On May 7, the city government computers in Baltimore, Maryland, got hit by the RobbinHood file-locking virus, a type of ransomware that puts a digital key onto a server, making it impossible to access. A ransom note accompanied the hack, promising to deliver that password.
The price? Three bitcoins per computer (as of Tuesday evening, one bitcoin was worth approximately $8,700). The virus has infected about 10,000 of the city's computers, Vox noted. The city is refusing to pony up, and its government functions, from paying bills to answering emails from citizens, have all ground to a halt.
"We've [been] watching you for days and we've worked on your systems to gain full access to your company and bypass all of your protections," the ransom note said, according to the Baltimore Sun. "We won't talk more, all we know is MONEY! Hurry up! Tik Tak, Tik Tak, Tik Tak!"
This is the second time the city has been hit with a ransomware attack in the past 15 months. A March 2018 attack shut down Baltimore's 911 emergency system for about a day, the Sun noted.
Similar attacks to this one, however, have hit Greenville, North Carolina, and Atlanta, Georgia, in recent years, Sputnik reported.
RobbinHood was delivered via the EternalBlue exploit, one of the NSA hacking tools stolen in the infamous Shadow Brokers heist in 2017, Ars Technica noted. While Microsoft released a patch protecting against the malware after being alerted by the NSA, Ars Technica noted that over a million computers worldwide still use the computer protocol exploited by tools like EternalBlue and its related malware worms, WannaCry, and NotPetya. Thousands of those computers are "part of the networks of US school districts; many more belong to local governments, law enforcement organizations, state universities, community colleges, and other public institutions," the outlet wrote.
Jeffrey Carr, cybersecurity consultant, author of "Inside Cyber Warfare" and founder of Suits and Spooks, told Radio Sputnik's By Any Means Necessary Tuesday "it's extremely difficult for anything to be secured 100%," noting that the NSA is far from the only institution struggling with security issues.
However, Carr cautioned against drawing parallels between cybersecurity tools and weapons of mass destruction when arguing in favor of structures that could regulate entities and programs that produce and utilize cyberweapons like those used against the Baltimore government.
"The problem, of course, is when you're talking about a nuclear weapon, you're talking about very-difficult-to-obtain materials and materials that can be easily controlled and tracked. When you're talking about code — it's not even apples and oranges anymore; there's no way that you can treat software the same way you treat uranium-235, for example," Carr said, noting it's not a practical argument to make.
"Perhaps there are ways to change when a government agency is legally — and it's perfectly legal for the NSA to have these tools, any government agency that's in this line of work has them, regardless of country — but maybe there is a way to sort of improve it so that it can't be operated when it's not on a particular device," Carr said, "or some other controls that a programmer can devise to make it useless on any machine. It's like a piece of malware created for Microsoft Outlook doesn't work in Apple iMail, so there may be some ingenious programmers out there who can come up with a software solution to make these tools unusable if they're outside of the NSA's network."
"But I think that we've just found ourselves today with all the conveniences of a digitally connected world with the associated risk of making it easy for bad actors to cause lots and lots of mayhem," Carr told hosts Eugene Puryear and Sean Blackmon, "but I don't think there's any getting away from that."
However, Carr didn't retreat from blasting the Baltimore government's neglect of basic cybersecurity maintenance. "There's no excuse for that," he said, but basic "cyber hygiene" principles like keeping programs up to date and following best practices when handling data and devices connected to the network "can be improved… and make it harder next time. But that's all you're really doing is making it harder, cost more, with an attacker."
"The onus should be on the individual city, state, government or organization to do as much as they can and not look to the federal government," Carr said, noting the federal government has enough problems securing its own systems. "Leave the federal government out of it."