Background/Initial Attack Questions

1. Why haven’t you paid the ransom? Wouldn’t paying the ransom get systems up and running sooner?

First, we were advised by both the FBI and Secret Service not to pay the ransom. Second, that is not how the City of Baltimore operates; we do not reward criminal behavior. Also, paying the ransom does not make the recovery process cheaper or faster. Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment.

2. Was any sensitive data compromised?

Our forensic investigation is not yet complete, but at this time, we have seen no evidence that any sensitive data has been taken from our systems.

3. How did the City of Baltimore learn that it has been attacked? How soon after the attack did the City learn about the incident?

The City of Baltimore learned of the attack on Tuesday, May 7th. Our systems were targeted through an attack involving the RobbinHood ransomware.

4. What is the extent of the attack?

We are into the restorative process and are cooperating with the FBI on their investigation. Due to that investigation, we are not able to share information about the attack. To the extent that we can, we will continue to keep you informed on our progress and the investigation.

5. Exactly what data were the attackers able to access?

Our investigation is ongoing, and our forensic investigators continue to research this issue.

6. Who has been affected by the attack?

Many of us in the Baltimore community have been affected by this attack. We continue to work diligently with Baltimore City Information Technology to identify restoration priorities and assist with the recovery process. Where possible, City agencies have enacted feasible alternatives to ensure as minimal interruption as possible.

7. What measures are being taken to prevent this attack from expanding or occurring again in the future?

City of Baltimore has engaged industry-leading cybersecurity experts who are on-site working with us. As part of our containment strategy, we deployed enhanced monitoring tools and implemented advanced security measures throughout our network to further strengthen and enhance our security.

8. What is the timeline for a full restoration?

We are not able to provide you with an exact timeline on when all systems will be restored. Some of the restoration efforts require that we rebuild certain systems to make sure that when we restore business functions, we are doing so in a secure manner.

9. What steps are being taken to be up and running?

Once the ransomware was detected we went into incident response mode, quickly took services and systems offline to contain the attack and activated key partners to help us navigate and respond. We established a web-based incident command, shifted operations into manual mode and established workarounds to facilitate the continued delivery of services to the public. We continue to adjust and refine the delivery of those services that were only partly interrupted and to pursue ways to reactivate any services that were completely affected. Currently, we are in the restorative process and as part of our containment strategy, we have deployed enhanced monitoring tools throughout our network to gain additional visibility.

10. Who are the security consultants helping Baltimore City recover from the ransomware attack and how much has been spent on them so far?

Professional Services Contracts Related to Ransomware

Ransomware dollars spent on six security consultant firms to complete forensic analysis and detection on workstations,
network devices, servers, and databases. These firms also assisted in the hardening overall and overall protection of
Baltimore City’s computing environment.
$2,810,575

Baltimore City partnered with the following vendors: FireEye INC., Clark Hill PLC., Seculore Solutions LLC., Dyn Tek Services LLC., Microsoft, and Crypsis Digital Security LLC DBA: Crypsis Group.

Ransomware dollars spent on computer technicians that deployed workstation, laptops and replacement hard drives for ransomware impacted devices. The State of Maryland also contributed technicians to help with these tasks.
$485,755

Ransomware dollars spent for staff augmentation overtime (for existing staff) and expertise for several infrastructure tools.
$111,742

Equipment Purchases Related to Ransomware
Dollars spent on the purchase of hardware (workstation, monitors etc.) and software related to ransomware recovery.
$1,902,474

Total Professional Services and Equipment Contract Costs to date$5,310,546

Contract costs incurred as of 7/11/2019

Public Opinion/Media Trend Questions

11. Why couldn’t City of Baltimore prevent this from happening when previous indicators suggested the City’s IT systems were not secure?

Like many cities, we operate on a wide variety of systems, old and new. We have been working on upgrading our systems, refreshing our infrastructure, and enhancing cybersecurity safeguards, but given the size of our organization, this is not something that happens overnight. We are committed to restoring our systems in a safe and secure manner.

12. I’ve seen a statement suggesting the city will seek federal emergency and disaster declaration. Is this true?

Our top priority is bringing back our operations in a clean and secure environment so we can continue serving the people of Baltimore. Council President Brandon Scott has sent a request to the Governor seeking federal aid to assist with damages, cost and infrastructure repairs directly related to the incident.

Baltimore City Mayor has reached out to other political leaders to open a dialogue about how the federal government can assist underfunded cities in recognizing and combating sophisticated cyber threats.

