Should Baltimore Pay Ransom to the Hackers Holding City Computers Hostage?

The city’s systems have been down since May 7, with no end in sight.

Baltimore's city computers are still down.

They've been down since May 7, when the city learned that the ransomware known as RobbinHood had infected many of its computer systems and encrypted their files. To restore the data, the city was given four days to pay three Bitcoins—about $23,000 at today's prices.

The city did not respond by the deadline. So the ransom increased to 13 Bitcoins—about $100,000—with a new deadline of May 17.

Baltimore again refused to pay. The second deadline also passed. Predictably, computer chaos continued. The city's email, voicemail, and some websites were down. Its online bill payment system was offline and a database of parking fines was inaccessible. Permits could not be issued, text alerts could not be sent, and real estate transactions, including home sales, could not be processed.

The news isn't all bad. Baltimore is also having problems collecting property taxes, giving financially strapped homeowners a few extra weeks of tax relief. The city also couldn't update its controversial "gun offender" registry, which requires anyone convicted of certain firearm-related crimes to register with the police commissioner for three years. (Among the crimes requiring registration: carrying a handgun without a permit, manufacturing unapproved handguns, and possessing "assault pistols." Baltimore has proven more diligent at curbing Second Amendment rights than at securing its Windows PCs.)

Should the city pay the ransom? Mayor Jack Young, a Democrat, was firmly against the idea at first. "That's just like us rewarding bank robbers for robbing banks," he told the press. "No, we're not going to pay a ransom."

But now the mayor is signaling some flexibility. Asked again this week about whether Baltimore would pay the ransom, Young told the interviewer: "To move the city forward I might think about it."

If Baltimore were a private company, with its annual budget of around $3.5 billion, it likely would have paid the modest ransom of three Bitcoins to recover its computers (and then secured its systems to prevent a repeat). "Many consumers opt to pay rather than lose their precious photo and video memories, financial records, and other files they value," an F-Secure report says. A ProPublica article last week revealed that outside consultants hired by victims often just pay the ransom (sometimes negotiating discounts or extensions for their clients).

Even the FBI has endorsed this approach. "To be honest, we often advise people just to pay the ransom," the assistant special agent in charge of the FBI's cyber program said at a Boston security conference, according to The Security Ledger. The bureau endorses the payoffs, the agent said, because "the ransomware is that good."

But when the computer systems held hostage belong to the government, a different set of standards seems to be applied.

A Slate article this week argues that it's "ethically" a "bad idea" for Baltimore to pay the ransom. "Public entities, like city governments and police departments, have a particular responsibility to protect the public good by doing the slow, hard, expensive work of restoring and securing their systems rather than taking the easy way out—which will, in the end, only make everything harder," the author says. A Baltimore Sun editorial echoes this view, saying the city "shouldn't pay the ransom to end the City Hall hack."

This argument suggests that public officials must act more "ethically" than the private sector—that is, they should set a virtuous example for the rest of us to follow.

If we're given a choice between a government that's virtuous and one that's not, most of us would reasonably choose the former. But in Baltimore, that ship may have sailed long ago. This is the city where a squad of police officers took, in the words of The New York Times, "every opportunity to rob those they were supposed to be policing or protecting, and barely bothering to cover up their deeds." One supervisor instructed officers to carry a toy gun in case they found themselves "in a jam" and needed to plant one. Baltimore's previous mayor, Catherine Pugh, quit earlier this month amidst a bizarre scandal involving $700,000 in payments from city-linked businesses for her self-published children's books; Maryland's governor has asked for a criminal investigation.

Whatever Baltimore decides, it's not alone. Cloud security company Armor reports that so far this year, there have been 22 known ransomware attacks against state and local governments. The affected municipalities include Amarillo, Texas; Augusta, Maine; Imperial County, California; Garfield County, Utah; Greenville, North Carolina; Albany, New York; Atlanta, Georgia; and the Cleveland Airport. A recent ransomware analysis conducted by Recorded Future, a real-time threat intelligence firm, suggests that 45 percent of all public and private organizations targeted by such attacks pay the ransom, but only 17 percent of state and local governments did.

Baltimore could have been better prepared: Its 911 dispatch system was taken offline in March 2018 in what turned out to be a ransomware attack. But even after that experience, Baltimore neglected to purchase an insurance policy to cover cybersecurity incidents. A Sophos Naked Security report says that the city council was told "last year at a budget hearing that the city needed one, but it didn't happen." Instead, Young—then the council president, now the mayor—called for a feasibility study for a municipal-run broadband network. (Given Baltimore's evident technical expertise, this could only end well.)

