Baltimore ransomware nightmare could last weeks more, with big consequences

Baltimore’s bill for ransomware: Over $18 million, so far

Baltimore City Hall, where the ransomware battle continues. (credit: Alex Wroblewski/Getty Images)

BALTIMORE—It has been a month since the City of Baltimore’s networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard “Jack” Young and his cabinet briefed press on the status of the cleanup, which the city’s director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.

“All city services remain open, and Baltimore is open for business,” Mayor Young said at the briefing, listing off critical services that had continued to function during the network outage. City Finance Director Henry Raymond called the current state of


Baltimore ransomware perp pinky-swears he didn’t use NSA exploit

Oh, Baltimore. (credit: Alex Wroblewski/Getty Images)

Over the past few weeks, a Twitter account that has since been confirmed by researchers to be that of the operator of the ransomware that took down Baltimore City’s networks May 4 has posted taunts of Baltimore City officials and documents demonstrating that at least some data was stolen from a city server. Those documents were posted in response to interactions I had with the ransomware operator in an attempt to confirm that the account was not a prank.

In their last post before the account was suspended by Twitter yesterday, the operator of the Robbinhood account (@robihkjn) answered my question, “Hey, so did you use EternalBlue or not?”:

absolutely not my friend

The account was shut down after its operator posted a profanity and racist-tinged final warning to Baltimore City Mayor Bernard “Jack” Young that he had until June 7 to


Eternally Blue: Baltimore City leaders blame NSA for ransomware attack

Baltimore: An IT disaster area? (credit: Cyndi Monaghan via Getty Images)

The mayor and city council president of Baltimore are pushing for the ransomware attack that brought Baltimore’s city government to a standstill to be designated a disaster, and officials are seeking federal aid to help pay for the cleanup from the RobbinHood malware’s damage. This call came after a New York Times report that the ransomware used the EternalBlue exploit developed by the National Security Agency to spread across the city’s network.

EternalBlue was part of a set of tools developed for the NSA’s Tailored Access Operations (TAO) group that were leaked by Shadow Brokers in 2017. The tool was then used two months later as part of WannaCry, the destructive cryptographic worm that affected thousands of computers worldwide. Shadow Brokers has been linked by some security experts to a Russian intelligence agency; WannaCry has been attributed


Trump gives Barr authority to declassify anything in campaign “spying” probe

Trump’s memorandum to agency heads gives Attorney General William Barr authority to declassify or downgrade classification of anything he sees fit in his investigation into “intelligence activity” around the 2016 presidential election. (credit: Chip Somodevilla/Getty Images)

Late in the day on May 23, President Donald Trump signed a memorandum ordering the heads of the Departments of Defense, Energy, and Homeland Security, and the Directors of National Intelligence and the Central Intelligence Agency to give Attorney General William Barr unfettered access to information about “intelligence activities relating to the campaigns in the 2016 Presidential election and certain related matters.” The memorandum gives Barr the authority to declassify or downgrade the classification of any information he sees fit as part of the investigation.

Barr’s investigation is not into electoral interference by foreign actors during the 2016 presidential campaign, but rather into whether US law enforcement and intelligence illegally spied on


Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak

The National Security Agency headquarters in Fort Meade, Maryland. (credit: National Security Agency)

One of the most significant events in computer security came in April 2017, when a still-unidentified group calling itself the Shadow Brokers published a trove of the National Security Agency’s most coveted hacking tools. The leak and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide made the theft arguably one of the NSA’s biggest operational mistakes ever.

On Monday, security firm Symantec reported that two of those advanced hacking tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. An advanced persistent threat hacking group that Symantec has been tracking since 2010 somehow got access to a variant of the NSA-developed DoublePulsar backdoor and one of the Windows exploits the NSA used to remotely


Spot the not-Fed: A day at AvengerCon, the Army’s answer to hacker conferences

Participants in AvengerCon III, held at the McGill Training Center at Fort Meade, Maryland, on November 27 take part in a lock pick village put on by TOOOL (The Open Organisation of Lockpickers). (credit: US Army)

FORT MEADE, Maryland—Late last year, I was invited to a relatively new hacker event in Maryland. Chris Eagle, a well-known researcher in the field of malware analysis and author of The IDA Pro Book, keynoted it. There were a number of really good talks at all levels of expertise, a couple of “Capture the Flag” (CTF) hacking challenges, and all the other typical hallmarks of a well-run hacker conference.

But this event, AvengerCon III, proved to be distinct in a number of ways from the BSides conferences and other events I’ve attended. The first difference was that keynote: Eagle, a senior lecturer at the Navy Postgraduate School, shared some news about
