RobbinHood ransomware: Why Baltimore ends up in the spot lights?

Baltimore and the RobbinHood ransomware | Stormshield

Since the beginning of May, computer networks in the city of Baltimore (United States) have been paralyzed. This was due to a ransomware attack that locked down the government's 10,000 computers on site and is being investigated as a major cyber attack.

After Atlanta and San Antonio last year, the cyberattack on Baltimore confirms that cities are now targets like any other industry, as are businesses and public administrations. But then, why are we talking so much about Baltimore? How is it different from the others?

A high ransom amount

Firstly, because of the ransom amount; about $100,000. An important symbolic step, far from the $300 requested at the beginning of the WannaCry ransomware in 2017. Amounts that have therefore increased dramatically. The reasons? A higher level of organization and sophistication to these attacks than general ransomware campaigns and a trend towards cyberattacks on large organizations that cannot afford the luxury of business interruption. Sensitive industrial sectors, public services or hospitals are then on the front line. The latest industry figures estimate the average amount of ransoms paid per incident in the first quarter of this year at $13,000, compared to $7,000 in the last quarter of 2018.

A high cyberattack cost

Secondly, this RobbinHood ransomware in Baltimore is also making headlines following initial feedback on the total cost of the cyberattack. Latest estimates are up to $18 million and could increase even more. This is above the average of the figures from the latest international study by Accenture Security and the Ponemon Institute, which estimated the average cost of a cyberattack at $13 million. This figure is up 27% compared to last year and 72% compared to 5 years ago. It should be noted that this is indeed an average; around the world, cases of cyberattacks affecting large groups have been in the news since 2017 – with amounts that make heads turn. Maersk, Mondelez and Saint-Gobain, affected by NotPetya, reported losses of $300 million, $100 million and €80 million respectively. Closer to home, at the beginning of 2019, Norsk Hydro and Altran were also losing $40 million and €20 million due to the LockerGoga ransomware infection.

A doubt concerning the ransom payment

Could these costs then justify the decision of some companies to pay the ransom demanded by cybercriminals? This is the third point that draws attention to Baltimore's current events – since the city's mayor, Bernard C. Young, seems to be hesitant on the issue. "Right now, I say no," he said at the end of May. "But in order to move the city forward? I might think about it. But I have not made a decision yet." And yet, giving in to ransom demands does not seem to be the best idea – for several reasons. First, as authorities such as the FBI in the United States, or ANSSI in France, specify paying a ransom encourages malicious acts. By contributing to the financing of cybercriminals' activities, paying companies also contribute to the development of ransomwares. In addition, paying a first time may give you a "good customer" label in these cybercriminal minds or "cash cow", it depends. Finally, those who pay the ransoms do not systematically recover their data: in 20% of cases, they are destroyed as soon as they are encrypted. After-sales service is not a priority for cybercriminals.

A successful spread

Finally, it is the (successful) spread of this ransomware that makes people talk about it – since the New York Times mentions the number of 10,000 computers affected. As well as the long period of blocking the information system – since it has already been more than a month. So how can we effectively protect ourselves against these massive ransomwares? First, basic security and digital hygiene measures exist. Starting with regular installation of updates, use of endpoint protection software, avoid opening attachments from suspicious emails or unknown senders, and regular backup to an external storage system or in the cloud. By exploiting remote vulnerabilities, some ransomwares can spread themselves automatically within internal networks and infect thousands of computer in short period of time. To limit this kind of propagation, it is necessary to implement next-generation firewalling systems, offering granular filtering of connections and threat detection capabilities, at the edge and the core of the infrastructure.

To defend against the increasing sophistication of cybercriminals, it is time for companies to equip themselves accordingly.

Share on

Before to have to face this situation, how to protect from ransomware attack? What are the effective ransomware protection? And what to do after a ransomware attack?

About the author

mm
Matthieu Bonenfant
Chief Marketing Officer, Stormshield

A graduate of Télécom-Lille, Matthieu Bonenfant is a cybersecurity specialist whose career at Netasq began in 2001, as a support engineer. He also served as Product Manager, Head of New Product Introduction, Technical Support Manager, and then Director of Operations and Customer Service. After occupying the position of Business Division Manager at Advens between 2008 and 2013, he returned to Netasq as Product Marketing Director and became Stormshield’s Chief Marketing Officer in 2016.