For now, at least, Baltimore is experimenting with manual workarounds for transactions typically done electronically. The city has declined to say how long it will take for services to return to normal, though most guesses say it will be at least a few more weeks. The mayor's most recent press release offers no details, instead saying laconically: "I am not able to provide you with an exact timeline on when all systems will be restored."

  1. I would not recommend paying the ransom. What I would recommend is firing the IT Director and hiring a systems engineer who can create a backup regimen that protects you against these unfortunate incidents.

    1. Yes, this. You also need to invalidate accounts and stuff, because you’ve probably lost some passwords to the blackmailers.

      And the new IT director needs the authority to fire any Baltimore employee who does not follow security rules. No surfing for porn, no installing browser bars, etc. I don’t give a shit if it’s the mayor.

      1. Don’t you think that $23,000 is a small price to pay? I don’t know about municipalities, but private companies rarely have recurring ransom hacks because they better prepare after the first.

        1. It’s a small monetary price to pay but as a network engineer for a large global manufacturing company, the thought of being on the phone with a stranger in India and putting in decrypt keys into my servers to get my data back worries me greatly. And what guarantee do you have that you’ll get your data back?

          My opinion is you take your lumps and learn from the experience. Only in the most extreme circumstances would I entertain paying the ransom.

          But yes, if you had an ironclad guarantee you’d get your data back without introducing any unknown secondary effects onto your network, then $23,000 is a pittance.

          1. I just mean that the government doesn’t need to abide by a seemingly arbitrary “no negotiation with terrorists” moral standard in this case.

            1. Shit. That’s hilarious. Any pol who paid ransom would be crucified. It’s been that way since the 80’s.
              And it’s not arbitrary: it was done back when there was a rash of kidnappings and hijackings, and the idea is that you get more of the behavior that you reward. It also worked: kidnappings by terrorist groups plummeted. Now they just kill the hostages.

              1. But why is this a standard held only to the government?

            2. The “no negotiation with terrorists” isn’t an arbitrary moral standard. If people like these find they make money from it, you’ll get more of it. What this does show, is how incompetent the government IT staff is. Backup of your data to a tape on the shelf or in the tape library is so basic, there should be inquiries into why it wasn’t done.

              And consider, why can’t the city issue permits and why can’t people sell real estate without the city involved? My experience is the county government is the one responsible to keep the real estate property records. They can always go back to the physical system that existed before computers. And aren’t those physical records kept?

          2. You’d pay the money. For any enterprise level systems it is way cheaper to pay 20 grand than it is to restore from backup. Being down for even one day costs way more than that.

            When I was in charge of IT for a midsized company, it cost us a quarter million per day if our systems were down. Down a week without an alternative and we’d default on 4.5 billion dollars worth of assets.

            We had live, real-time failover for every critical system. And nobody outside of IT could put a thumb drive in a USB port and corrupt anything important. Not even the CEO (ok, particularly not the CEO).

            An operation the size of Baltimore should be a lot more robust than they are. And they shouldn’t have their head up their rear end. They are the government – they can expend as much as they want chasing these assholes down after they are back up.

            But government is one screwed up set of incentives. Someone upthread mentioned that they were warned about their security – specifically about ransomware – and chose to do nothing. Because their costs are not their costs. And their productivity is not going to a bottom line of any sort – in fact, being more productive means less power – because you have less employees, less union members voting for you, etc.

            When the IRS had their email issues with phantom hard drive failures and .PST files, I couldn’t believe that an organization of that size was run that incompetently. Baltimore just gave them the government version of “Hold my beer!”

            1. For any enterprise level systems it is way cheaper to pay 20 grand than it is to restore from backup.

              Bullshit. Paying that 20 grand means that perps will take you down over and over until you clean up your security, which you still need to do anyway.

              -jcr

              1. I’m sure that just the parking tickets in the database are worth way more than 20k. Sure, fix the system, but they want their data back, and it’s really stupid that it’s not backed up.

              2. “Once you pay the Danegeld, you’ll never be rid of the Dane.”

            2. What do you expect from a bunch of poorly-educated Democrats?

          3. There is no guarantee, but if the hackers fail to restore the data, no one else is going to ever pay. It is in their interest to see the data is gotten back.

            1. You make it sound like all the hackers know each other. If there are thousands of rogue groups, they don’t have much incentive to deliver what they promise, or not to install new malware when they do.

              Don’t pay. Start over.

