The government of Baltimore has been taken hostage by ransomware and may remain shut down for weeks

Nearly two weeks after the city of Baltimore's internal networks were compromised by the Samsam ransomware worm (previously), the city is still weeks away from recovering services — that's weeks during which the city is unable to process utility payments or municipal fines, register house sales, or perform other basic functions of city governance.

911 and emergency services are OK, because after they were hit by a ransomware attack last year, they were hardened against future attacks. The city did not allocate funds to improve its security, or improve its training, or take out cyberattack insurance, despite a recommendation from the city's information security manager.


Baltimore's city government has been wracked by a string of corruption scandals, including the abrupt resignation of Mayor Catherine Pugh this month, as well as the precipitous departure of four CIOs over the past five years in a string of firings and forced resignations.

The ransomware crooks who seized control over Baltimore's servers asked for $70,000 to restore them. Baltimore will spend far, far more than that on recovering its servers the hard way, in part because it was so vulnerable to begin with, thanks to the city officials' decision not to appropriate funds to improve its resiliency and security.

Until the ransomware attack, the city's email was almost entirely internally hosted, running on Windows Server 2012 in the city's data center. Only the city's Law Department had moved over to a cloud-based mail platform. Now, the city's email gateway has moved to a Microsoft-hosted mail service, but it's not clear whether all email will be migrated to the cloud—or if it's even possible. While Mayor Young said the city had data backups, it's not clear how widely backups were implemented. And Johnson would not say whether there was a disaster-recovery plan in place to deal with a ransomware attack.

Some of Baltimore's systems are hosted elsewhere, including the city's primary website, which is hosted on Amazon Web Services and operated by a contractor. But the city almost lost that website last week, and not because of ransomware: the contract for operating the site had expired, and the city was delinquent in its payments.


Baltimore ransomware nightmare could last weeks more, with big consequences [Sean Gallagher/Ars Technica]