8 days after cyberattack, Baltimore’s network still hobbled

BALTIMORE (AP) — More than a week after a cyberattack hobbled Baltimore’s computer network, city officials said Wednesday they can’t predict when its overall system will be up and running and continued to give only the broadest outlines of the problem.

Baltimore’s government rushed to take down most computer servers on May 7 after its network was hit by ransomware. Functions like 911 and EMS dispatch systems weren’t affected, officials say, but after eight days, online payments, billing systems and email are still down. Finance department employees can only accept checks or money orders.

No property transactions have been conducted since the attack, exasperating home sellers and real estate professionals in the city of over 600,000. Most major title insurance companies have even prohibited their agents from issuing policies for properties in Baltimore, according to the Greater Baltimore Board of Realtors.

Citing an ongoing criminal investigation, Baltimore’s information technology boss Frank Johnson and other city leaders said Wednesday they could provide no specifics about the attack from the ransomware variant RobbinHood or realistically forecast when the various hobbled layers of the city’s network would be back up.

“Anybody that’s in this business will tell you that as you learn more those plans change by the minute. They are incredibly fluid,” said Johnson, stressing that city employees, expert consultants and others were working “round the clock” to mend the breached network.

The FBI’s cyber squad agents have been helping employees in Maryland’s biggest city try to determine the source and extent of the latest attack.

Johnson’s tenure has now included two major breaches to the city’s computer systems. This month’s problems come just over a year since another ransomware attack slammed Baltimore’s 911 dispatch system, prompting a worrisome 17-hour shutdown of automated emergency dispatching. The March 2018 attack required operating the critical 911 service in manual mode.

Johnson is one of the city’s highest paid employees, earning $250,000 a year. That’s more than the mayor, the city’s top prosecutor and the health commissioner are paid. This latest attack came about a week after the firing of a city employee who, the inspector general said, had downloaded thousands of sexually explicit images onto his work computer during working hours.

While all municipalities are menaced by malware, cybersecurity experts say organizations that fall victim to such attacks often haven’t done a thorough job of patching systems regularly.

Asher DeMetz, lead security consultant for technology company Sungard Availability Services, suggested that eight days was a long time for a network to remain down.

“The City of Baltimore should have been prepared with a recovery strategy and been able to recover within much less time. That time would be dictated by a risk assessment guiding how long they can afford to be down,” DeMetz said in an email. “They should have been ready, especially after the previous attack, to recover from ransomware.”

City Solicitor Andre Davis said Baltimore was working “hand in glove” with the FBI, Microsoft officials, and expert contractors that he and other officials declined to identify. Before TV news crews, Davis likened the cyberattack to a brutal assault, a comparison that many residents can clearly understand in a city struggling to bring down one of urban America’s highest rates of violent crime.

“My preferred way of thinking about it is: The city network was viciously assaulted by a culprit and seriously injured,” Davis said. Baltimore’s top lawyer portrayed the city network as an injured patient who has emerged from the ICU and faces a “long course of physical therapy.”

Baltimore authorities, who hope to prosecute the culprit behind the latest attack, said they were in close contact with counterparts in Atlanta. Last year, a ransomware attack significantly disrupted city operations there and caused millions of dollars in losses. In December, two Iranian men already indicted in New Jersey in connection with a broad cybercrime and extortion scheme were indicted on federal charges in Georgia related to that ransomware attack demanding payment for a decryption key.

It’s not clear what culprits are demanding from Baltimore’s City Hall.

“We’re not going to address or discuss in any way the ransom demand,” Davis said.