The Baltimore Ransomware Attack: A Look Back

Cyberattacks have become commonplace in today’s world. Most of these attacks never reach the news cycle, and, outside of the circles that monitor these occurrences, few people even know about them. However, when an attack targets a city in the United States—and does so successfully and viciously—all eyes are quick to focus on it. One such attack happened just recently. The government of the city of Baltimore fell victim to a ransomware attack which caused massive damage not only to its infrastructure, but also to the city’s reputation. This blog post will examine the Baltimore ransomware attack in detail in order to better understand how and why it happened as well as what can be done to protect you and your company from a similar attack.

Baltimore Ransomware: What Happened?

The incident that became known as the Baltimore ransomware attack occurred in May of 2019 when ransomware called “RobbinHood” infiltrated Baltimore’s servers. Ransomware is a type of malware (software designed to cause damage to a computer infrastructure) used to extort money from victims by threatening to either block their access to a system or release private data to the public internet unless a ransom is paid. By encrypting the victims’ files, these attacks make it nearly impossible to recover the data without actually paying the culprits the sum they request.

In Baltimore, the initial attack resulted in most of the city government’s computer systems being taken offline. Hackers demanded payment of 13 bitcoin (over $76,000) to restore their access to the internet. The note left by the hackers also threatened to increase the ransom within four days and permanently delete the data if their requirements were not met within ten days. The mayor of Baltimore refused to meet these demands. Whether or not this was a wise decision is yet to be determined.

The Consequences of the Baltimore Ransomware Attack

The attack had a significant negative impact on the Baltimore real estate market. Some 1,500 pending home sales were delayed when the system went down. Additionally, city officials had to introduce workarounds for people to be able to pay their water bills and traffic tickets, since the credit card system was knocked out as well. It is thought that the hackers may have leaked some private documents, and even phone lines were affected. Overall, every Baltimore city government department (except police, fire, and emergency response systems—either these were held to a higher security standard, or the attack was limited to avoid complete chaos in the city) was impacted by this cyberattack.

As of early June 2019, only a third of Baltimore’s government employees have had their computer access restored. The rest are still locked out. And, since baltimorecity.gov emails have been unavailable since the attack started, many employees resorted to creating Gmail accounts to circumvent that part of the problem. The mass creation of Gmail accounts triggered Google’s defense systems, which blocked those accounts in order to prevent spam or fraud. Later, when they learned about the attack, Google unblocked the accounts; however, this obstacle added another issue to the hailstorm of problems that Baltimore was dealing with at the time.

In the end, the estimated cost of the Baltimore ransomware attack was over $18.2 million. Some think this number might increase before all systems are restored.

How Was the Attack Conducted?

The malware used in this attack is a fairly new piece of software called RobbinHood. While most ransomware relies on spam to distribute itself, RobbinHood uses various other methods like hacked remote desktops or Trojans.

When RobbinHood is initiated on an infected computer, it immediately disconnects the computer from the network. Then, it stops all services such as antivirus protection and access to mail servers and databases. After clearing logs and disabling Windows automatic repair, it starts encrypting the files on each system. RobbinHood also creates ransom notes and accompanying documents explaining what has happened on every affected machine.

At the outset of the attack, it was believed that the RobbinHood ransomware was used along with EternalBlue, an NSA-developed self-propagating tool which targets Microsoft Windows operating systems. The EternalBlue code was leaked online in 2017 by an unknown person or group of people using the alias Shadow Brokers, and it has been used multiple times since then to execute extremely destructive cyberattacks all over the world. Russia’s NotPetya and North Korea’s WannaCry are two examples of attacks that ended up costing businesses and governments billions of dollars.
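
The pre-encryption steps described above (network disconnect, a burst of service stops, log clearing, disabling automatic repair) land on one host within a short time, which gives defenders something to alert on before files are encrypted. The following is an added example, not code from the original post: the command-line patterns, thresholds and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns for the behaviours the article lists;
# they are illustrative, not indicators published in the article.
PATTERNS = {
    "net_disconnect": re.compile(r"\bnet1?(\.exe)?\s+use\s+\*\s+/delete\b", re.I),
    "service_stop": re.compile(r"\b(sc|net1?)(\.exe)?\s+stop\s+\S+", re.I),
    "log_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I),
    "recovery_off": re.compile(r"\bbcdedit(\.exe)?\s.*recoveryenabled\s+no\b", re.I),
}
WINDOW = timedelta(minutes=5)
MIN_STOPS = 5       # one stopped service is routine admin work; a burst is not
MIN_BEHAVIOURS = 3  # distinct behaviour types required inside one window

def detect(events):
    """Take (iso_timestamp, host, command_line) tuples; return {host: behaviours}."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        kind = next((n for n, rx in PATTERNS.items() if rx.search(cmd)), None)
        if kind:
            per_host[host].append((datetime.fromisoformat(ts), kind))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1  # slide the window forward
            kinds = [k for _, k in hits[start:end + 1]]
            seen = set(kinds)
            if kinds.count("service_stop") < MIN_STOPS:
                seen.discard("service_stop")
            if len(seen) >= MIN_BEHAVIOURS:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed process-creation events (not real telemetry from the incident).
SAMPLE = [
    ("2024-01-01T09:00:00", "HOST-A", "sc.exe stop Spooler"),
    ("2024-01-01T09:40:00", "HOST-A", "wevtutil cl Application"),
    ("2024-01-01T02:00:00", "HOST-B", "net use * /DELETE /Y"),
    *[(f"2024-01-01T02:00:0{i}", "HOST-B", f"sc.exe stop Svc{i}") for i in range(1, 7)],
    ("2024-01-01T02:00:10", "HOST-B", "wevtutil cl System"),
    ("2024-01-01T02:00:12", "HOST-B", "bcdedit /set {default} recoveryenabled No"),
]
print(detect(SAMPLE))
```

HOST-A, where an administrator stops one service and later clears one log, stays quiet; HOST-B alerts as soon as the third behaviour appears inside the five-minute window.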

Baltimore Ransomware: Who is to Blame?

Baltimore City leaders were very quick to blame the NSA since EternalBlue, the tool which the NSA had managed to “lose,” was thought to be the distribution method for the RobbinHood malware. The NSA denied responsibility for the attack, claiming that Baltimore had more than two years to prepare for it by patching their servers. The NSA had warned Microsoft about the leak, and Microsoft had already patched the vulnerability exploited by the tool.

Later, it was discovered that the EternalBlue code was not actually contained in the Baltimore ransomware code, although there is still a possibility that it was used to help propagate the malware. 

We still don’t know exactly who conducted this attack. It will also take some time before we can access and analyze all of the details of this cybercrime.

Baltimore’s Lack of IT Security

Baltimore’s inadequate IT practices made them susceptible to this attack. The city did not have a centralized technology budget, and they chose not to spend money on cyberattack insurance. 

More importantly, Microsoft released the security patch that would have blocked this attack back in 2017. The weakness exploited by the hackers is only present on machines running Windows software that is two years out of date. The city of Baltimore should never have allowed their staff to be using this software in the first place. Baltimore should have been better prepared. Hopefully, they have learned from their mistakes—and we can too.

The Ever-Growing Need for Regular Backups

There is no reason not to have a proper backup system in place when running any kind of business, let alone a city’s entire governmental infrastructure. If the city of Baltimore had backed up their data safely, they could have restored all the lost data fairly quickly. Sure, there would still have been some system downtime, but the amount of time and money lost would not have come close to the impact this attack had.

Given today’s easy access to public clouds like AWS, it is easier than ever to have your data securely stored away. Systems like AWS GovCloud, a region designed specifically for those who need to meet special requirements and compliance standards, are utilized heavily by various government agencies and departments for security purposes. Baltimore and other unprotected cities, states, and public agencies should consider implementing these going forward.

The Best Ammo to Disrupt Ransomware: take regular backups and have a rapid DR plan in place

Having a cloud backup and a cloud disaster recovery plan in place before ransomware hits is the only foolproof way to keep control of your data without giving in to demands. Backup and disaster recovery also protect your organization from a host of other disaster scenarios such as human error, malicious insiders, weather, AWS region outages and bugs. N2WS Backup & Recovery provides Enterprise customers with flexible recovery along with the flexibility to perform both cross-account and cross-region backup, which is essential in protecting your mission-critical data. You can trial N2WS Backup & Recovery, which is fully functional and free for 30 days.


Looking back at this costly, painful, and embarrassing mistake, it is quite clear that its cause is Baltimore’s failure to protect itself. This is shocking, considering that the cities of Atlanta and San Antonio were also recently hit with ransomware attacks—events that should have alerted all cities’ governments to their vulnerabilities. Regardless of Baltimore’s budgetary constraints, their IT staff should have patched their servers. They should now know to keep secure backups walled off in order to recover from any kind of attack.

Whether or not Baltimore has learned from its mistakes, we have all been provided with a reminder of what can happen when security is ignored.
