5/14/2019 04:30 PM

Baltimore Ransomware Attack Takes Strange Twist

Tweet suggests possible screenshot of stolen city documents and credentials in the wake of attack that took down city servers last week.

A mysterious and newly created Twitter account on May 12 posted what purports to be a screenshot of sensitive documents and user credentials from the city of Baltimore, which was hit late last week by a major ransomware attack.

Researchers at Armor who have been investigating the so-called Robbinhood ransomware used in the attack on the city discovered the post. They say it could be from the attacker, a city employee, or someone else with access to the documents — or it could simply be a hoax. The city is still recovering from the May 7 attack, which has disrupted everything from real estate transactions awaiting deeds and bill payments for residents to services such as email and telecommunications.

Ransomware attacks typically are all about making money: Attackers demand a fee to decrypt victims' files they have accessed and encrypted. Whether the tweet came from the attackers trying to put the squeeze on the city to pay up or threatening to abuse the kidnapped information is unclear.

City officials previously have said they have no plans to pay the ransom. "I think the mayor was very clear: We're not paying a ransom," said City Council president Brandon Scott in an interview yesterday on a local CBS affiliate.

Eric Sifford, security researcher with Armor's Threat Resistance Unit (TRU), discovered the Twitter post appearing to taunt or threaten Baltimore officials. He says he's not sure whether the tweet came from the actual attackers. "They are trying to make a statement ... and to show that they not only were able to encrypt major portions of network of the city .... but they have a lot of internal access," as well, if the documents in the screenshot are legitimate, Sifford says.

Armor today will post a blog with an obfuscated shot of the tweet and account to ensure the City of Baltimore gets the chance to change the posted usernames and passwords if, indeed, they are legit.

Dark Reading has viewed the full Twitter account and post but is only publishing the obfuscated information.

Meanwhile, the Robbinhood attackers in their ransom note demanded $17,600 in bitcoin per system — a total of about $76,280, according to analysis by Armor. The bitcoin wallet for the ransom for the city had not been used at this time, the researchers say, indicating the city has kept its vow not to pay.

Most of Baltimore's servers were shut down as officials investigated the attack last week, but its 911 and 311 systems were not hit, according to reporting by The Baltimore Sun. When the attack was spotted, employees at City Hall were told to unplug Ethernet cables and shut down their computers and other devices to stem the spread of the malware, Baltimore city councilman Ryan Dorsey told the Sun.

Efforts today to reach some Baltimore city officials, including the office of the city's newly named mayor, Bernard C. Jack Young, were unsuccessful in several cases, in part because email is down for many employees, and several departments are instead using Google Voice voicemail to get messages.

A spokesperson for Baltimore City Council Member Zeke Cohen, whom Dark Reading was able to reach, said Cohen's office did not have any information on the tweet, nor could it verify whether the information and documents in the screenshot came from the data encrypted by the ransomware attackers.

Security expert John Bambenek, director of cybersecurity research at ThreatStop, says the tweet looks relatively legitimate. "Either someone spent real effort trying to find documents from public sources or it's our guy. Either way, he just put himself on the menu for the FBI if he's not," Bambenek says.

'Hurry Up!'
Armor said the Robbinhood ransom note also warns the city not to call the FBI, or risk the attackers going away and leaving the files encrypted. "We've watching you for days and we've worked on your systems to gain full access to your company and bypass all of your protections," the ransom note said, specifying payment within four days or the fee would increase. After 10 days, the data would no longer be recoverable, the note said, according to Armor.

"We won't talk more. All we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!" the note read, according to Armor.

The same ransomware recently hit the city of Greenville, N.C., as well as several power companies in India last month, according to the security firm.

Meanwhile, Baltimore's ransomware attack is one of 22 against state and local government entities so far in 2019, Armor notes. Other victims include Washington, Pennsylvania; Amarillo, Texas; Cleveland Airport, Cleveland, Ohio; Augusta City Center, Augusta, Maine; Stuart, Florida; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Jackson County, Georgia; Schools System of Taos, New Mexico; Del Rio, Texas; Atlanta, Georgia; and Leominster, Massachusetts.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
cdhpl,
User Rank: Apprentice
6/9/2019 | 6:12:38 AM
Re: And again and again.............
This is a news site and your blog theme is nice.
REISEN1955,
User Rank: Ninja
5/15/2019 | 3:49:55 PM
And again and again.............
Disaster Recovery Plan ----- ever hear of one?  Continuity?  Plan?  Restoration protocol?  That big binder when everything goes down and has to be restarted in precise sequence?  Or just wing it and hope the servers stay up all of the time.  Seems to be the latter all of the time.  Sad, so sad comment on our trade.