Baltimore’s bill for ransomware: Over $18 million, so far

Baltimore City Hall, where the ransomware battle continues.
Alex Wroblewski/Getty Images

BALTIMORE—It has been a month since the City of Baltimore’s networks were brought to a standstill by ransomware. On Tuesday, Mayor Bernard “Jack” Young and his cabinet briefed press on the status of the cleanup, which the city’s director of finance has estimated will cost Baltimore $10 million—not including $8 million lost because of deferred or lost revenue while the city was unable to process payments. The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds.

“All city services remain open, and Baltimore is open for business,” Mayor Young said at the briefing, listing off critical services that had continued to function during the network outage. City Finance Director Henry Raymond called the current state of systems “not ideal, but manageable”—some emails and phone services have been restored, and many systems have remained online, but payment processing systems and other tools used to handle transactions with the city remain in manual workaround mode. Department of Public Works Director Rudy Chow warned residents to expect a larger-than-normal water bill in the future, as the city’s smart meters and water billing system are still offline and bills cannot be generated.

Parking tickets and tickets generated by the city’s speed and red light cameras can be paid in person if the ticket is in hand. The city has regained the data for all parking and camera-generated violations up to May 4, but it still lacks the ability to look up violations without the physical paper ticket or process payments electronically, city officials said. And the same is true for many other interactions with the city, which currently require mailing or hand-delivering paper documents and manual workarounds.

City employees are being required to report in person to receive new network and email credentials, presenting a city ID before being allowed to get new passwords. With more than 10,000 city employees needing to go through the process and scattered at offices around the city, the mayor’s deputy chief of staff for operations, Sheryl Goldstein, said that despite it being a time-intensive process, Baltimore City’s Office of Information Technology (BCIT) was working around the clock to make it happen. “It’s been a big push since last week, re-authenticating users,” she said, adding that most city employees should have their login credentials reset by the end of this week.

Writing it off

Despite the growing bill that comes with recovery, Goldstein noted that the city had been discouraged from paying the approximately $70,000 ransom by the Federal Bureau of Investigation. “Even if you pay, you still have to go into your system and make sure they’re out of it,” he said. “You can’t just bring it back up and believe they are gone… we would bear much of these costs regardless.”

According to city officials, Baltimore’s IT organization has already purchased more than $1 million in new hardware from Dell under an existing contract. And using a provisional staffing contract, the city has begun to bring in temporary workers to help in malware cleanup. It’s not clear whether the cost of that labor has been fully accounted for in the $10 million Raymond said would be spent on the cleanup itself.

Some of those temporary workers making up the city’s “recovery team” reported for duty on Monday. That effort is running in parallel with the forensic efforts of BCIT, the FBI, and consultants brought in by the city—many of them under emergency contracts that have not yet been made public through the city’s purchasing department and Board of Estimates. Forensic analysis, Goldstein said, may take months, and then the city will review with the FBI and others what can be publicly disclosed about the attack given it is now tied to a federal criminal investigation.

Additionally, there was no mention of other potential hidden costs the city might face as a result of the data breach connected to the ransomware attack. As Ars reported, a Twitter account connected to the ransomware operator posted documents taken from a Baltimore City file server as proof of compromise, including documents from ongoing lawsuits against the city. These documents included personal identifying data, health data, and other sensitive information. That cost could end up being substantial down the road, though the cost may be borne by citizens themselves, in the form of identity theft and other fraud.

Based on a study by the secure collaboration service provider Egnyte, the cost associated with a data breach is, on average, $148 per lost record. Kris Lahiri, Co-Founder & Chief Information Security Officer of Egnyte, said, “While it is hard to pinpoint an exact cost without knowing more details about their data set, we do know that Baltimore has a population of over 600,000, so if even 25% of their records were breached, that would carry a cost of $22 million – well over the estimated $10 million.” And some of that cost could be from intangibles related to the breach, such as a loss of trust in the organization. So far, the breach has not affected the city’s bond rating or lending costs.

There’s been no further word on whether the city or Maryland Governor Larry Hogan have officially requested the federal government to provide disaster assistance to help pay for the ransomware cleanup. Baltimore City Council President Brandon Scott, who will chair a committee reviewing the ransomware incident, published a statement last week calling for the governor to declare a disaster and request funding.

https://arstechnica.com/?p=1517119