Ransomware is malicious software that encrypts files and requires a key to decrypt the files. To get the files decrypted, the company or organizati

Attacked With Ransomware, Baltimore Isn't Giving In Chokshi, Niraj . New York Times , Late Edition (East Coast); New York, N.Y. [New York, N.Y]. 23 May 2019:

B.6.

ProQuest document link

FULL TEXT More than two weeks ago, hackers seized parts of the computer systems that run Baltimore's government.

It could take months of work to get the disrupted technology back online. That, or the city could give in to the

hackers' ransom demands.

"Right now, I say no," Mayor Bernard Young told local reporters on Monday. "But in order to move the city forward?

I might think about it. But I have not made a decision yet."

Here's a brief rundown of what happened.

What was affected?

On May 7, the city discovered that it was a victim of a ransomware attack, in which critical files are encrypted

remotely until a ransom is paid.

The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading, but not

before it took down voice mail, email, a parking fines database, and a system used to pay water bills, property

taxes and vehicle citations.

Real estate transactions were frozen, too, until the city put a fix in place this week.

What was the threat?

A copy of a digital ransom note, obtained by The Baltimore Sun, stated that the city could unlock the seized files

for a price: three Bitcoins (nearly $24,000) per system or 13 Bitcoins (about $102,000) for them all.

(The price of this decentralized, hard-to-track virtual currency fluctuates wildly. On the day of the attack, the

ransom would have cost about $17,000 per system, or less than $75,000 for them all.)

"We won't talk more, all we know is MONEY!" the note said.

Baltimore has released little else about the attack, citing a continuing F.B.I. investigation.

Who is behind the attack?

The authorities have not named any individuals or groups behind the attack, but they have identified the malicious

software, or malware, behind it as "RobbinHood," a relatively new ransomware variant, according to The Baltimore

Sun.

Such attacks are often carried out by Russian or Eastern European hackers, but that isn't always the case. The

ransomware attack that crippled Atlanta's government for days last year has since been attributed to two men in

Iran.

Was Baltimore targeted?

The city has not described how the attack was executed, but experts don't believe that hackers sought the city out.

"I think it was purely an opportunistic attack," said Lawrence Abrams, the creator and owner of Bleeping Computer,

a technology news site.

The language used in the Baltimore ransom note was nearly identical to those used in other RobbinHood attacks,

according to Mr. Abrams, who has spoken to various researchers about RobbinHood and seen a handful of

systems infected by it.

The creator or creators of RobbinHood most likely scanned a large number of online systems for vulnerabilities to

exploit, such as gaps in protocols used to grant remote access to computers, he said.

And Baltimore isn't alone.

Early on April 10, officials in Greenville, N.C., discovered that they, too, were the victims of a RobbinHood attack.

The city declined to pay the ransom, and the attack remains under investigation by the F.B.I., Mayor P.J. Connelly

said by email.

How common are ransomware attacks?

The first known ransomware attack was carried out three decades ago, according to Allan Liska, an analyst with

Recorded Future, a cybersecurity firm.

In that 1989 attack, disks claiming to offer information about AIDS were mailed to more than 10,000 people around

the world. Each contained software designed to lock up a computer's files with instructions to mail a check to

Panama so the user could receive another program to undo the damage.

But ransomware attacks have been carried out much more frequently in recent years thanks to the advent of

difficult-to-track payment methods.

"The reason for the modern rise in ransomware, and frankly the wild success, is directly attributable to Bitcoin and

other cryptocurrencies," Mr. Liska said.

In a recent report on ransomware targeting state and local governments, Mr. Liska traced the current era back to

2013, when the police department in Swansea, Mass., was infected by malware known as CryptoLocker.

There have been at least 169 incidents of state and local governments falling prey to ransomware since that year,

though Mr. Liska said that estimate was probably low because governments don't always publicize such attacks.

"That's really only the tip of the iceberg," he said. "There's really probably a lot more that are never reported on."

About 70 percent of state and local governments refused to pay a ransom, while 17 percent did, he said. The

outcome could not be determined in the remaining cases.

Should Baltimore pay?

The encryption used by ransomware can often be difficult to crack, but Mr. Liska nonetheless advised against

paying the ransom.

"That money is going to help make the bad guy's job easier," he said, noting that the perpetrator might use the

proceeds to pay for better, more effective attacks.

There's also no guarantee that hackers will hold up their end of the bargain if a victim pays. That said, the hackers

might release the files if only to show future victims that it's worth paying, Mr. Liska said.

In the case of the RobbinHood attack, for example, the creator or creators offered to decrypt up to three files at no

cost, to show "we are honest," according to a screenshot Mr. Abrams shared of the ransom payment page.

The hackers even included a privacy statement.

"I want to mention that your privacy is important for us, all of your records including IP address and Encryption

keys will be wiped out after your payment," it read.

Photograph

After it was hit by a ransomware attack, Baltimore immediately notified the F.B.I. and took systems offline, but not

before several of them were affected. (PHOTOGRAPH BY GABRIELLA DEMCZUK FOR THE NEW YORK TIMES) DETAILS

Subject: Malware; Digital currencies; Ransomware

Business indexing term: Subject: Digital currencies Ransomware

Location: Iran; Baltimore Maryland; Panama; Atlanta Georgia

LINKS Check FindIt for availability.

Database copyright  2022 ProQuest LLC. All rights reserved. Terms and Conditions Contact ProQuest

Company / organization: Name: Baltimore Sun; NAICS: 511110

URL: https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html

Publication title: New York Times, Late Edition (East Coast); New York, N.Y.

Pages: B.6

Publication year: 2019

Publication date: May 23, 2019

Section: B

Publisher: New York Times Company

Place of publication: New York, N.Y.

Country of publication: United States, New York, N.Y.

Publication subject: General Interest Periodicals–United States

ISSN: 03624331

Source type: Newspaper

Language of publication: English

Document type: News

ProQuest document ID: 2229028131

Document URL: http://ezproxy.umgc.edu/login?url=https://www.proquest.com/newspapers/attacke

d-with-ransomware-baltimore-isnt-giving/docview/2229028131/se-

2?accountid=14580

Copyright: Copyright New York Times Company May 23, 2019

Last updated: 2021-03-15

Database: New York Times

Another City in Florida Pays a Ransom to Computer Hackers Mazzei, Patricia . New York Times , Late Edition (East Coast); New York, N.Y. [New York, N.Y]. 28 June

2019: A.17.

ProQuest document link

FULL TEXT MIAMI — Even the phones went down in the government of Lake City, Fla., after hackers launched a cyberattack

that disabled the city's computer systems.

For several days after computer systems were paralyzed by a ransomware attack, the staff of the small North

Florida town worked with the F.B.I. and an outside security consultant to restore phone lines, email and online

utility payments. But in the end, city leaders called an emergency meeting this week and reluctantly approved

paying the hackers the ransom they demanded: 42 Bitcoin, or about $460,000.

It was the second city to agree to a large ransom in two weeks. Riviera Beach, in Florida's Palm Beach County,

signed off on an extraordinary $600,000 payment last week, also in Bitcoin, a cybercurrency that is difficult to

trace.

As in Riviera Beach, the brunt of Lake City's ransom will be paid by insurance. Only $10,000 will come out of the

city's coffers.

"With your heart, you really don't want to pay these guys," Mayor Stephen Witt said. "But, dollars and cents,

representing the citizens, that was the right thing to do."

The F.B.I., as it typically does, recommended against agreeing to the hackers' demands. But Mr. Witt said a

prolonged recovery would have cost taxpayers more. Though there was no guarantee that the attackers would

release the city's data, Mr. Witt said information technology staff had already been making strides since the

ransom had been paid.

On Thursday, a third Florida city, Key Biscayne, said it too had been the victim of a cyberattack that began on

Sunday. It was not clear if the attackers demanded a ransom, but the city said it had brought most networks back

up by Wednesday night.

Ransomware has become a digital epidemic for the public sector, which often manages large, tangled webs of

computer networks, running older software, with limited budgets to defend them. Police departments in Illinois,

Maine, Massachusetts and Tennessee have all opted to pay the ransom demands to get back their data. The

difference in Florida is that the attackers are now emboldened, raising their ransom demands by a factor of 10 or

more.

