Monday, June 03, 2019

Bitcoin-Enabled Ransomware Attack Strikes Baltimore

Last month, the city of Baltimore became the latest target of a ransomware attack.  The city's Microsoft operating systems were held hostage by a group that demanded 13 bitcoins, which at the present rate of exchange is about $100,000.  Despite their inability to repair all the damage after nearly a month, Baltimore administrators refuse to pay the ransom, and instead have asked the federal government for help.  According to some sources, the malware used for the attack was developed at the U. S. government's National Security Agency (NSA), and somehow it leaked and was posted by a group of hackers in 2017. 

Irony is usually found more in literature than in engineering, but this incident is particularly rich in them. 

The first irony is that a cyberweapon presumably developed to be used by the United States against its enemies was stolen, published worldwide, and used instead to attack the infrastructure of a major U. S. city. 

The second irony is that an idea traceable back to 1991, a chain of blocks developed originally just to prevent software timestamps from being tampered with, has turned into a means by which ransoms can be paid with no realistic hope of tracing where the money goes. 

And the third irony is that some eyebrows are being raised by the fact that the city of Baltimore is asking for help from the federal government. 

Let's do a little thought experiment and set the essential ingredients of this incident in an alternate universe which is just like ours, except there's no computer networks and so on.  Suppose a gang of paratroopers landed in Baltimore and made their way to the city offices, holding employees at gunpoint while they absconded with tons of files and records in a heavily armored vehicle.  Then the mayor received a ransom note demanding $100,000 for the return of the records.  Not only would a nationwide manhunt be mounted for these criminals, but the FBI and other federal agencies would get involved as a matter of course. 

But simply because the records and functions involved are on computers and not physical documents, attitudes and actions are vastly different here.  Now, admittedly some blame can be attached to those responsible for running Baltimore's IT systems.  Microsoft evidently does a fairly good job of sending out patches and updates in response to new viruses and malware, but these patches have to be implemented in a systematic and organized way.  And in the case of Baltimore's systems, this was not done.  In the world of our thought experiment, this amounts to not having enough armed guards surrounding your municipal buildings to fight off the attackers. 
While a certain amount of security is to be expected, nobody wants to have to do the equivalent of breaking into Ft. Knox in order to pay your city water bill. 

While I am not usually in favor of greater centralization of power and resources, in this case I think it is only fair for the federal government to help out Baltimore in their hour of need.  For one thing, the NSA never should have let its malware escape in the first place.  It would seem to be a fairly straightforward investigation to discover who was responsible.  But the NSA's workings are deliberately opaque and poorly supervised even by Congress, who pays the bills, and that sort of setup is an open invitation to laxity and inefficiency.  Perhaps this leak represents only 0.001% of everything that NSA has developed, most of which is still secret.  But in situations like this, even one leak can be too many.

As for bitcoins being used for ransomware payment, it makes a certain amount of perverse sense that a form of currency inspired by hyper-libertarianism is used mainly for two things nowadays:  speculation and illegal transactions.  It is an ill wind that blows nobody good, and bitcoins have benefited some people.  I may have mentioned a student of mine who managed to buy some bitcoins only a few years after they came out in 2009.  I don't know exactly what she paid, but by the time she graduated I think she had been able to pay for her entire college education with her profit in bitcoins. 

But is this advantage worth the social cost of having a virtually foolproof way of laundering money?  I leave that for the reader to decide.  It doesn't matter now, because bitcoins and their offspring are a permanent part of the cyberlandscape now. 

Perhaps the most troubling aspect of the Baltimore situation is the complete anonymity of the attackers, who could be, and probably are, anywhere in the world outside of the United States.  Prior to the Internet, the most significant threat the U. S. endured from outside its borders was the threat of intercontinental ballistic missiles carrying nuclear warheads, and billions of dollars were spent in an arms race that is in some ways still with us.  But now that anyone with sufficient skills can mount attacks on specific geographic entities in the heartland of the U. S. from halfway around the world, we still act as though it's just some sort of defect in a strictly local pile of computer networks, and treat the attackers much like an act of God—something that's always going to happen sooner or later, so you might as well just buy insurance and be ready when it happens.

Maybe that's the best approach.  Baltimore, as it turns out, did not have cyberinsurance, but the bond underwriters will soon see to that  So in the future we will go armed not with guards, but with insurance policies to buy experts who come in and fix our computer systems, just like roofers replaced my roof after a recent hailstorm this spring.  Complexity begets complexity, and if Baltimore and other cities consistently refuse to pay ransomware demands, perhaps the criminals will devise some other way to make ill-gotten gains.  I can hardly wait to see what they'll do next.  (That's irony, by the way.)

Sources:  I referred to articles at and the website at, as well as the Wikipedia articles "blockchain" and "bitcoin." 

No comments:

Post a Comment