Baltimore and the RobbinHood ransomware | Stormshield

Since the beginning of May, computer networks in the city of Baltimore (United States) have been paralyzed. This was due to a ransomware attack that locked down the government's 10,000 computers on site and is being investigated as a major cyber attack.

After Atlanta and San Antonio last year, the cyberattack on Baltimore confirms that cities are now targets like any other industry, as are businesses and public administrations. But then, why are we talking so much about Baltimore? How is it different from the others?


A high ransom amount

Firstly, because of the ransom amount; about $100,000. An important symbolic step, far from the $300 requested at the beginning of the WannaCry ransomware in 2017. Amounts that have therefore increased dramatically. The reasons? A higher level of organization and sophistication to these attacks than general ransomware campaigns and a trend towards cyberattacks on large organizations that cannot afford the luxury of business interruption. Sensitive industrial sectors, public services or hospitals are then on the front line. The latest industry figures estimate the average amount of ransoms paid per incident in the first quarter of this year at $13,000, compared to $7,000 in the last quarter of 2018.


A high cyberattack cost

Secondly, this RobbinHood ransomware in Baltimore is also making headlines following initial feedback on the total cost of the cyberattack. Latest estimates are up to $18 million and could increase even more. This is above the average of the figures from the latest international study by Accenture Security and the Ponemon Institute, which estimated the average cost of a cyberattack at $13 million. This figure is up 27% compared to last year and 72% compared to five years ago. It should be noted that this is indeed an average; around the world, cases of cyberattacks affecting large groups have been in the news since 2017 – with amounts that make heads turn. Maersk, Mondelez and Saint-Gobain, affected by NotPetya, reported losses of $300 million, $100 million and €80 million respectively. Closer to home, at the beginning of 2019, Norsk Hydro and Altran were also losing $40 million and €20 million due to the LockerGoga ransomware infection.


A doubt concerning the ransom payment

Could these costs then justify the decision of some companies to pay the ransom demanded by cybercriminals? This is the third point that draws attention to Baltimore's current events – since the city's mayor, Bernard C. Young, seems to be hesitant on the issue. "Right now, I say no," he said at the end of May. "But in order to move the city forward? I might think about it. But I have not made a decision yet." And yet, giving in to ransom demands does not seem to be the best idea – for several reasons. First, as authorities such as the FBI in the United States, or ANSSI in France, specify paying a ransom encourages malicious acts. By contributing to the financing of cybercriminals' activities, paying companies also contribute to the development of ransomwares. In addition, paying a first time may give you a "good customer" label in these cybercriminal minds or "cash cow", it depends. Finally, those who pay the ransoms do not systematically recover their data: in 20% of cases, they are destroyed as soon as they are encrypted. After-sales service is not a priority for cybercriminals.


A successful spread

Finally, it is the (successful) spread of this ransomware that makes people talk about it – since the New York Times mentions the number of 10,000 computers affected. As well as the long period of blocking the information system – since it has already been more than a month. So how can we effectively protect ourselves against these massive ransomwares? First, basic security and digital hygiene measures exist. Starting with regular installation of updates, use of endpoint protection software, avoid opening attachments from suspicious emails or unknown senders, and regular backup to an external storage system or in the cloud. By exploiting remote vulnerabilities, some ransomwares can spread themselves automatically within internal networks and infect thousands of computer in short period of time. To limit this kind of propagation, it is necessary to implement next-generation firewalling systems, offering granular filtering of connections and threat detection capabilities, at the edge and the core of the infrastructure.


To defend against the increasing sophistication of cybercriminals, it is time for companies to equip themselves accordingly.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Ransomware attacks are on the rise, threatening the economic stability and sustainability of many companies and organisations. Not a week goes by without a company or government body being attacked and receiving a ransom demand. This Stormshield whitepaper looks at the evolution of ransomware and the actors who make it a major threat. It deciphers how this malware works and proposes best practices to avoid the consequences. This does not obscure the central question pondered by many organisations faced with the problem of whether to pay or not to pay? Should you give in?