Lessons from the RobbinHood ransomware attack on Baltimore

Author: Satta Sarmah Hightower

The RobbinHood ransomware attack that incapacitated Baltimore in May 2019 proved just how vulnerable municipal government systems are to malware. But awareness of the problem is only half the battle.

How does RobbinHood ransomware work?

RobbinHood is an especially sophisticated piece of ransomware—a type of malware that essentially holds a computer or computer system hostage. First, hackers infiltrate a system, usually through a phishing scam but sometimes through social engineering, security vulnerabilities or a brute force attack. Once inside, hackers encrypt files and leave a ransom note demanding payment—usually in Bitcoin—for a key that restores access. Because decryption keys are usually extremely difficult to recreate, some organizations pay the ransom to retrieve their data or get their systems back online.

RobbinHood is extremely powerful: Some cybersecurity experts think that replicating its decryption key is impossible. And it's extremely malicious: It exploits a vulnerability in Microsoft code that tricks Windows into disabling security processes before allowing attackers to take control of a system and encrypt its critical data.

Any business or organization can be hit by a ransomware attack. Governments, though, are particularly vulnerable to ransomware attacks because they often use legacy systems that lack the advanced security capabilities to meet increasingly sophisticated security threats.

What happened in Baltimore?

The RobbinHood attack caught Baltimore off-guard and crippled the city's online systems, which used aging hardware and unpatched software. Essential services were unaffected, but the attack rendered many civic services inaccessible. The city was able to take most of its servers offline safely, but not before the attack paralyzed Baltimore's voicemail, its email and an online system used to pay water bills, property taxes and traffic tickets.

Hackers demanded 13 Bitcoins—worth about $76,000 at the time—to restore access to the city's systems. Mayor Bernard Young refused to pay. It took the city several weeks to restore and rebuild its servers, and several months to fully recover from the attack. The city spent $4.2 million on recovery efforts in the first three weeks after the attack; city budget officials estimated that the total cleanup cost could reach north of $18 million, including more than $8 million in potential lost or delayed revenue. And the city was criticized for having an unsustainable system with no plan in place to deal with cyber catastrophes.

How can businesses defend against ransomware attacks?

Municipal governments are still figuring out how to prevent attacks of this nature. In June, barely a year after RobbinHood crippled Baltimore, the city of Knoxville, TN was compromised by a ransomware attack that experts suspected could be traced to an email opened by a city employee.

Businesses facing similar threats can combat ransomware attacks by employing robust incident response services that include proactive security assessments, incident response planning expertise and round-the-clock threat intelligence and monitoring.

In addition to enlisting a managed services provider to enhance their security capabilities, organizations can take basic actions to strengthen their security posture, such as ensuring that their security systems are updated and strengthening access management for the remote desktop protocol (RDP), which IT teams use to diagnose issues remotely. Ongoing cybersecurity training can also help employees avoid falling victim to the email phishing scams that give hackers access to their systems in the first place.

Learn how the Verizon Rapid Response Retainer service can help proactively manage your ransomware risk.

The author of this content is a paid contributor for Verizon.