Baltimore ransom: what’s next?

September 6, 2019

Avi Rubin, Information Security Institute’s Technical Director, gives opinion on Baltimore ransomware’s latest developments.

This year, Baltimore was hit with a sophisticated, nasty ransomware attack. The incident crippled much of the city’s IT infrastructure and brought such things as utility bill payments and real estate transactions to a halt. The outage lasted months and estimates of the cost were in the millions of dollars. Such attacks are increasingly easier to launch, as Do-It-Yourself malware kits prevail on the Internet. In fact, the Baltimore city attack has been reported to be the direct result of a leaked hacking kit developed by the National Security Agency.

The city was vulnerable to ransomware because of outdated IT infrastructure, inadequate backups, and a clear lack of security posture in the face of today’s real threats. The event should serve as a wake-up call to municipalities throughout the country. These attacks are real, and they are serious. Just recently several towns in Texas were hit, and every week brings another report of ransomware attacks that impact some unprepared organization.

The question often arises, whether Baltimore should have paid the ransom. After all, the attackers were asking for 70-100k (depending on the value of bitcoin on any given day), and the city’s shut down cost them millions by all accounts. While it is popular in many circles to advocate paying the ransom, I think there are more compelling reasons not to pay. First of all, paying the ransom rewards criminals and supports bullying and extortion. The funds will be used to embolden the attackers and will lead to further attacks. Furthermore, there is no guarantee that the attackers will actually release any decryption keys rather than holding out for more money. While it is true that some ransomware attackers sometimes do release the data after an attack, in order to gain credibility, there is no telling if these particular attackers play by those “rules”. The right answer is to focus on improving IT security, to administer proper backups, and to make sure that organizations are no longer vulnerable to ransomware attacks.

Sadly, the insurance industry is not helping. Many cyber insurance companies are playing the numbers game and have decided that paying ransomware is the least expensive approach to dealing with this thorny problem. It is my hope that the security IT industry can work on prevention of ransomware attacks, so that the upside down economics of ransomware will not cause these attacks to continue and to grow.

JHU Information Security Institute