Federal authorities are working with the Baltimore City Office of Information and Technology to figure out how hackers managed to infiltrate municipal computer systems on Tuesday morning, holding employees’ computers hostage unless they coughed up a Bitcoin ransom.

BCIT Director Frank Johnson told reporters this morning that the FBI is investigating the ongoing Robbinhood ransomware virus outbreak, and has confirmed it’s “a fairly new variant that is quite aggressive. Technicians right now are trying to remediate the root cause [and] exactly what’s been impacted and affected.”

Dave Fitz, a spokesman for the FBI’s Baltimore field office, confirmed investigators are working with the city to identify what caused the attack.

“We are currently collaborating with the Cyber Division at FBI Headquarters and other FBI field offices to see commonalities in this ransomware attack and others that have occurred in the past,” he said in an emailed statement. “We are working to track the actors and identify and disable the technical infrastructure to prevent future attacks.”

Johnson said he couldn’t yet say how the infection began because it’s still under investigation. As for how long until employees can get back to using their computers, he said, “that’s still being assessed. As soon as we know how long the city will be offline, we will communicate that to everyone.”

Employees at various agencies sat down at their desks yesterday to find a note on their screen telling them to pay up if they wanted to get access to their data back. One employee at City Hall confirmed to Baltimore Fishbowl this morning that they’re still locked out of their work computer, and said staff have been asked not to use their phones.

Another city employee who asked to remain anonymous sent along a shot of their computer being held hostage yesterday.

“We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the grammatically flawed but ominous ransomware notice read. “You must pay us in 4 days, if you don’t pay in the specified duration, the price increases $10,000 each day after the period.”

While lacking in proper punctuation, it was aggressive in tone: “All procedures are automated so don’t ask for more times or somthings [sic] like that we won’t talk more, all we know is MONEY. If you don’t care about we wont too. So do not waste your time and hurry up! Tik Tak, Tik Tak, Tik Tak!”

The message asked for 13 bitcoins as ransom, equivalent to about $76,282 at the current exchange rate. It provided a link for shut-out employees to send the money.

Mayor Bernard C. “Jack” Young said this morning that officials have no plans to pay the hackers, who are using what officials say is a new form of software known as Robbinhood. At least one other city, Greenville, North Carolina, was recently hit with the same software, also prompting a federal investigation.

“No, I will not pay a ransom to anybody,” Young said in response to a reporter.

Young and Johnson both stressed that public safety-related systems are operational, including 911 and 311. “And for now, if anyone needs to contact the city, the best way is to pick up the plain old telephone and give us a call,” Johnson said. “All of our phones are working.”

The ransomware attack also left city and county utility customers unable to pay their water and sewer bills online. As a result, the Department of Public Works has suspended late fees until further notice.

Young said he’s considering putting municipal employees to work elsewhere if they stay locked out of their computers–including cleanup duty on city streets, one of his chief stated goals upon entering into the mayor’s office last week.

“If we are in this for longer than we anticipate, I will be asking city employees who really can’t do their work because of their computer systems, Would they be willing to go out and help us clean up the city?” he said.

The attack marks the second ransomware virus to breach city systems in just over a year. In March 2018, hackers shut down Baltimore’s 911 system for a day after breaching the city’s dispatch system for 911 and 311 calls.

Johnson said he could not comment on how often BCIT identifies and patches vulnerabilities, saying that detail is part of the federal investigation, but assured, “we have a very, very good capability.” He said there have been multiple assessments of Baltimore’s IT infrastructure since he arrived in 2017.

“Unfortunately, there’s a race between bad actors and the cybersecurity industry,” he said. “Once they know how to mitigate and keep bad things out, the bad guys go one step ahead of them, and we’re in this vicious race.”

This story has been updated.

Ethan McLeod

Ethan McLeod is a freelance reporter in Baltimore. He previously worked as an editor for the Baltimore Business Journal and Baltimore Fishbowl. His work has appeared in Bloomberg CityLab, Next City and...