For three weeks now, the computers at Baltimore’s city administration have been held as virtual hostages. They have been infected with ransomware that relies on the “EternalBlue” malware developed by US military intelligence service the NSA.
The extortionists are demanding a ransom of 13 bitcoins, which converts into roughly 100,000 dollars and which Baltimore is unwilling to pay. Consequently, numerous public services are currently not being provided as usual. And Baltimore is not alone. A recent article published in the New York Times last weekend reports that Allentown, Pennsylvania, and the Texan city San Antonio are among other cities that have already come under attack by means of EternalBlue.
In local governments, networks have grown organically, meaning that they tend to become tangled, while software is also often out of date. As a result, hacking weaponry such as the NSA tools dumped on the web in 2017 by the Shadow Brokers (a group whose members remain totally anonymous) makes it more than easy to infect targets – despite the fact that patches have long since been made available by software producers like Microsoft to cover the exploited vulnerabilities.
“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used,” complained Vikram Thakur, Director of Security Response at Symantec. Matthew Leibert – CIO at the city of Allentown, which was hit hard in February last year – described the malware used to attack his computers as “commodity malware”, bought on the dark web by cybercriminals who often don’t have a specific target in mind. “There are warehouses of kids overseas firing off phishing emails,” Mr. Leibert said, comparing the situation with criminals shooting military-grade weapons at random targets.
Although EternalBlue does not spread itself by way of email (rather via an outdated version of the SMB net protocol), phishing emails often enough serve as gateways for this and other similar malware to infect systems. That’s why these days it’s absolutely crucial to safeguard your email infrastructure as securely as possible – for instance using Retarus Email Security including ATP and our patented Postdelivery Protection. Of course, one always needs to make sure that all software remains totally up to date by installing patches as soon as they have been released and last, but not least, sensitizing users about handling their electronic mail with awareness and good sense.
Update from June 5, 2019: The Baltimore blackmailer has announced via a Twitter account (which has since been suspended) that he did not use EternalBlue, according to «Ars Technica». The allegation cannot be verified at this stage.