EternalBlue believed to be behind crippling Baltimore attack

Baltimore has battled the effects of a ransomware attack that started May 7 and now it seems that a familiar culprit, the National Security Agency (NSA) EternalBlue tool, known to exploit some versions of Microsoft Windows XP and Vista, is behind the city’s misery, which has included a shutdown of many vital systems and services.

Although Microsoft released a patch for the vulnerability just one day after The Shadowbrokers hacking group published it in April 2017, EternalBlue has wreaked havoc through devastating cyberattacks such as WannaCry and NotPetya in 2017.

“The government has refused to take responsibility, or even to answer the most basic questions,” the New York Times, which first reported the EternalBlue connection, quoted Johns Hopkins University cybersecurity expert Thomas Rid as saying. “Congressional oversight appears to be failing. The American people deserve an answer.”

Rid said release of the tool was “the most destructive and costly NSA breach in history.”

In Baltimore’s case, the exploit was used May 7 to spread Robbinhood ransomware, shutting down most of the city’s servers and forcing the city council to cancel meetings. The ransom note which contained an a la carte demand list asking for 3 bitcoins, about $17,600, to decrypt individual systems or 13 bitcoins, about $76,000, to decrypt all the city’s systems.

A week later, security firm Armor came across a tweet that may contain information gleaned from the Baltimore’s network.

Eric Sifford, a security researcher with Armor’s Threat Resistance Unit, found a tweet dated May 12 containing usernames, passwords and other possibly sensitive information that appears to be related to Baltimore. The company didn’t release the handle of the newly created account, but it did say in a blog the name contained the word Robbinhood, the name of the ransomware variant used in the attack.

Baltimore’s city council created the Committee on Cybersecurity and Emergency Preparedness to examine how the municipality dealt with the attack, but didn’t offer an ETA on when full services will be restored. The lone bright spot has been that the city’s emergency services sector was not hit.

The services affected include paying some utility bills, property taxes, real estate transactions and the city has been unable to pay some contractors for work completed.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.