Cyberattack on Baltimore in 2019

From Wikipedia, the free encyclopedia

On May 7, 2019, unknown extortionists attacked the computer systems of the city of Baltimore (Maryland, USA). They used a variant of the ransomware RobinHood, which infected the computer systems of the city administration. Most systems failed or had to be shut down as a precaution.

Course

The attack began early in the morning of May 7, 2019. Systems failed one after another. When those responsible recognized the extent of the attack, they switched off the remaining systems to limit the damage. By around 9 a.m., most of the city administration's computer systems had failed, and much of the data was encrypted.

Demands appeared on the screens: the city was to pay 3 Bitcoin per system, or 13 Bitcoin (around 75,000 US dollars at the time of the attack) for the entire city, within three days in order to receive the key to restore the data. The extortionists also threatened that the ransom would rise on the fourth day and that all of the city's data would be lost on the tenth day.

The city hired security firms to regain control of its systems and data. The FBI and the Secret Service investigated. It took Baltimore several weeks to restore the computer systems; on June 12, 2019, around 70 percent of employees were back online.

The city did not pay the ransom. Instead, it set aside a $10 million emergency fund to restore and secure the systems.

Effects

The city's employees (around 7,000 PC users) could no longer access their PCs, and numerous citizen services, such as water billing, were unavailable. The police and transport departments struggled with email and telephone problems. Land and real estate sales could not be completed; around 1,500 property sales were delayed as a result. Only the police, fire brigade and emergency call systems continued to operate.

According to the city's estimates, the damage totaled 18.2 million US dollars: approximately $10 million to restore and secure the systems and $8.2 million in lost revenue.

Technical background

The attackers used a fairly new variant of the RobinHood ransomware, which in turn exploited the EternalBlue vulnerability in older Windows systems. The EternalBlue exploit was originally developed by the US foreign intelligence service, the NSA, which used it for its own purposes for several years. The NSA therefore did not report the EternalBlue vulnerability to Microsoft until it was forced to do so by the revelations of the hacker group Shadow Brokers in 2017. Microsoft closed the gap in Windows immediately, but this only secured the systems on which the patch was actually installed. Since then, the vulnerability has been used by several families of malware for attacks (besides RobinHood, for example WannaCry).

RobinHood does not spread over the network on its own; the software has to be deployed to each individual system. The attackers must therefore have had administrative access to at least one of the systems beforehand and then gradually distributed the malware from there. Once started on a system, the software begins to encrypt the data. For this, a public RSA key must have been distributed to the systems before the attack.
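The two preceding paragraphs name the preconditions the attack relied on: Windows hosts still exposing the SMBv1 stack that EternalBlue targets, and broad administrative access from which the ransomware could be deployed host by host. The following PowerShell audit is an added example written for this article and is not code from the article, from the city of Baltimore, or from any of the cited investigations. It uses only standard Windows cmdlets; the `$report` field names are the author's own choice, and the remediation command in the warning is Microsoft's documented way to disable SMBv1 on the server side.

```powershell
# Added defender-side audit (not from the article): reports whether this host
# still exposes the SMBv1 service that EternalBlue targets and who holds local
# administrative rights, the access the article says the attackers needed.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later.
$report = [ordered]@{}

# 1. Is the SMBv1 protocol enabled on the server side? EternalBlue works only against SMBv1.
$smb = Get-SmbServerConfiguration
$report['SMB1Enabled'] = $smb.EnableSMB1Protocol

# 2. Is the SMBv1 optional feature installed at all? (Absent on some editions; treated as NotPresent.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1FeatureState'] = if ($feature) { $feature.State } else { 'NotPresent' }

# 3. Is TCP 445 (SMB) listening? Combined with 1, this shows whether the host is reachable by an SMBv1 exploit.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$report['Port445Listening'] = [bool]$listeners

# 4. Local Administrators membership: every account here can deploy software to this host,
#    which is the access the article says the attackers must have had.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$report['LocalAdmins'] = $admins -join ', '

# 5. Most recently installed update, as a rough indicator of patch currency.
#    MS17-010 (the EternalBlue fix) shipped in March 2017; a host whose newest update predates that is unpatched.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LatestHotFix'] = if ($latest) { "$($latest.HotFixID) ($($latest.InstalledOn))" } else { 'None found' }

[pscustomobject]$report | Format-List

if ($report['SMB1Enabled']) {
    Write-Warning 'SMBv1 is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if ($admins.Count -gt 2) {
    Write-Warning "Local Administrators has $($admins.Count) members; review whether each one needs that access."
}
```

Two caveats when using this as a checklist. `Get-HotFix` lists individual KB articles, and the MS17-010 patches have long since been superseded by cumulative updates, so a missing MS17-010 KB number does not by itself mean the host is vulnerable; compare the OS build against Microsoft's update history instead. And the check is per host: the article's point is that a fleet-wide inventory is needed, because the attackers only needed one unpatched or administratively reachable system to start from.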

According to experts, Baltimore was not specifically targeted. Rather, such attackers scan a large number of systems until they happen upon one with a security hole.

Investigations

No individuals or groups behind the attack have been named.

Reactions and public discussion

The New York Times reported that the NSA's exploit had been developed with US taxpayer money and was then, after the NSA software had leaked, used to extort American cities (besides Baltimore, also Allentown (Pennsylvania), Greenville (North Carolina) and San Antonio (Texas)). The NSA and the FBI declined to comment.

At the time of the attacks, the IT infrastructure in Baltimore and other American cities was not up to date. Those responsible in Baltimore had issued a warning a year earlier, but no corresponding funds were made available in the budget.

The Pirate Party Germany warned that such attacks on cities and infrastructure are also possible in Europe.