            2. It is, indeed, against a ransomware flogger’s interest to follow through properly if the ransom is paid. That encourages the victim to treat the event as a “one-off” and skip the absolutely necessary and very expensive work to secure the network and systems. That, of course, leaves the victim open to future demands.

              1. Did you mean “IN a ransomware flogger’s interest”?

    2. I haven’t read the full story yet, but it’s highly possible that Baltimore refused to pay for a robust disaster recovery system. Elected leaders may be who needs a visit to the proverbial chopping block.

      1. If Baltimore had adequate off-line backups they probably would have been able to wipe the affected systems and resume business by now. That they cannot says a lot about their information assurance practices and disaster preparedness.

      2. Preet was fired a few years ago, dude, you don’t have to insert “proverbial”.

    3. Has anyone considered the possibility that it’s the IT department behind the ransom hack?

    4. Hackers like these should be summarily executed. After being subject to torture. Libertarian principles need not apply to these parasites.

    5. Exactly. Back when I was at my first sysadmin job, a good friend of mine used to say that a sysadmin needs to do two things: read manual pages, and make good backups. Everything else flows from that.

  2. Its online bill payment system was offline and a database of parking fines was inaccessible.

    A tragedy for the people of Baltimore, to be sure.

    1. and this is what they mean by “city services”?

  3. Sigh. What you do, Baltimore, is cut your losses. Disconnect your systems from the networks. Reinstall all operating systems, restore data backups. CHANGE ALL YOUR FUCKING PASSWORDS! Invalidate all user accounts. Yes, it’s a pain. But better than letting some criminals, I mean criminals other than the politicians, run your city.

    This stuff may flummox the elder lady unsure about computers, but if it’s flummoxing your IT department, fire them immediately and get people with a brain.

    Again, yes it will be a pain. But it’s not blackmail. They do NOT have you by the short and curlies. Immediately turn off your machines, invalidate all accounts and passwords, and restore the software and data. It’s expensive and aggravating, but not nearly as expensive and aggravating as paying the ransom to some paper tigers.

    And then get yourself a competent security officer.

    1. restore data backups.

      Per my note above, it’s possible their backups were online and were encrypted by the ransomware as well. If you don’t keep historical backups offline in some mode– either air gapped or in a very secure DMZ, then you’re proper fucked.

      1. Ugh. I thought it was standard procedure to keep backups offline and offsite.

        1. It’s Baltimore, Brandybuck… Baltimore.

        2. It is in organizations with competent employees. This is city government, so don’t hold your breath.

          -jcr

          1. Quite a few organizations with competent employees have management that considers information technology “not our core business” and denies adequate funding. Proper backup operation and management is not cheap, and is rarely needed. It is likely to be seen as a costly item to be eliminated, and not missed until a disaster requires it. The management mindset here is not much different from NASA’s when it was noted that O-rings in the space shuttle solid rocket booster leaked a bit under stress.

            1. This is sooooo true.

              It takes a disaster to wake up the board.

              We had an ice storm that took down our office for a week – no power to the building at all. We didn’t have power backup – and the ice took down a bunch of really big trees that blocked the access road.

              After that event I was able to get some expensive batteries and some offsite failover capabilities.

              Years later we were down for a hurricane. Power out for a week plus. I had full failover capability in place and we shipped critical employees to a facility in another state where I was able to set up phone and data access for them after 48 hours.

              After that I was able to get the budget for a generator that was able to run the entire business, contracts with emergency office space providers, double offsite failover capability for all systems and a fully redundant telephony system. The next two hurricanes that took our area down didn’t even register as a blip. We even had contracts in place to deliver fuel for the generator, so we didn’t have to stand in line waiting for fuel.

              But absent those disasters and near disasters, I never would have gotten a penny.

              And for data security – we put a bunch of stuff in place to prevent people from stealing our extremely valuable data (hundreds of millions of dollars worth to the right buyer) – but I didn’t win the argument on the real way to enact security. We were hardened against hacking – but still undoubtedly vulnerable against determined attackers in some way. But it would have taken an extreme level of sophistication and intricate knowledge of our proprietary in-house systems.

              Meanwhile, you could just drive up to the back door, knock it in with a sledgehammer, knock a hole in the wall to the data center, thereby bypassing all that physical access security system stuff, and walk out with the backup tape robotic deck and the hard drives from the SAN…. all in less than 5 minutes.

              Nobody ever took that threat seriously, even though if you were going to steal our database, this was by far the easiest way to do it and the least likely to get you caught, if you were careful and quick.

      2. I actually was able to get an off-network terminal approved at work recently that’s basically acting as a glorified storage drive and primary backup for my files. All I do is just switch the monitor cables and copy updates from my main folders to it on a regular basis.

