‘RobbinHood’ ransomware knocks out city services in Baltimore

Email and phone lines at some agencies have been shut down, and the city has turned off other servers as it investigates.
Getty Images

Officials in Baltimore said Tuesday the city was the victim of a ransomware attack that has knocked out several services, including municipal employees’ emails, phone lines and online bill payments. Mayor Bernard C. “Jack” Young said the city has also shut down the majority of its computer servers “out of an abundance of caution.”

The city’s Department of Public Works noted the email outage shortly before 9 a.m., when it tweeted that its server was down.

Four hours later, the department said its customer support phone lines were out of service, cutting off its ability to field calls about water bills. It also lost the ability to process payments by its customers in both the city of Baltimore and surrounding Baltimore County


Employees from the city’s finance department stationed themselves outside Baltimore’s main municipal office building to inform residents in person about the technical outages. The city has also temporarily waived late fees on water bills that are currently unable to be paid.

The incident marks the second time in as many years that Baltimore has fallen prey to a cyberattack. The city’s 911 and 311 systems were hacked in March 2018, forcing dispatchers to take manual notes on emergency calls for several days.

Baltimore officials said Tuesday that 911, 311 and public safety agencies were not affected by this latest incident. The city also said no personal data has been compromised. Dave Fitz, a spokesman for the FBI’s Baltimore field office, told StateScoop the bureau’s Cyber Division is assisting the city in its response to the cyberattack, but declined to provide any additional details on the investigation.

Lester Davis, a spokesman for Young, told the Baltimore Sun that officials had identified the malware responsible for the attack as RobbinHood, a newer ransomware variant that hit the city of Greenville, North Carolina, last month. Davis and other officials could not be reached for additional comment.

Security researchers have still not figured out how RobbinHood penetrates a network or from where it originates. According to Bleeping Computer, it typically leaves a ransom note informing the victim its network has been encrypted using an RSA algorithm. It then demands a payment of either 3 bitcoins to regain access to each affected system or 13 bitcoins — about $76,531 as of this writing — for the entire network, but that the penalty will increase by $10,000 daily after the third day the ransom is not paid.


According to the Sun, Baltimore officials found a note on their network Tuesday morning that was written in broken English and worded rather aggressively: “Hurry up! Tik Tak, Tik Tak, Tik Tak!”

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts