Sixty-five percent of respondents to a 2017 Ponemon Institute report admitted that they don’t strictly enforce their own password security policies.
  • A PwC survey found that companies with less than $100 million in revenue actually reduced their digital security spending. They cut their budgets despite the fact that digital attacks themselves became more numerous than ever over the course of the year.

Clearly, many small- and mid-sized businesses have simply dismissed the notion that they need to worry about digital security. CloudEntr uncovered as much when 60 percent of SMBs said that recent data breaches had no impact on their security policies. It’s, therefore, no surprise that three-quarters of SMBs told IDT911 that they don’t have any cyber insurance. They don’t think they’ll suffer an attack themselves, so why waste resources in protecting themselves in the event that they suffer one?

The Consequences of Treating Digital Security as an Afterthought

Such an inadequate response to digital security threats has had a, well, predictable result. As the U.S. Securities and Exchange Commission found back in 2015, small businesses have increasingly become easier targets for digital attackers than enterprises, as SMBs possess fewer resources with which to defend themselves against the same types of digital threats targeting large enterprises. This disparity makes SMBs softer targets for online criminals. Indeed, it’s no wonder that data compiled by SCORE showed that almost half of all digital attacks (43 percent) now target small businesses.

Not surprisingly, it’s also bad when one of these digital attacks is successful. Without proper digital security safeguards, bad actors can essentially run through a victim SMB’s network and do whatever they want. And without cyber insurance, SMBs have little chance of recovering from the costs associated with a data breach. That’s why 60 percent of small businesses go bankrupt just six months after suffering a digital attack, as reported by BankInfoSecurity.

The Future of Digital Security for SMBs

Small business owners – you really need to step up your game if you hope to adequately protect your business against digital threats. And we get it: you wear many hats, and security may not be one of them. But you don’t have to figure it all out yourselves and go it alone.

Most SMBs obviously aren’t large enough to have their own security teams, but you can look to the expertise and capabilities of a security services provider that can fulfill your digital security needs. Just don’t go with the first managed security services provider (MSSP) you find. It’s essential to do your research carefully and look for a company that uses an AI-based security solution to monitor the network for suspicious activity while helping its own analysts navigate the growing flood of alerts across their entire client base. Otherwise, as I said before, the volume of alerts will outstrip their capacity to investigate them, increasing the risk that an attack will get past their defenses and reach your business.

That’s where Lastline comes in. Unlike other AI solutions, Lastline blends network traffic analysis with sandboxing to monitor for anomalous behavior and to evaluate these findings for malicious indicators. This technique enables Lastline to provide high-fidelity insights into what’s truly going on without generating false positives that waste the MSSP analysts’ time.

We have selected and trained very high-quality MSSPs to use our software on behalf of their SMB customers. It’s a relationship that could save your business without requiring you to become a security expert so that you can continue to focus on all of the other parts of keeping your business running smoothly.

*** This is a Security Bloggers Network syndicated blog from Blog – Lastline authored by Andy Norton.