
Federal authorities are working with the Baltimore City Office of Information and Technology to figure out how hackers managed to infiltrate municipal computer systems on Tuesday morning, holding employees’ computers hostage unless they coughed up a Bitcoin ransom.
BCIT Director Frank Johnson told reporters this morning that the FBI is investigating the ongoing Robbinhood ransomware virus outbreak, and has confirmed it’s “a fairly new variant that is quite aggressive. Technicians right now are trying to remediate the root cause [and] exactly what’s been impacted and affected.”
Dave Fitz, a spokesman for the FBI’s Baltimore field office, confirmed investigators are working with the city to identify what caused the attack.
“We are currently collaborating with the Cyber Division at FBI Headquarters and other FBI field offices to see commonalities in this ransomware attack and others that have occurred in the past,” he said in an emailed statement. “We are working to track the actors and identify and disable the technical infrastructure to prevent future attacks.”
Johnson said he couldn’t yet say how the infection began because it’s still under investigation. As for how long until employees can get back to using their computers, he said, “that’s still being assessed. As soon as we know how long the city will be offline, we will communicate that to everyone.”
Employees at various agencies sat down at their desks yesterday to find a note on their screen telling them to pay up if they wanted to get access to their data back. One employee at City Hall confirmed to Baltimore Fishbowl this morning that they’re still locked out of their work computer, and said staff have been asked not to use their phones.
Another city employee who asked to remain anonymous sent along a shot of their computer being held hostage yesterday.
“We’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections,” the grammatically flawed but ominous ransomware notice read. “You must pay us in 4 days, if you don’t pay in the specified duration, the price increases $10,000 each day after the period.”
While lacking in proper punctuation, it was aggressive in tone: “All procedures are automated so don’t ask for more times or somthings [sic] like that we won’t talk more, all we know is MONEY. If you don’t care about we wont too. So do not waste your time and hurry up! Tik Tak, Tik Tak, Tik Tak!”
The message asked for 13 bitcoins as ransom, equivalent to about $76,282 at the current exchange rate. It provided a link for shut-out employees to send the money.
Mayor Bernard C. “Jack” Young said this morning that officials have no plans to pay the hackers, who are using what officials say is a new form of software known as Robbinhood. At least one other city, Greenville, North Carolina, was recently hit with the same software, also prompting a federal investigation.
“No, I will not pay a ransom to anybody,” Young said in response to a reporter.
Young and Johnson both stressed that public safety-related systems are operational, including 911 and 311. “And for now, if anyone needs to contact the city, the best way is to pick up the plain old telephone and give us a call,” Johnson said. “All of our phones are working.”
The ransomware attack also left city and county utility customers out to dry, leaving them unable to pay their water and sewer bills online. As a result, the Department of Public Works has suspended late fees until further notice.
Young said he’s considering putting municipal employees to work elsewhere if they stay locked out of their computers, including cleanup duty on city streets, one of his chief stated goals upon entering into the mayor’s office last week.
“If we are in this for longer than we anticipate, I will be asking city employees who really can’t do their work because of their computer systems, Would they be willing to go out and help us clean up the city?” he said.
The attack marks the second ransomware virus to breach city systems in just over a year. In March 2018, hackers shut down Baltimore’s 911 system for a day after breaching the city’s dispatch system for 911 and 311 calls.
Johnson said he could not comment on how often BCIT identifies and patches vulnerabilities, saying that detail is part of the federal investigation, but assured, “we have a very, very good capability.” He said there have been multiple assessments of Baltimore’s IT infrastructure since he arrived in 2017.
“Unfortunately, there’s a race between bad actors and the cybersecurity industry,” he said. “Once they know how to mitigate and keep bad things out, the bad guys go one step ahead of them, and we’re in this vicious race.”
This story has been updated.