    2. But better than letting some criminals, I mean criminals other than the politicians, run your city.

      Citation missing.

      As a libertarian, I am firmly of the belief that government will generally make a problem worse. If a problem is bad enough, people are capable of doing cost/benefit analysis and figuring out how to solve problems on their own in a cost-effective manner. If they turn to government to solve a particular problem, it’s because they’ve done the cost/benefit analysis and decided it’s not worth it – but if they’re getting free money from the government….well, suddenly money is no object. Therefore, the main reason (modern, paternalistic) government exists is to solve problems that people don’t consider worth solving. And some people wonder why government doesn’t seem to work very well – it’s been given a logically impossible task.

      “None of us individually can afford adequate health care, but if we pool all our money together we can collectively afford adequate health care for all”, says Bernie Sanders. It’s like the old guy at the 10% off sale asking if it’s 10% off each individual item or 10% off the total because that makes a big difference. No, you moron, math does not work that way.

      1. +infinity. 🙂

      2. “Therefore, the main reason (modern, paternalistic) government exists is to solve problems that people don’t consider worth solving.”

        Pithy – and worthy of a bumper sticker

        1. Not to limit it to bumper sticker worthy, just that it’d make a good one

  4. back to gaslights and cobblestones, Baltimore

  5. Perhaps ransomware attacks would decrease if victims contributed to a fund to hire hitmen…

    1. Just track where the ransom bitcoins are spent.

    2. Nuke India.

    3. When these people are caught, torture and kill them.

  6. Baltimore is also having problems collecting property taxes, giving financially strapped homeowners a few extra weeks of tax relief.

    Guarantee you that fees and fines still accrue.

  7. This argument suggests that public officials must act more “ethically” than the private sector

    We should all follow the example set by the city of Chicago.

    1. the argument suggesting they must act less ethically rings more true to them

  8. More like a bank robber robbing Hitler.

  9. “If we’re given a choice between a government that’s virtuous and one that’s not, most of us would reasonably choose the former.”

    Not according to the way people vote. Every bad politician was elected, many reelected.

    1. “My guy’s great. It’s all the other pollies that are the problem.”

      1. Exactly.

    2. The question is have we actually ever been given that choice?

      1. The choice has almost always been between a shit sandwich or douchebag. This is why their abilities should be greatly limited.

        1. Well if I could change one thing about US voting (actually, two things):

          1. A winner has to get at least 50% of all registered/eligible voters, not just a majority of votes cast. Otherwise, try again.

          2. Periodically, all voters get to vote yes or no to retain all the elected officials as a group (and those tossed out are ineligible to run again).

          1. I get the theory, but I think both would just end up giving even more power to unelected, career bureaucrats

            1. And cheating progtard democrats.

          2. I’d prefer making voter registration markedly more difficult than it is currently. Do that and a lot of problems will get improved.

            1. Or a minor flogging to get to vote. Ensures only people with strongly held positions on a topic vote on it.

              1. Only property owners get to vote. Or at least their vote counts x3.

    3. The most virtuous people are the ones you least want running your life. “Do unto others as you would have done unto you” is a terrible rule at the BDSM club.

      1. Indeed.

      2. This has always been my objection to the golden rule

      3. CS Lewis said it best, “It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron’s cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience.”

  10. “Slow, hard, and expensive work.” Well, slow and expensive anyway.

  11. No, you don’t pay. You fire the IT guy and hire someone who knows how to secure systems. Then you institute rules and policies that fire people who introduce non-official software into the system.

    We had a guy who brought his phone into the vault where I work. Security clearance suspended for a few months and since he couldn’t work, he was laid off. Idiot. And the phone? It was put into a bag and smashed with a hammer. It’s in a zip-loc bag taped to the front door as an object lesson.

    1. Ransom payment, or not, is a minor issue. Even after paying it, and even if it gets the data back, it is temporary. It does not fix the underlying problem. After a major penetration the only truly safe action is to replace every single piece of computer equipment in the network and reinstall every application from either verified backups (if they have them – it appears Baltimore may not) or new media, and procure and install adequate network and device protection and intrusion detection. And even then pray that the replacement hardware and software supply chain is uncompromised. Cities probably are not nation-state targets, but accidents happen. Baltimore might reasonably skip hardware replacement, but if they are like many public and private organizations it probably is due for replacement anyhow, based on age and length of service.