13. Resources indicate you didn’t update the SMB patch Microsoft released in 2017 which could have prevented the ransomware attack from happening. Is this true? Why didn’t you install the patch?

The SMB vulnerability was not a factor in the Baltimore City RobbinHood ransomware attack.

14. Since you didn’t update your patch, do you think the City is negligent in its actions?

Because of the ongoing investigation, the City is not in a position to answer any legal questions about the ransomware attack.

15. In March of 2018, the City’s 911 and 311 systems were hijacked? Is there a connection between that cyberattack and this ransomware attack?

Baltimore’s 911 system suffered an attack last year because a firewall was disabled for under four hours during maintenance. It was during that window of time that a bad actor scanned for vulnerabilities and accessed the system. That incident is not related to the current ransomware attack.

16. Why didn’t you put tighter security protocols in place after the attack in 2018?

After the 2018 attack, steps were taken to prevent a similar incident, including changing the review process and requiring peer review before configurations are changed, and working with government agencies to obtain real-time threat intelligence to help identify and thwart attacks.

17. Why is your capital IT budget so low compared to that of other cities of similar size?

Different cities have different funding needs based on location, size, and other concerns. Baltimore City reviews its budgets on a yearly basis, and works very hard to appropriately allocate limited resources.

18. Last year, when the City’s 911 and 311 systems were attacked, City CIO Frank Johnson was quoted saying “I don’t know what else to call this but a self-inflicted wound. The bad guys did not get in on their own without the help of someone inadvertently leaving the door open.” Are you suggesting the City dropped the ball on their security protocols?

The attack last year occurred because a firewall was disabled for under four hours during maintenance. That incident is unrelated to the current ransomware attack.

19. Clearly the City has been aware of its vulnerabilities as shared in the capital planning budget request meeting. Why hasn’t the City taken steps to shore up their cybersecurity posture?

The City has taken steps to increase its cybersecurity safeguards over the last year. These include things like implanting a workstation refresh program, purchasing and installing new firewalls, and implementing advanced monitoring tools. However, increasing cybersecurity safeguards and refreshing the IT infrastructure is a long term process, and doesn’t happen overnight.

20. For more than two years, why didn’t the City patch its systems against the SMB_v1 vulnerability that EternalBlue exploited despite global alerts about the severity of the flaw?

Our independent computer forensic experts have found no evidence that EternalBlue was a factor in the Baltimore City ransomware attack.

21. What about the New York Times’ statement that information from internal Baltimore City sources claim EternalBlue was involved in the attack?

The City of Baltimore has no information about the sources referenced by the New York Times, but the independent forensic investigators assisting us in investigating this incident have found no evidence that EternalBlue was involved in the ransomware attack.

22. Was there a way to detect this attack sooner? What did the City audit when they referenced security patches that passed with flying colors? What was actually audited?

The City of Baltimore routinely undergoes different audits focusing on different areas of the system. Most recently, its 311 infrastructure was audited from a public safety perspective and passed the audit.

23. Which city services are still operational during the network outage?

Baltimore City is up and running and open for business! The Baltimore Police Department and the Baltimore City Fire Department are still responding to calls for service.

The Baltimore City Health Department is continuing its Non-Emergency Medical Transportation, Animal Control, Environmental Inspection, and Disease Surveillance and Investigation Services including Senior Centers, Clinics, and Food Licensing. Water is being processed constantly and sent to homes and businesses and wastewater is being purified and returned in quality condition to the Chesapeake Bay.

Capital projects are on schedule, and repairs are being expedited. Trash, recycling, and bulk are being collected, drop-off yards are open and streets are being swept. The traffic signals are still working and people can pay their parking and moving violations.

We have continued to recruit, hire and onboard new employees and we have been able to pay employees accurately based on their hours worked and related time records. All city workforce centers remain fully functional and open to the public ready to assist with employment-related needs.

Despite the network outage, the YouthWorks team has been able to generate over 8,000 job opportunities for Baltimore youth. Notification of jobs will begin the first week of June. Baltimore City Recreation & Parks has numerous summer opportunities to keep our young people engaged and active. We have 43 recreation centers operational citywide. This Memorial Day, we opened all six park pools for weekend service. On June 22, the remaining 22 pools will open for full weekday and weekend service. And, you can still get your permits for work and licenses for properties, you just have to pay in person or mail in your payment.