Chokehold on Baltimore: malware

Sven Krumrey

Imagine being locked out of your files. It's a nightmare! By now, ransomware has outstripped viruses and other malware. Ransomware offers a straightforward means of blackmailing victims and, if you don't pay, you'll never get your files back. That's enough to make end-users break out in a sweat. But it's not just end-users but also small city administrations, schools, government authorities and hospitals that are being targeted. Latest victim: the city of Baltimore. And once again, the NSA is somewhat involved too (even though they likely won't have a bad conscience) because, guess what, they supplied the tool.

Chokehold on Baltimore

When cities roll with the times, we all benefit. Whether we're checking opening hours online, making appointments, asking questions via email or downloading PDFs for printing, online connectivity is usually a good thing. But this openness is not without danger. Contact with citizens through multiple channels means multiple attack vectors, including malware-infested emails opened by clueless civil servants. That's exactly what happened on May 6th, when ransomware ate its way through thousands of computers of Baltimore's city administration, rendering important files inaccessible. The malware then spread from PR to other departments, until staff members took thousands of PCs off the network. It was already too late! According to present knowledge, the city of Baltimore can now either pay the ransom or reinstall all affected PCs – and live with any data loss incurred. At present, it is fairly unlikely the files can be decrypted through other means.

That's why the city of Baltimore's website currently states that email communication is no longer possible. It's back to good old telephones for them. More importantly, e-payment options are also highly limited, meaning the city has to settle its utility bills the old-fashioned way! The blackmailers are not only threatening to keep the affected files locked but also to delete them completely. So far, no ransom has been paid, which is also what the FBI recommends. There's no guarantee that the files would become usable again or that the malware would completely disappear from the affected machines. Once you give in to extortion, you'll always be a target! Then, there's a moral component: Should governments negotiate with extortionists – and make their crimes worthwhile?

[Image: Notice on the city of Baltimore's website]

Naturally, blackmailers want to get paid but avoid capture at the same time. That's why they rely on cryptocurrencies. The ransom for Baltimore's files currently amounts to 13 Bitcoins, roughly equaling $100,000, not a huge amount compared to what large companies generate. Maybe they've checked the city's financial standing beforehand. Still, ransom fees frequently go up as time progresses, with a believed $10,000 increase per day. At least the attackers offer an installment plan – it doesn't happen every day that you come across such accommodating criminals. And they also seem to have a sense of humor. After their initial "We won't talk more, all we know is MONEY!", they entered into a dialog with the city administration, promising to take data protection very seriously. This would bring a smirk to my face, if only it wasn't an entire city that is affected.

Others have paid and regained access to their files. Some victims, like the city of Greenville in North Carolina, took the opportunity to rebuild their entire IT infrastructure. Good idea, since most communities are still running on hopelessly outdated and poorly maintained hardware. Easy pickings for the "Shadow Brokers", as the attackers call themselves. Who exactly had a hand in this is still unclear, but there are the usual (unconfirmed) suspects, i.e. Iran, Russia, China and North Korea. The "New York Times" cited unnamed security experts who believe the software used in the attack to have been developed by the NSA, the "Tailored Access Operations" group (T.A.O.), to be precise. Dubbed "EternalBlue", it exploited a security vulnerability in Windows to break into PCs. After five years of "successful operation", the software leaked to the Internet in April 2017 and found its way into the hands of hackers. Now the US is being blackmailed with the help of its own tools. Oh, the irony.

What can you do when important files are encrypted?

So is there no hope against EternalBlue? Believe it or not, you're most likely in the clear. Microsoft already issued a patch for the vulnerability two years ago, and it's likely installed on the majority of end-user PCs. Security services had graciously informed Microsoft of the risk after just five years. What a noble gesture! This means all presently affected PCs have not been updated for two years straight. I'd surely love to have a word with the admins in charge! By the way, the NSA declined to comment or assume a scintilla of responsibility, even though the hacks cost taxpayers millions in 2018 alone, with no end in sight for 2019.

Whichever way the crisis in Baltimore will play out, it should give us pause. How can a government institution keep a massive security risk that affects all Windows users under wraps for five years? Why, after two years, is there still no binding policy to stamp out this vulnerability on all publicly accessible network PCs? Vulnerabilities are still being marketed to intelligence agencies in the dark corners of the web and buyers have little to no incentive to disclose them. Does the need to gain intelligence outweigh the security needs of the general public? We'll see what happens once other state-approved hacking tools fall into the wrong hands!

What I would like to know: What do you think about the NSA's practices? Is it okay to keep massive security risks a secret in the interest of intelligence?