      To those who recommend beginning with a purge: it is entirely possible, maybe even likely that the “IT guy” (who might well be a woman) is less the problem than the elected officials who controlled the purse strings when they still had some. Firing someone who may have extensive and deep knowledge of the systems could be the least intelligent of all possible beginnings. Hiring a consultant, if a good one can be found, is a requirement, however. The existing staff probably knows a lot about the systems in place, but is likely to know much less about their vulnerabilities and those of the network that supports them. An outsider with a different and more comprehensive perspective should be able to fill those gaps.

      IT and its management and staff usually are thought of as cost centers and often subjected to budgetary constraints that tighten by 5% to 15% annually. As a consequence, they often are understaffed to the point where even essential work is deferred or canceled. Purchase of enterprise software, including what is necessary to protect systems, is subject to lengthy review and economic analysis to ensure cost effectiveness and reduce or eliminate waste. Requirements often are modified to prevent interference with “user experience,” resulting in less effective protection. (An example is HTML email, allowing easy forgery of bogus email and embedded links that when clicked infect the system with malware or collect user identification and authentication details – ask John Podesta how that works).

      The bottom line is that computer and network security is serious, expensive, essential to any modern organization, and commonly hogtied in practice. When a network is penetrated and seriously impaired, ransom payment is at best a beginning of a major project. The rest of the necessary work is likely to cost orders of magnitude more than the ransom. The risk of paying ransom for at best temporary relief is that those who control the money – in this case the mayor and council – will think of it as a solution to the problem, rather than a temporary expedient, and fail to authorize the work necessary to (probably) prevent future occurrences.

  12. Didn’t they figure out that Bitcoin transactions aren’t anonymous, and stick around forever? Pay the coin, and dig into the blockchain ledger…

    1. And when they trace the originating IP to a former KGB building in Estonia?

      1. Cruise missile.

        1. Overkill. Surely there are hitmen in Estonia. They might even accept payment in bitcoin.

  13. Baltimore is about as fucked up as polio…and I thought Chicago was bad.
    Chicago has nothing on Baltimore.

  14. Damn shame they did not kidnap the actual city government, and not just the city IT resources. I suspect a majority of Baltimore residents would pay money NOT to get them back.

    1. I’d pay to see them go back to pencil and paper. They’d be less dangerous in every conceivable way.

  15. Paying is the second stupidest thing they can do.

    -jcr

  16. Some brave soul should infect a city or corporation with ransomware and then, when paid, renege on the deal.
    One or two prominent breaches of trust like that, and ransomware will cease being effective.
    Source: 9/11 (has there been a successful hijacking since?)

    1. One or two prominent breaches of trust like that, and ransomware will cease being effective.

      Around 50% of ransomware attacks that are paid never get the decryption key.

    2. Hijackings were already extremely rare and even more rarely successful long before 9/11. All that did was make an already rare event a bit more rare.

      The heyday of hijackings was the 1960’s and ’70’s

    3. The most effective thing to do would be to publicly execute the hackers. Do that a few times and the problem is solved.

  17. Why target a depressed city? I feel bad for the people stuck buying homes in Baltimore that cannot proceed because of this.

    1. *does bad Karl Marx impersonation*
      I feel worse for the ones selling.

    2. It’s like why steal that 94 Accord. Because you can, easily. Just like lame-ass Baltimore.

  18. I refuse to feel bad for a city government having its servers hacked, especially Baltimore. Computer technology has only served to accelerate the speed at which people have their rights violated. There is a dehumanizing aspect to having a computer tabulate and automatically bill you into eternity for any offense they can dream-up involving a piece of tech they can set on autopilot. The city isn’t any less efficient for not having their computers. In fact, it may result in a kinder, saner government, if only because the in-born laziness of government employment will strip much of the incentive from employees to manually harass people endlessly, the way a computer can. Go back to carbon paper and pencils, Baltimore. The city could only improve from it.

  19. “The city also couldn’t update its controversial “gun offender” registry, which requires anyone convicted of certain firearm-related crimes to register with the police commissioner for three years. (Among the crimes requiring registration: carrying a handgun without a permit, manufacturing unapproved handguns, and possessing “assault pistols.” Baltimore has proven more diligent at curbing Second Amendment rights than at securing its Windows PCs.)”

    How dedicated to shitting on the Constitution can they be if they’re not willing to pay $23,000 to continue to do so?

  21. Something something Danegeld…

  22. Baltimore has had Democratic mayors since 1968.

  24. Tell those demanding ransom to take a number as if it were the DMV. They will die of old age before their number is called.

  25. I don’t think hackers should get any penny from Government, they should be tracked down and punished. We also need to be safe by understanding these website security threats so that this might never happen with us.
