Please ensure Javascript is enabled for purposes of website accessibility

Cost of Baltimore ransomware attack so far: $18 million

Sheryl Goldstein

Sheryl Goldstein

Nearly a month after a ransomware attack crippled Baltimore government computer systems, only about 35% of city employees’ access is restored and the invasion has cost the city roughly $18 million.

The city’s technology department created a “safe environment” to start bringing systems back online, said Sheryl Goldstein, the mayor’s deputy chief of staff for operations, who is overseeing the recovery. It’s hoped that 90% of Baltimore’s 10,000 employees will have access to the city’s network by the end of the week.

“It’s within that safe environment that our computers are getting turned back on, that our email’s restored, and it’s within that environment that our applications and servers will be brought back once they’re secure and clean,” Goldstein said.

Mayor Bernard C. “Jack” Young, and several top officials updated reporters on the recovery progress on Tuesday at City Hall. They emphasized that the city is functioning and providing services despite the malware crippling the city government’s network.

Hackers took control of city computer systems, encrypting files, disrupting email and phone services on May 7. The hackers requested the city pay what amounts to between $75,000 and $80,000 in Bitcoin cryptocurrency in exchange for restoring the computer network.

“The federal investigators have advised us not to pay the ransom. The data shows you have less than a 50/50 chance of getting your data back if you pay the ransom, and even if you do pay the ransom you have to go within your system and make sure they’re out of it,” Goldstein said.

Many private companies and cities have suffered similar malware attacks and paid the ransom. Once access is returned, however, the data and applications are not always in great shape. In some cases putting the returned material back in working order was more expensive than the ransom.

It’s unclear how city computers were infected or what infected the network.  The New York Times reported late last month that the attack was undertaken with a malware weapon called EternalBlue. The malware was stolen from the National Security Agency, and according to the newspaper “dumped online in April 2017 by a still-unidentified group calling itself the Shadow Brokers.”

The NSA, headquartered a short drive away on the Baltimore-Washington Parkway, has tried to discredit the report.

Sen. Chris Van Hollen, Sen. Ben Cardin, Rep. Elijah E. Cummings, Rep. Dutch Ruppersberger, Rep. John Sarbanes and Rep. David Trone issued a joint statement on Monday following a briefing by the NSA on the cyberattack.

The federal lawmakers said they want to know who is responsible but dismissed reports the city’s been attacked by EternalBlue as conjecture.

“Yesterday, we heard that current evidence suggests the city’s network was infected via a phishing effort by malware known as RobbinHood. We urge against further speculation until the investigation is complete and look forward to sharing more as we learn more,” according to the statement.

Baltimore officials said they hope to complete a forensic investigation by next month. After the inquiry is finished city officials will discuss with law enforcement what information can be publicly released.

“We have a forensic investigation going on, we also have a criminal investigation going on, and we’re not able to disclose that information at this time because it’s part of an investigation,” Goldstein said.


To purchase a reprint of this article, contact [email protected].