“We won’t talk more, all we know is MONEY! Hurry up!” said the ransom note that confronted Baltimore, Maryland, officials on May 7, when hackers crippled government computers with a virus, taking the systems hostage.
The ongoing cyberattack has halted real-estate transactions and shut down Web sites for processing water bills and other services.
The horrors of ransomware — where cybercriminals break in, lock up computer data, then demand payments to restore access — have increasingly hobbled cities and municipalities across the globe in recent years.
The crisis in Baltimore, where officials have refused to pay the US$76,000 bitcoin ransom, follows similar incidents in Atlanta, Georgia; Newark, New Jersey; and San Diego and Los Angeles, California.
These cyberintrusions are expected to continue disrupting ill-prepared local governments and public services, with devastating financial impacts and potentially life-threatening consequences, experts said.
Any agency that depends on digitized records could be at risk, including emergency services, water utilities and other infrastructure, healthcare services, voting systems and public education.
“We have an exponentially increasing problem,” said Katie Moussouris, founder and CEO of Luta Security, which helps businesses and governments work with hackers to identify vulnerabilities. “We don’t have an exponentially increasing workforce. If we don’t see cities and towns ... start pouring a bunch of resources into hiring more people, we are going to see it happening over and over again.”
The mess in Baltimore has attracted particularly intense international scrutiny following a New York Times report suggesting the cybercriminals used a malware component that originated with the US National Security Agency.
The agency allegedly lost control of the tool, called EternalBlue, in 2017, enabling hackers to paralyze vulnerable towns and cities across the nation.
Security experts hope Baltimore’s ongoing crisis motivates municipalities to take these threats seriously. Baltimore leaders have estimated that the attack could cost at least US$18.2 million, from lost and delayed revenue and costs to restore infected systems.
Baltimore Mayor Bernard “Jack” Young has said the city would not pay the ransom, though at one point, he hinted he was considering paying it to “move the city forward.”
City agencies are especially ripe targets because they often maintain databases of vital and sensitive information while having constrained information security budgets and inadequate technological safeguards.
“Municipal governments and hospitals ... just don’t have the top cybersecurity out there, and the criminals know this,” said Jeff Kosseff, assistant professor of cybersecurity law at the US Naval Academy. “You can see loss of life happening if the hospitals are not able to function... What terrifies me is if it happens on a large scale.”
Disruptions to the functioning of ambulances, rescue squads, fire stations, waste collection and other services could all have serious human consequences, he said.
When a massive cyberattack hit the state of Colorado last year, the first step was to shut down 2,000 infected government workstations. The next task was more complicated: Figure out if people’s lives were in danger.
“That day one was brutal,” Colorado chief information security officer Deborah Blyth said, recounting the ransomware that afflicted the state transportation department and quickly sparked fears of harmful disruptions to traffic operations: “Right away, it was impossible to even understand the scope.”
In the coming years, cybercriminals will just repeat their attempts across governments until they find one that is vulnerable, University of Tulsa cybersecurity professor Tyler Moore said.
“Attackers have found a playbook that is working,” Moore said.
It is a playbook that remains profitable.
That is because some victims choose to pay, despite ethical concerns about capitulating to ransom demands and despite the fact that there is no guarantee of restored access. In some cases, paying bitcoins may be a cheaper and quicker resolution. One report suggested that cyberattackers have collected millions in ransom in recent years.
Even if major cities view Baltimore as a wake-up call and adopt reforms, “it wouldn’t shock me to see smaller cities roll the dice,” said Hannah Quay-de la Vallee, senior technologist at the Center for Democracy and Technology.
She said she was also concerned about educational institutions that have major budget challenges and systems with crucial personal data, such as students’ medical information and allergies and individual special needs plans.
The frustrating reality for information security leaders is that the technical solutions are known and easy to implement, if there is funding: Cities have to update their systems with available security patches and maintain effective data backups. Without patches, hackers can break in and demand money, and if officials do not have the data stored elsewhere, they have to choose between paying ransom or rebuilding systems.
