
Chinks in the armour

Public facing systems around the world must tighten security and put together disaster recovery plans

Devangshu Datta New Delhi
4 min read Last Updated : May 23 2019 | 8:51 PM IST
Baltimore in Maryland, USA, is becoming a test case for cyber-ransom. The Baltimore municipality has a population of about 600,000 and it’s the hub of a metropolitan conglomeration of 2.8 million. On May 7, hackers took control of municipal computer systems. They seized control of 10,000-odd municipal computers and encrypted access to the servers. 

Hence, government email systems are down, payments to the city departments can’t be made except by cash, and real estate transactions, birth and death certificates, and so on can’t be processed. The city has been forced to resort to paper transactions to keep municipal services running.

The hackers demanded 13 bitcoin — worth roughly $100,000 — to give the city access via a digital key that will unlock three key servers. Since the municipality has refused to pay on principle, it will take millions to get systems up and running again and of course, the disruption has caused massive loss as well. 

This is the 20th detected cyber-ransom attack on municipal systems in the US alone in 2019. Baltimore was hit earlier, in March 2018, by an attack that knocked the 911 emergency responses offline for a day. That same month, Atlanta, Georgia, suffered losses of $17 million and took several months to recover from a cyber-attack.

The concept is simple. The hackers enter a network, and encrypt data on it. They may use various means to gain access, and various types of programmes to do this. Then, they ask for money (payable in bitcoin, or some other cryptocurrency) to decrypt the network. 

The victim must take a call on the costs of reloading from scratch versus paying up (assuming the attacker will decrypt the data). If there’s a disaster recovery plan in place, with full backups, it may be possible to ignore the cyber-attack. But that in itself costs money.

Initially, cyber ransom attacks focussed on businesses, and any business is, of course, still at risk. But hitting a municipality, or some other public service, has become much more popular. There are several reasons why municipalities are tempting and soft targets.

Businesses often have high security and backups in place. Municipal systems are, by definition, designed to interface with the public and usually have lower security. They are often accessible from thousands of machines used by under-trained clerical staff. Gaining access is easier. It’s hugely politically embarrassing for a municipal system providing critical services to be knocked offline. This makes payoffs more likely.

Encrypting is a relatively easy task. It is gaining access that’s difficult. Encryption utilities often come pre-loaded with modern operating systems, for the legitimate user’s security and privacy. It’s also possible to create malware that does the job. It may be plain impossible to decrypt data locked up with a well-designed encryption programme. 

Baltimore has been hit by “RobbinHood”, which encrypts servers running a system and requires a digital key to access the servers. RobbinHood uses a combination of public and private keys to do the encryption. The user receives a message with details of how to contact hackers for payment, and decryption “services”. Bitcoin-style cryptocurrencies are hard to trace and easily converted into multiple currencies.

In Baltimore’s case, the hackers threatened to escalate the demand by $10,000 for every additional day and also claimed data would be unrecoverable after 10 days. That deadline has long passed. The city will have to rebuild networks and figure out how malware was introduced.

There’s a lesson here for municipalities around the world. Not only must security be tightened. Disaster recovery plans must be introduced as well, as a contingency measure. Public facing systems, accessed by millions, will inevitably have gaps in security. 