The hackers purportedly behind the Baltimore ransomware attack may be attempting to boost the pressure on the city to pay up, as they have tweeted out some possibly sensitive information. Separately, researchers have determined that the NSA hacking tool EternalBlue was not used in this attack.
Eric Sifford, security researcher with Armor’s Threat Resistance Unit, and Joe Stewart, an independent security consultant working with Armor, said there are no elements of the EternalBlue exploit in the Robbinhood ransomware code used against Baltimore. The two also analyzed several documents tweeted out by the attackers and found they do belong to Baltimore and could have been removed from its system.
“One of the documents indicates that it has been scanned/copied on May 4, 2019 and pertains to a June 2018 court case where the mayor and City Council of Baltimore City are being sued by an individual. The other document appears to have been copied/scanned on April 23, 2019 and pertains to a worker’s comp medical file which went to the City of Baltimore,” Sifford wrote.
Baltimore’s networks were locked up by the ransomware attack on May 7, which could mean the malicious actors were in the city’s network well before triggering the encryption.
These tweets did convince Sifford and Stewart that the person or persons behind the tweets are responsible for the attack. In addition to showing confidential information, the attacker also tweeted insults at Baltimore Mayor Jack Young.
Baltimore officials estimated at a city budget meeting on May 29 that the attack could cost the city $18.2 million. About $4.7 million has already been spent. The Baltimore Sun obtained a copy of the ransom note which contained an a la carte demand list asking for 3 bitcoins, about $17,600, to decrypt individual systems or 13 bitcoins, about $76,000, to decrypt all the city’s systems.
“It is clearly an effort by the hacker(s) to prove they can decrypt the city’s files. This might be an opportunity for the Mayor and Baltimore’s incident responders to determine if the threat actors truly have the capabilities to unlock their data. As a cybersecurity expert, I generally recommend against paying a ransom; however, each case is unique in its totality, and I understand sometimes an organization’s leadership may decide their best option is to pay,” Sifford and Stewart said in a blog post.