Cyber Incident Victim: City of Baltimore
Date: May 2019
Location: United States of America
Summary
A ransomware attack using the RobbinHood variant disrupted systems across most of Baltimore's city government, taking departments offline while police, fire and emergency services stayed operational. The malware does not spread on its own: attackers who already held administrative access had to deploy it to each machine individually with tools such as psexec, staging the components in C:\Windows\Temp and placing a public RSA key on the system before encryption began. Officials confirmed that backups existed but held off restoring from them because they could not establish how long the attackers had been inside the network, leaving city employees on manual processes. The incident came after recent security audits that had rated the city's defenses as adequate, underlining the difficulty of defending against evolving threats.
Description
On May 7, 2019, the City of Baltimore experienced a widespread ransomware attack that disrupted operations across nearly all municipal government departments. The attack, attributed to the "RobbinHood" ransomware variant, forced city officials to take email systems and other critical services offline by 9:00 AM that morning. While police, fire, and emergency response systems remained operational, most other city departments experienced service interruptions. The Baltimore Office of Information Technology acknowledged the outage via a recorded phone message but provided no immediate restoration timeline. City spokesperson Lester Davis noted similarities between this incident and an April 2019 ransomware attack on Greenville, North Carolina.

Baltimore Chief Information Officer Frank Johnson confirmed during a press conference that the FBI had identified the malware as a new variant of RobbinHood ransomware, first observed within the preceding month. Security researcher Vitali Kremez analyzed the ransomware's behavior and noted that it had no network propagation capability of its own: it had to be pushed to each machine manually, for example with psexec, or by way of a compromised domain controller. Before encryption could start, the attackers needed administrative access to each target in order to place the ransomware components in the C:\Windows\Temp directory and pre-install a public RSA key. This staged deployment indicated that the threat actors had established persistent access to the network well before the payload was triggered.

Mayor Bernard "Jack" Young stated that the city could not simply restore from its backups because it did not yet know when the malware had first entered the network, so the backups could not be trusted until that timeline was established. City employees reverted to manual processes for essential services, and the mayor suggested redeploying idle workers to municipal maintenance tasks if the outage persisted.

The incident occurred just over a year after Baltimore's 911 dispatch system suffered a separate ransomware attack, caused by a firewall vulnerability introduced during maintenance. Despite Johnson's assertion that recent security audits had given the city "multiple clean bills of health," the attack highlighted ongoing challenges in defending against evolving threats.
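Because RobbinHood cannot spread by itself, the remote-execution step the attackers must perform (a PsExec-style service install) followed by staging in C:\Windows\Temp is the detectable part of the chain. The script below is an added illustration written for this page; it is not code from the incident, the researchers or the agencies cited above. It correlates constructed Windows event records for one host within a short window. The event IDs are real (System log 7045 for a new service, Sysmon 11 for file creation and Sysmon 1 for process creation) and PSEXESVC is the service name PsExec installs by default; the assumption that the pre-placed key arrives as a `.key` or `.pem` file, and every sample record, are constructed for the example.

```python
"""Detection sketch: flag hosts where a PsExec-style service install is
followed, within a short window, by ransomware staging in C:\\Windows\\Temp.

All event records below are constructed for this example; they are not
logs from the Baltimore incident. Event IDs: 7045 (System log, service
installed), 11 (Sysmon FileCreate), 1 (Sysmon ProcessCreate).
"""
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"         # service name PsExec installs on the target by default
STAGING_DIR = r"c:\windows\temp"    # staging directory named in the incident write-up
KEY_SUFFIXES = (".key", ".pem")     # assumption: the pre-placed RSA public key is a file like this

# Constructed sample events: one host with the full chain, one with a benign
# service install, one with benign Temp activity, one with admin PsExec use only.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": "2019-05-07T03:02:10", "eid": 7045,
     "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS-01", "ts": "2019-05-07T03:02:41", "eid": 11,
     "path": r"C:\Windows\Temp\pub.key"},                       # constructed filename
    {"host": "WS-01", "ts": "2019-05-07T03:03:05", "eid": 1,
     "image": r"C:\Windows\Temp\update.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS-02", "ts": "2019-05-07T09:15:00", "eid": 7045,
     "service": "VendorAgent", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "WS-03", "ts": "2019-05-06T22:00:00", "eid": 11,
     "path": r"C:\Windows\Temp\installer.log"},
    {"host": "WS-04", "ts": "2019-05-07T03:10:00", "eid": 7045,
     "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
]


def classify(ev):
    """Map one event to an indicator name, or None if it is not of interest."""
    if ev["eid"] == 7045:
        blob = (ev.get("service", "") + ev.get("image", "")).lower()
        if PSEXEC_SERVICE.lower() in blob:
            return "psexec_service_install"
    elif ev["eid"] == 11:
        path = ev.get("path", "").lower()
        if path.startswith(STAGING_DIR) and path.endswith(KEY_SUFFIXES):
            return "key_file_in_temp"
    elif ev["eid"] == 1:
        if ev.get("image", "").lower().startswith(STAGING_DIR):
            return "exec_from_temp"
    return None


def find_staging_hosts(events, window=timedelta(minutes=30)):
    """Return {host: sorted indicator names} for every host where a PsExec
    service install is followed within `window` by at least one staging
    indicator (key file written to, or binary launched from, C:\\Windows\\Temp).
    A PsExec install on its own is not reported: admins use the tool too."""
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))

    hits = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, tag0) in enumerate(items):
            if tag0 != "psexec_service_install":
                continue
            follow = {tag for t, tag in items[i + 1:]
                      if t - t0 <= window and tag != "psexec_service_install"}
            if follow:
                hits[host] = sorted({tag0} | follow)
                break
    return hits


if __name__ == "__main__":
    for host, indicators in find_staging_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(indicators)}")
```

Only WS-01 is reported: WS-04 shows a PsExec install with nothing staged afterwards, and WS-03 writes a harmless file to Temp with no remote execution. The service-name match is a starting point rather than a complete rule, since PsExec lets the operator rename the service (the `-r` option) and other remote-execution tools leave different traces; in a real deployment the staging indicators would be fed from the EDR or Sysmon pipeline rather than a static list.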
