Baltimore anticipates 90 percent recovery from ransomware by week’s end

Baltimore officials say the city is steadily recovering from the May 7 cyberattack by the RobbinHood virus, sticking to an estimate of $18 million in damages.
Getty Images

Baltimore officials said Tuesday that the city’s 10,000 municipal employees are gradually regaining access to their government email accounts in the wake of a ransomware attack, with as many as 90 percent getting back online by the end of the week.

Sheryl Goldstein, a deputy chief of staff to Mayor Bernard C. “Jack” Young, said during a city hall press conference that the Baltimore City Office of Information and Technology has made a “big push” in the past week to rebuild servers and issue new credentials to the city’s workforce as it continues to repair the damage caused by the RobbinHood virus, which infected city systems May 7, encrypting computers and servers unless officials paid a 13 bitcoin bounty.

Goldstein also said BCIT’s workforce is split into two functions in addressing the ransomware attack. One team is focused on the forensic investigation of how the malware entered the city’s networks and how widely it spread. She said the city is working with outside cybersecurity experts and the federal government, though on Monday U.S. Sen. Chris Van Hollen, a Maryland Democrat, said Baltimore should “more fully” engage the Department of Homeland Security as it investigates the cyberattack.

The rest of BCIT is working on the recovery, Goldstein said, including the re-authentication of city employees to access their email accounts and other restored applications. When asked by a reporter why Baltimore Chief Information Officer Frank Johnson was not at the press conference, Goldstein said “he’s working.”


But despite the progress, many of Baltimore’s digital services remain offline, including the processing of real-estate transactions and billing for city-owned utilities. The city has resorted to issuing paper liens to get home sales moving again, and the city’s public works director said Wednesday that while his department cannot issue or receive water bills online, residential water meters are continuing to take readings.

Baltimore officials are also sticking to an estimate that the total cost of the RobbinHood attack could top $18 million, the city’s finance director, Henry J. Raymond, said Tuesday. About $10 million of that sum will cover replacement hardware and software and additional personnel, with the remainder coming from lost or delayed revenue. But Raymond said the cash-strapped city will be able to weather the costs.

While far from ideal the situation has been manageable,” he said. “We do not foresee any impact on our 2020 budget.”

One reporter, citing the $18 million figure, asked Goldstein why the city does not consider paying the ransom — currently about $104,000 — as some businesses affected by ransomware do. Goldstein deferred to the advice Baltimore has received from federal authorities, who as a rule tell ransomware victims not to pay up.

“The data shows you have less than a 50-50 chance of getting your data back if you pay the ransom,” she said. “In addition, the long-term issue is how the city moves forward to protect its IT infrastructure.”


The Baltimore officials on Tuesday did not bring up the disputed reporting that a leaked National Security Agency exploit known as EternalBlue was used in the Baltimore attack. Since the New York Times reported May 25 that EternalBlue was used to spread the RobbinHood malware across Baltimore’s systems, federal officials and lawmakers have said otherwise, including Van Hollen and fellow Maryland Democrat Rep. Dutch Ruppersberger.

“It’s the federal government’s view that EternalBlue was not involved in the ransomware attack in Baltimore City,” Van Hollen told CyberScoop on Monday following an NSA briefing on Capitol Hill.

Maryland’s congressional delegation also put out a joint statement Tuesday warning against speculation about the ransomware incident.

“We are all concerned about the reported leak of cyber tools and the potential for serious damage to American cities and companies,” the statement read. “When it comes to the ransomware attack in Baltimore, we all want to know, ‘who’ and ‘how. Yesterday, we heard that current evidence suggests the city’s network was infected via a phishing effort by malware known as RobbinHood. We urge against further speculation until the investigation is complete and look forward to sharing more as we learn more. We are grateful for the FBI’s ongoing efforts and plan to fully engage with DHS to strengthen systems in Baltimore and across the country to keep this from happening in the future.”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts