The Baltimore City Council’s budget committee approved $10 million in spending Thursday to cover the ongoing costs of the city’s recovery from a ransomware attack that disabled IT systems throughout the city government. The unanimous vote represented the first step in paying the bills associated with regaining access to encrypted files and upgrading compromised computers in the wake of a cyberattack that has hamstrung the city’s operations since early May.
Baltimore has been gradually rebuilding its networks and applications since May 7, when it was infected with the ransomware virus known as RobbinHood, which knocked out several services, including city employees’ emails, phone lines, online payments and billing from municipally owned utilities. While email and phone systems were restored within a month of the initial infection, billing and online payments have only started to creep back to life in the last few weeks. On Wednesday, Baltimore residents started receiving reminders that their August water bills will include charges for the months missed due to the ransomware incident.
The full council is expected to approve the $10 million outlay next month, though more than half of that sum has already been spent on cybersecurity consultants, new equipment and staff overtime, according to a fact sheet on the city’s website. Of the money spent so far, $2.8 million has gone to six technology firms, including Microsoft and FireEye, which dispatched consultants to conduct forensic analyses and assist in the “hardening overall and overall protection” of the city’s IT infrastructure. The city has also spent $1.9 million on new hardware and software to replace systems impacted by the attack.
While the council is ready to approve $10 million in new IT costs, the city has pegged the full cost of the attack at $18 million when lost revenue is factored in. The hackers behind the RobbinHood malware had demanded payment of 13 bitcoins — about $76,000 at the time of the attack — which Baltimore’s leaders refused to pay. The city’s fact sheet explains that it was advised to refuse to pay the ransom, but that even if it did, it would still have to make significant expenditures to secure its computing environment.
“First, we were advised by both the FBI and Secret Service not to pay the ransom,” the fact sheet states. “Second, that is not how the City of Baltimore operates; we do not reward criminal behavior. Also, paying the ransom does not make the recovery process cheaper or faster. Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment.”
Baltimore officials had been warned years before the ransomware incident that the city’s aging IT was a “natural target” for a cyberattack. But even as of May, the city’s IT department did not have a disaster response plan to deal with an incident like the RobbinHood virus, Baltimore Chief Information Officer Frank Johnson admitted to the budget committee Thursday, the Baltimore Sun reported. Johnson told council members it could take at least nine months to draw up a formalized plan.