Ransomware · critical

Baltimore City RobbinHood: Ransomware Locks City Government for 5 Weeks

RobbinHood ransomware shut down nearly all of Baltimore's city government computer systems for five weeks. The city refused to pay the $76,000 ransom and spent $18 million on recovery instead.

City of Baltimore · 2019 · 2 min read

Background

Baltimore's attack came a year after Atlanta's SamSam ransomware incident of March 2018, and a little over a year after Baltimore's own 911 dispatch system was hit by ransomware in March 2018. The city's IT infrastructure was described by auditors as severely fragmented, with some systems still running Windows XP. The city had been warned repeatedly about its cybersecurity posture but had not made the corresponding investments.

The Attack

RobbinHood ransomware was deployed across Baltimore city networks on May 7, 2019. Contemporary reporting, led by The New York Times, attributed its spread to EternalBlue, the SMBv1 exploit developed by the NSA and leaked by the Shadow Brokers in 2017. That attribution did not hold up well: RobbinHood has no worm or self-propagation capability, so it has to be pushed to each host by intruders who already have access to the network, and later analysis of the samples found no EternalBlue component. The ransomware encrypted servers managing email, payment processing, property tax databases, and the system used to record and track real estate transactions, on which the city's housing market depends. The attackers demanded 3 Bitcoin per system or 13 Bitcoin (about $76,000 at the time) for all systems.

Response

Mayor Bernard C. "Jack" Young refused to pay the ransom, in line with FBI guidance. The city began a manual rebuild from scratch: new servers and systems were procured, real estate transactions were processed manually, and city employees worked without email for five weeks. The New York Times' report that EternalBlue had been used set off significant political controversy about the agency's retention of exploits, with members of Baltimore's congressional delegation demanding a briefing. The NSA never confirmed the report, and its cybersecurity lead publicly rejected the characterization, noting that Microsoft had patched the flaw in March 2017, two years before the attack.

Outcome

The city's own estimate put the total cost at about $18 million, roughly $10 million in direct recovery spending plus $8 million in lost or delayed revenue, around 240 times the ransom demand. Real estate transactions were halted for weeks, affecting home buyers and sellers. The case became a landmark in the debate about whether governments should pay ransoms and, because of the EternalBlue reporting, about the NSA's practice of stockpiling offensive exploits.

Key Takeaways

  1. Refusing to pay ransoms is defensible but requires pre-existing backup infrastructure and recovery plans
  2. EternalBlue targets unpatched SMBv1 (MS17-010, patched by Microsoft in March 2017). Whether or not it was used in Baltimore, the exploit has been public since 2017: disable SMBv1 everywhere, apply the patch, and inventory the network so that no unmanaged host is missed
  3. City governments hold data critical to residents' lives and must be treated as critical infrastructure
  4. The cost of recovery frequently dwarfs the ransom demand when there is no backup strategy
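
As an added example (not code from the page, the City of Baltimore, or any vendor), the Python script below does the first step behind both the spread mechanism discussed under The Attack and takeaway 2: it inventories which hosts still speak SMBv1 by sending a bare SMB_COM_NEGOTIATE that offers only the NT LM 0.12 dialect and classifying the reply. The packet layout follows MS-CIFS; the sample replies, the classification labels and the hostnames passed on the command line are constructed or assumed.

```python
"""Inventory check for hosts that still speak SMBv1 (added example, not
tooling from the page or the City of Baltimore).  It sends a bare
SMB_COM_NEGOTIATE that offers only the 'NT LM 0.12' dialect; a host that
answers with an SMB1 negotiate response selecting that dialect is a host
an EternalBlue-style SMBv1 exploit could still reach.  Packet layout per
MS-CIFS 2.2.4.52; the sample replies below are constructed, not captured."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF          # DialectIndex a server returns when it accepts none


def build_smb1_negotiate(dialects=("NT LM 0.12",)):
    """NetBIOS-framed SMB1 Negotiate Protocol Request offering `dialects`."""
    header = struct.pack(
        "<4sB4sBHH8sHHHHH",
        SMB1_MAGIC,          # Protocol
        SMB_COM_NEGOTIATE,   # Command
        b"\x00" * 4,         # Status
        0x18,                # Flags: canonical paths, case-insensitive
        0xC853,              # Flags2: Unicode, NT status, long names, ext. security
        0,                   # PIDHigh
        b"\x00" * 8,         # SecurityFeatures (unused without signing)
        0, 0,                # Reserved, TID
        0xFEFF,              # PIDLow
        0, 0,                # UID, MID
    )
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body   # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb       # NetBIOS session header


def classify_negotiate_response(data):
    """Classify the bytes a server sends back to build_smb1_negotiate().

    'smb1'         - server selected one of the offered SMB1 dialects
    'smb1-refused' - SMB1 reply but DialectIndex 0xFFFF or an error status
    'smb2'         - server answered with an SMB2 header
    'none'         - nothing parseable (Windows with SMB1 off just closes)
    """
    if len(data) < 4 or data[0] != 0x00:
        return "none"
    nb_len = int.from_bytes(data[1:4], "big")
    pkt = data[4:4 + nb_len]
    if pkt[:4] == SMB2_MAGIC:
        return "smb2"
    if pkt[:4] != SMB1_MAGIC or len(pkt) < 35:
        return "none"
    command = pkt[4]
    status = int.from_bytes(pkt[5:9], "little")
    word_count = pkt[32]                     # first byte after the 32-byte header
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return "smb1-refused"
    (dialect_index,) = struct.unpack_from("<H", pkt, 33)
    return "smb1-refused" if dialect_index == NO_DIALECT else "smb1"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the probe, classify the reply; 'unreachable' if no TCP connect."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
        except OSError:      # reset or timeout after connect: no SMB1 answer
            data = b""
    return classify_negotiate_response(data)


def constructed_smb1_reply(dialect_index, word_count=17):
    """Constructed fixture (not captured traffic): minimal SMB1 negotiate response."""
    header = struct.pack("<4sB4sBHH8sHHHHH", SMB1_MAGIC, SMB_COM_NEGOTIATE,
                         b"\x00" * 4, 0x98, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    params = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = header + struct.pack("<B", word_count) + params + struct.pack("<H", 0)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    # Sanity-check the parser on the constructed replies, then probe any hosts given.
    assert classify_negotiate_response(constructed_smb1_reply(0)) == "smb1"
    assert classify_negotiate_response(constructed_smb1_reply(NO_DIALECT, 1)) == "smb1-refused"
    for host in sys.argv[1:]:
        print(f"{host}: {probe_smb1(host)}")
```

Run it as `python smb1_probe.py host1 host2 ...` (the filename is assumed). A host answering `smb1` still accepts the protocol EternalBlue speaks and should have SMBv1 disabled (`Set-SmbServerConfiguration -EnableSMB1Protocol $false` on Windows 8.1/Server 2012 R2 and later) regardless of patch level; `none` from a host that is up is the usual Windows behavior when SMBv1 is off, since it simply closes the connection. The probe establishes only which hosts expose SMBv1, not whether MS17-010 is installed, so a host reporting `smb1` still needs a patch-level check before it is considered safe.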
RobbinHood · EternalBlue · city government · ransomware recovery · NSA exploit