“Those who are unwilling to pay the price to upgrade systems and people ... are going to pay the price one way or the other,” said Alan Shark, executive director of Public Technology Institute, which provides consulting services to governments.
Baltimore made the right decision refusing to pay, but the crisis could drag on for months as a result, Johns Hopkins computer science professor Avi Rubin said. “They don’t have a lot of the data... They are going to face a real challenge building up all the systems organically from scratch.”
In the Colorado attack, the malware hit the transportation department’s business services, but ultimately did not spread to road and traffic operations.
However, thousands of workers were forced offline, which meant the state had to communicate with employees by leaving printed handouts on their desks and scheduling conference calls, Blyth said.
The state eventually brought in the national guard to help.
Colorado has since adopted a range of new practices to prevent future attacks, Blyth said, adding that officials have thought through worst-case scenarios: disruptions to healthcare, prisons, emergency communications, traffic safety, fire departments.
“What if it was a broader impact — affecting multiple of those services at once?” she added.
Despite the challenges, Blyth remained confident that refusing the attackers’ demands was the right call. “We would not even think about paying the ransom. We didn’t want to contribute to what we knew was criminal behavior,” she said.
CONFRONTATION: The water cannon attack was the second this month on the Philippine supply boat ‘Unaizah May 4,’ after an incident on March 5 The China Coast Guard yesterday morning blocked a Philippine supply vessel and damaged it with water cannons near a reef off the Southeast Asian country, the Philippines said. The Philippine military released video of what it said was a nearly hour-long attack off the Second Thomas Shoal (Renai Shoal, 仁愛暗沙) in the contested South China Sea, where Chinese ships have unleashed water cannons and collided with Philippine vessels in similar standoffs in the past few months. The China Coast Guard and other vessels “once again harassed, blocked, deployed water cannons, and executed dangerous maneuvers” against a routine rotation and resupply mission to
GLOBAL COMBAT AIR PROGRAM: The potential purchasers would be limited to the 15 nations with which Tokyo has signed defense partnership and equipment transfer deals Japan’s Cabinet yesterday approved a plan to sell future next-generation fighter jets that it is developing with the UK and Italy to other nations, in the latest move away from the country’s post-World War II pacifist principles. The contentious decision to allow international arms sales is expected to help secure Japan’s role in the joint fighter jet project, and is part of a move to build up the Japanese arms industry and bolster its role in global security. The Cabinet also endorsed a revision to Japan’s arms equipment and technology transfer guidelines to allow coproduced lethal weapons to be sold to nations
Thousands of devotees, some in a state of trance, gathered at a Buddhist temple on the outskirts of Bangkok renowned for sacred tattoos known as Sak Yant, paying their respects to a revered monk who mastered the practice and seeking purification. The gathering at Wat Bang Phra Buddhist temple is part of a Thai Wai Khru ritual in which devotees pay homage to Luang Phor Pern, the temple’s formal abbot, who died in 2002. He had a reputation for refining and popularizing the temple’s Sak Yant tattoo style. The idea that tattoos confer magical powers has existed in many parts of Asia
ON ALERT: A Russian cruise missile crossed into Polish airspace for about 40 seconds, the Polish military said, adding that it is constantly monitoring the war to protect its airspace Ukraine’s capital, Kyiv, and the western region of Lviv early yesterday came under a “massive” Russian air attack, officials said, while a Russian cruise missile breached Polish airspace, the Polish military said. Russia and Ukraine have been engaged in a series of deadly aerial attacks, with yesterday’s strikes coming a day after the Russian military said it had seized the Ukrainian village of Ivanivske, west of Bakhmut. A militant attack on a Moscow concert hall on Friday that killed at least 133 people also became a new flash point between the two archrivals. “Explosions in the capital. Air defense is working. Do not