July 2, 2019
CBI Security Alert: Lessons Learned from the Baltimore Ransomware Attack

Team CBI is keeping a close eye on the status of the ransomware attack that’s taking place in Baltimore. It’s a tough situation with valuable lessons to be taken away for municipalities and enterprises alike.

In case you missed it, a still-unidentified group of hackers breached the City of Baltimore’s IT infrastructure in a cyberattack using ransomware known as “RobbinHood,” which leverages the NSA-developed EternalBlue exploit. The attack has left key functions like email, phone, online payment and all other digital civic services at a complete standstill for the past couple of weeks while the hackers control the city’s systems.

The hackers have demanded payment of 13 Bitcoins, currently valued at well over $100,000, to relinquish control of Baltimore’s networks. City of Baltimore officials, however, refuse to negotiate with the hackers, instead implementing manual workarounds that will take an unknown amount of time and taxpayer money to complete. The situation in Baltimore has become so dire that city officials are imploring Maryland Governor Larry Hogan to declare the situation an emergency qualifying for federal disaster relief funding.

To Pay, Or Not To Pay?

While the decision not to engage or negotiate with the hackers is potentially admirable in spirit, the city of Baltimore makes it from a weak bargaining position that leaves the city vulnerable and leaves citizens on the hook for the cost of repairs. No one wants to negotiate with the enemy or give in to a bully. But will one or two cities refusing to pay this kind of ransom put the bad guys out of business? No way.

The bottom line is that these attacks will continue, and it is highly likely that we will continue to see a higher percentage of people paying the ransom than those who don’t. With that in mind, our recommendations and best practices revolve around preventing such ransomware attacks from happening in the first place and mitigating the impact if one does occur.


Lessons Learned And Recommendations

Contingency Planning

There is so much that needs to be factored into this type of negotiation decision. How critical is the data? How would human lives be impacted? Could the organization go out of business? Does the ransomware group we’re dealing with consistently provide the decryption key after payment? Companies need to anticipate these questions and have a plan already in place in the event of an outbreak.


Backups are a critical defense measure against ransomware. It is imperative to make sure your backups are not only configured and segmented properly, but also thoroughly tested through exhaustive restoration testing processes.


The Baltimore attack is similar to a SamSam cyberattack executed against the city of Atlanta in 2018. That attack cost the city of Atlanta approximately $17 million to recover control and get back online. A critical difference, however, is that the city of Atlanta had an insurance policy in place to cover the costs of such an attack, while Baltimore does not. An insurance policy takes the burden of recovery off the shoulders of taxpayers or other key constituents.


CBI also recommends to many of our customers that they set up a ransomware escrow. That could alleviate the problem most companies face when they get hit, i.e., how much are they willing to part with to get their files back if they need to pay the ransom? Establishing a maximum escrow/ransom payment in advance makes it easier to decide what to do when an attack happens.

Incident Response Readiness Assessments

While these are all great response measures, it’s best to cut off a ransomware attack before it strikes. Find a trusted cybersecurity company like CBI that conducts Incident Response Readiness Assessments. These assessments are designed to help customers evaluate their current capabilities and enhance their overall program to better respond to probable attack vectors. Ransomware is usually one of the scenarios established and tested during the tabletop exercise phase of this assessment.

About the Author
CBI, A Converge Company
CBI, A Converge Company, is a leading cybersecurity advisor to many of the world’s top tier organizations. Founded in 1991, CBI provides innovative, flexible and customizable solutions that help ensure data is secure, compliant and available. We engage in an advisory-led approach to safeguard our clients against the ever-changing threat landscape—giving them comprehensive visibility into their entire security program and helping them avoid cyber challenges before they can impact their data, business and brand. We are dedicated to the relentless pursuit of mitigating risks and elevating corporate security for a multitude of industries and companies of all sizes.