This was the day the Baltimore city government was hit by a ransomware attack. The interviews with city officials below are cited from the MIT course on the edX platform.
INSIGHTS
On May 7, 2019, Baltimore city government computers were infected with ransomware that encrypted files, leaving users unable to access critical information. As a result, important city servers had to be shut down. The attackers demanded a payment of about $75,000 in bitcoin, in exchange for which they promised to provide the city with the decryption keys needed to unlock the encrypted files. The Mayor refused to pay the ransom (in line with a policy at the time adopted by the US Conference of Mayors). Later, the city's budget office estimated that the cost of recovery amounted to more than $18 million.
[Todd Carter, Acting Chief Information Officer, Baltimore, MD]
“My first day at Baltimore City, as the deputy CIO at the time, was May 6. Came in, did all kinds of meeting requests. And the next day, May 7, the ransomware hit. And at that point in time, there was something going on. People were coming and going back and forth between floors, and that's when we realized that the ransomware had struck Baltimore City. What we found out later was that earlier that morning we had people get alerts that identified that something was going on within our system. That's when we started to realize that we had been attacked.”
[Eric Costello, Councilman, Cybersecurity and Emergency Preparedness Committee Co-Chair, Baltimore, MD]
“I found out about the attack early in the morning of May 7, about 2:00 in the morning, when my email on my mobile device was not updating. Frank Johnson, who was the CIO, did not communicate with members of the council. It was really frustrating and disappointing. We wanted to be able to get information out to our constituents about the public-facing systems that were not online, as well as let our constituents know that we're still open for business and that we could support them, but that email was down and that our voicemail was down as well. So without having that information communicated to us by the CIO at the time, we weren't able to get that information out there. We were operating a bit in the dark, if you will, as to what exactly was going on.”
[Sheryl Goldstein, Deputy Chief of Staff of Operations, Baltimore, MD]
“I do think one of the things that was unique to Baltimore about the cyber attack is we were undergoing a mayoral transition at the time. And so the former mayor had gone out on a leave and then formally resigned. The new mayor was the ex officio mayor, but was sworn in as mayor two days after the cyber attack. He was still putting together his leadership team, and so I actually did not come to work in the city until about a week after the cyber attack had unfolded. I knew the cyber attack had happened, and I was in communication, to get myself up to speed, with our leadership team who was working on this issue within the first few days of the cyber attack. Our IT department was undergoing their own forensic analysis and looking at the impacts on systems. We really dispatched our CitiStat analysts to each of the agencies to talk to each agency about what systems of theirs had been impacted, how it was impacting their operations, and to understand what the biggest priority issues were in terms of operations and providing services to the city and to the residents that were impacted by the cyber attack. When the attack happened, the city was severely impacted in terms of its access to information. In the short term, people were unable to use email, unable to access our shared drives and systems. And as a matter of security precautions, our agencies that connected to outside systems, those connections were severed to protect the outside entities until we felt that everything was secure. So for the first several weeks we were severely limited.”
[Todd Carter, Acting Chief Information Officer, Baltimore, MD]
“It was somewhat surreal because how pervasive was the attack? We knew it was ransomware, so our team reached out to see if we could determine, did they have the keys to decrypt encrypted files. At that point in time, we found out that it didn't. It was another strain of ransomware called RobbinHood. So our initial communication to the organization was, one, we let the leadership know, the mayor and the cabinet and officials, that this is what's going on. Two, we let the broad employees know: unplug your machines. Let's stop the potential spread. We put out an alert as well. That's how we got the word out. We also went out to our Office of Emergency Management Director. We also had to communicate with the Secret Service, Homeland Security, and the FBI. They came on site right away. We also reached out to the MS-ISAC, the Maryland state information sharing group, so that other state agencies would know. Realizing that we were hit, our first action was to stop the spread and then begin to let everyone internally within Baltimore know, but also our external stakeholders and partners too. What we found when we pulled the plug-- we're talking in the span of hours that span into one day versus the next-- we had some people, they were just pulling plugs from some of their machines. They were disrupting their phones because they would pull the VoIP connection line. So we literally had to restate: just leave your machine as it is. Don't touch anything. So we gave that additional guidance out once we found that our phones were working fine, our public safety organizations were working fine. We had to just give more specifics on what you need to do until we find out what was really going on. And we needed those machines on so that we could deploy our security agents.”
[Sheryl Goldstein, Deputy Chief of Staff of Operations, Baltimore, MD]
“The number one issue was this lien release issue. In the first week, we quickly understood that people weren't going to be able to buy and sell homes unless we made a determination about how to fix this problem. Because of the financial impact, just from an IT perspective for the cyber recovery effort, there's been about a $10 million price tag on that. In terms of our lost or deferred revenues, our fiscal office has projected $8 million, but at this point we can't conclusively say how much is lost revenue and how much is deferred revenue. And we know that we're going to have lost penalties, for example, in late fees, because for our parking tickets and our water bills, since people were not able to pay those online, we suspended all fees and penalties, which was the right thing to do, of course. And so those types of penalties and fees we will not recover. There will certainly be some lost revenue, but much of it will be deferred revenue as opposed to lost. At the other end of the spectrum, in terms of scale, was a small problem but could be a very significant problem, in that the database at the fire department that contained the information about houses that had burned down, you weren't able to access that. If anybody had significant damage to their home and was filing an insurance claim, they needed access to those documents and that information. But the system was ultimately recovered in a short period of time so that people were able to move forward with their claims, so that they could get the relief they needed. We looked at a lot of different aspects and did everything we could to prioritize things that were customer facing, citizen facing, so that we could restore operations in a strategic, smart, citizen-friendly way. Again, there's no question it had a significant impact on the city being able to operate until we could get everybody-- their computers back up and get email back up. And we had between 1,500 and 2,000 computers, either laptops or hard drives, that had been impacted by the ransomware attack. We had to replace them. And then every single city employee had to re-authenticate themselves, and having a new password that had certain password parameters, BCIT developed a protocol for that. And we went agency by agency, and then we tracked what percentage of users were back on. And then it was most challenging for the police and our Department of Public Works, and at a number of remote locations, and people working shift work, trying to get everybody back in and back on. But probably within a week's time of that authentication process, about 85% of our users were back online, and that got things up and going again.”
[Eric Costello, Councilman, Cybersecurity and Emergency Preparedness Committee Co-Chair, Baltimore, MD]
“The attack wasn't really the issue. It was more so how the CIO responded to it. There were a number of issues, again, with his lack of communication, the posture that he took with external vendors. So there are a number of different issues associated with the CIO. The lack of coordination and communication, I think, are the two biggest things.”