City officials in Baltimore, a much larger city that has been fighting a massive ransomware attack for the past two

months, have spent $18 million on recovery. Hackers there had demanded a ransom of $80,000. A slew of other

governments, including the city of Atlanta, have faced similarly crippling breaches.

The Lake City attack began on June 10 when an employee clicked on a malicious email and infected the city's

computers with ransomware, according to the mayor. The program, which the city identified as malware known as

"Triple Threat," affected everything but Lake City's police and fire departments, which are on a separate server.

"As a result, all Emergency services remain intact," the city said when it disclosed the attack.

Several days went by before the hackers demanded a ransom. At first, the city, which is about 65 miles west of

Jacksonville, at the point where Interstate 10 and Interstate 75 meet, had some luck restoring its systems on its

own. But then it ran into trouble, so city leaders decided instead to negotiate with its insurance carrier, the Florida

League of Cities, to make the ransom payment.

"Any I.T. professional will tell you they're fending off attacks all the time," said Eric Hartwell, deputy general counsel

and insurance counsel for the Florida league, which began offering cyberattack liability coverage to its hundreds of

members a few years ago. "It's not necessarily a new thing — I just think for whatever reason, the news cycle is now

showing municipalities are no different from private corporations."

There is a chance Lake City could have decrypted the ransomware on its own. A spokesman for the city said the

ransomware was a variant of a malware strain called "Ryuk." Security experts have successfully unscrambled Ryuk

ransomware in 3 to 5 percent of cases, according to Emsisoft, a security firm. Part of the problem, said Brett

Callow, a spokesman at Emsisoft, is that security experts need better communication channels with victims. His

firm created ID Ransomware, a free website that allows victims to upload strains of ransomware so that security

experts can help them to decrypt it.

In Europe, similar projects have proved successful. Security experts, law enforcement and local officials are

partnering on the No More Ransom Project to share information about attacks in real time, share decryption

techniques, and point law enforcement toward attackers' command and control servers. In Poland last year, the

Polish police, Belgian Federal Police and Europol arrested a Polish national suspected of having infected several

thousand computers with ransomware. Security experts said they have had similar success working with the

Dutch National Police, but have had a harder time connecting with the F.B.I. because the agency has stricter

communication protocols.

Mr. Witt said Lake City fired an employee who it deemed had not done enough to protect the computer systems

from an intrusion. That employee was not the same person who clicked on the malicious email, he said.

"We're developing a system with a backup that hopefully won't be vulnerable," Mr. Witt said, imploring other small-

town mayors to do the same. "Every other town needs to look at their system — today."

"I have been in office 14 years," he added. "We've had tornadoes. We've had hurricanes. We've had fires that they

told me were going to maybe reach the city limits. But this was unusual. This was different."

Credit: By PATRICIA MAZZEI; Nicole Perlroth contributed reporting from San Francisco. DETAILS

Subject: Law enforcement; Digital currencies; Malware; Liability insurance; Hackers

Location: Baltimore Maryland; Massachusetts; Maine; Key Biscayne; Illinois; Tennessee;

Poland; Florida; San Francisco California; Europe; Atlanta Georgia

People: Witt, Stephen

Company / organization: Name: Europol; NAICS: 922120

URL: https://www.nytimes.com/2019/06/27/us/lake-city-florida-ransom-cyberattack.html

Publication title: New York Times, Late Edition (East Coast); New York, N.Y.

Pages: A.17

Publication year: 2019

Publication date: Jun 28, 2019

LINKS Check FindIt for availability.

Database copyright  2022 ProQuest LLC. All rights reserved. Terms and Conditions Contact ProQuest

Section: A

Publisher: New York Times Company

Place of publication: New York, N.Y.

Country of publication: United States, New York, N.Y.

Publication subject: General Interest Periodicals–United States

ISSN: 03624331

Source type: Newspaper

Language of publication: English

Document type: News

ProQuest document ID: 2248107897

Document URL: http://ezproxy.umgc.edu/login?url=https://www.proquest.com/newspapers/another

-city-florida-pays-ransom-computer-hackers/docview/2248107897/se-

2?accountid=14580

Copyright: Copyright New York Times Company Jun 28, 2019

Last updated: 2019-09-18

Database: New York Times