Ransomware, the malware strain that has caused so much chaos all around the world, is still grabbing headlines in 2019. In March, one of the world’s largest aluminum producers was forced to carry out part of its operations manually due to a ransomware attack; according to some sources, costs of this attack reached $40 million after a week. And at the start of the year, the city hall of Del Rio in Texas was attacked with a piece of ransomware with a peculiar feature: the ransom note contained a phone number to contact the attackers.

Local governments: a prominent target

On May 7, the city of Baltimore in the US announced that the city government had closed most of its servers due to a ransomware attack. Although essential services such as police and fire brigades were not affected, the email systems used by city employees, phone lines, and online bill payment systems were all compromised.

Among those affected were the Department of Public Works, which reported that its customer support line was down. As a result, the city hall has suspended customers’ late bill fees.

The mayor of the city, Bernard C. “Jack” Young, said that the city had seen no evidence of any personal data being exfiltrated from the compromised computers. This is normally the case; although there are examples of attacks that use ransomware as a cover for a data leak, attackers normally just want to deny the victim access to their computers.

In a press conference, the CIO of Baltimore confirmed that they were dealing with a very aggressive ransomware called RobbinHood – a relatively new variant of this malware according to the FBI.

The ransom note demanded 3 Bitcoins (approximately $18,000) to unblock each computer, or 13 Bitcoins ($78,000) to release the whole city. Some sources reported that four days after the initial infection, the cost of recovering the systems increased $10,000 per day. The note claimed that after 10 days, it would be impossible to recover any data. However, in spite of this threat, the city stood firm, and refused to pay the ransom. Over three weeks after the initial attack, the city hall was still unable to send emails or process payments.

The city of Baltimore, victim of RobbinHood ransomware

Note on the Baltimore city website on May 28

This is not the first time that the city of Baltimore has been affected by a ransomware attack. In March of last year, the city’s emergency call system was attacked, which resulted in many central systems being taken offline.

How RobbinHood works

According to Bleeping Computer, the ransomware doesn’t get onto computers via spam; rather, it takes advantage of remote desktop protocols (RDP) or other Trojans that give the attacker access to the victim’s system. Another peculiar feature of this ransomware is the fact that the attackers seem to be concerned about their victims’ privacy. The ransom note claims that the encryption keys and IP addresses will be deleted after payment. What’s more, it also says that the victim need not report the attack, since their secret is safe with the attackers.

According to The New York Times, this ransomware made its way onto the Baltimore government’s systems thanks to EternalBlue, the same vulnerability that was used by the global WannaCry attacks in 2017. This highlights the importance of applying security patches as soon as possible, since a patch for EternalBlue has been available since April 2017.

What can be done to stop ransomware?

According to some sources, one organization will fall victim to a ransomware attack every 14 seconds in 2019; and this kind of attack has increased 97% over the last two years. It is therefore vital that organizations protect their IT systems.

In order to know exactly what is happening on your organization’s IT systems, it is of utmost importance to have an advanced cybersecurity solution. Panda Adaptive Defense provides total visibility of all endpoints on your systems; it monitors all system activity in real time, detecting possible points of infection, as well as any suspicious use of the company’s assets. This is particularly important in the case of this ransomware, since it doesn’t make its way onto systems via attachments, but rather by exploiting a network protocol.

However, many kinds of ransomware – along with other types of malware – do get in via email. As such, another important measure to protect your company’s cybersecurity is to monitor attachments. If you’re not entirely sure of where an email has come from, don’t open any attachments.

Another vital measure to protect against ransomware is to create backups of all vital files in order to get back to normality as quickly as possible after any incident. It is also a very good idea to have an incident response plan in order to know how to act if your company is affected a threat of this kind. These measures will help all kinds of organizations – from private companies to governments – to avoid the dangers of ransomware.