Ashley Merson has been scrimping and saving for a house for four years. She paid off her debts, got her credit score up and finally was able to make an offer on a two-bedroom duplex house in Hampden -- and more than ready to leave her low-income apartment complex, where she, her young son and disabled brother squeeze into a one-bedroom.
But just as she was about to settle on that house, malware attacks on Baltimore City’s computer servers locked up the system, leaving her stuck in the apartment.
“The process of buying a house is so long and tedious anyway,” Merson, a 31-year-old nanny, said outside the Hampden home. “Waiting is tough.”
On May 7, hackers breached city servers with ransomware, making its digital content inaccessible. They demanded 13 Bitcoins -- worth around $100,000 today -- to relinquish their grip. Mayor Jack Young refuses to pay. The FBI and Secret Service are investigating, and the city has contracted with a series of experts to assist in restoring service.
But cybersecurity experts say it likely will take months for the city to recover.
In the meantime, the digital aspects of running the city remain at an impasse. Government emails are down, payments to city departments can’t be made online and real estate transactions can’t be processed.
People who are closing on Baltimore homes, like Merson, need the city’s lien system to confirm their potential properties have no outstanding debts and to officially confirm new deeds.
“As a result, there are no real property transactions being conducted in the city,” Finance Director Henry Raymond said during a news conference on Wednesday.
Until the system is restored or an alternative is provided, Merson can’t formally close on the unoccupied house she’s had under contract for more than a month -- meaning she’s stuck in her apartment.
Raymond has said that he hopes to have an alternative provided by late next week, but promised “no guarantees.” The Greater Baltimore Board of Realtors provided more specific details in a statement Wednesday, which said technicians have “determined the root of the problem in the data system compromised by the ransomware attack” and are working to restore it.
“The application of this remediation is truly untested waters,” GBBR’s statement cautioned.
Baltimore is not the only city to fall victim to malware attacks. This year alone, at least 21 municipalities and the Cleveland Airport have been attacked. The city of Atlanta was attacked with ransomware in March 2018 -- its digital civic services similarly ground to a halt.
The Atlanta Constitution-Journal reported it cost the city $17 million to recover.
Baltimore officials have hired experts to assist with service restoration. Citing the private nature of ongoing FBI investigations, officials have declined to identify those contractors. City Council President Brandon Scott founded a committee devoted to cybersecurity and emergency preparation, with Councilmen Eric Costello and Isaac “Yitzy” Schleifer serving as co-chairmen.
"I am not able to provide you with an exact timeline on when all systems will be restored," Mayor Young said in a Friday afternoon statement.
"Like any large enterprise, we have thousands of systems and applications. Our focus is getting critical services back online, and doing so in a manner that ensures we keep security as one of our top priorities throughout this process," his statement continued. "You may see partial services beginning to restore within a matter of weeks, while some of our more intricate systems may take months in the recovery process. "
City solicitor Andre Davis has said Baltimore officials have turned to their peers in Atlanta for advice on how to deal with the ongoing disruptions.
“I think the Atlanta attack of a year ago should have been an alarm for many other cities,” said Avi Rubin, a Johns Hopkins computer science professor and cybersecurity expert. “All you need is one link in the chain and that's what the attackers will go after.”
Links include vulnerabilities like old hardware and old software – both of which the city was using, Rubin said.
Rubin is also the director of the Health and Medical Security Lab at the university. When malware attacks became more common a few years ago, hospitals were hackers’ favorite targets -- medical records are very valuable and are time-sensitive because they are needed in order to treat patients.
Hospitals responded quickly to the threat of malware by bolstering cybersecurity, Rubin says, and are largely no longer affected by bad actors.
“However,” he said, “the city of Baltimore, like many local governments, was not at all prepared for something like this. And if it's never happened, it's only natural to say, ‘well, this type of thing has never happened before, so why should we spend a lot of money on it?’ ”
Rubin paints a grim picture of the depth of the cyberattack on Baltimore -- it’s “possibly the worst case scenario,” he said. “This is not something that's going to go away overnight or in a week. Five years from now this will be a bad memory hopefully. But I think in the next few months we're going to be dealing with this.”
That’s because RobinHood, the malware affecting the city, is deeply malicious.
Imagine if a group of masked thieves broke into City Hall and every other city department, and proceeded to load every single piece of data – documents like pending housing permits and deeds -- into boxes. Imagine they locked those boxes in a warehouse impenetrable without a unique key.
That’s the equivalent of what the RobinHood malware did to city servers, Rubin said.
“The data is encrypted,” he said. “It's encrypted with a cryptographic key, which is a software element. Without that key, you cannot get this data.”
And replicating that key without the hackers is impossible, says Rubin, who has testified about his field before Congress.
“I don't even think that the NSA would be able to break this algorithm,” he said. “It’s believed by the cryptographic community, both the theoreticians as well as the practitioners, to be unbreakable by today's technologies.”
Rubin agrees with Mayor Young’s decision not to pay the ransom for that key.
If no one attacked by malware paid the ransom, “these attacks would just completely go away,” he said.
Unfortunately, Rubin said, many private companies do quietly pay, which has encouraged hackers to keep up ransomware attacks.
One analysis from CyberEdge found that 45 percent of organizations hit with ransomware end up paying a ransom. Another from RecordedFuture found that at least 17 percent of state and local government entities pay.
With no key, Rubin said the city will have to build its servers from the ground up. That process will likely take months, he said, and will involve implementing new hardware and software and restoring any data the city may have backed up.
It’s unclear just how much data the city had backed up before the attack. Officials have said that the city does have some of its data backed up to a cloud. City Solicitor Andre Davis said at a news conference the law department has uploaded “not 100 percent” of its data to a cloud.
Technicians are combing through what data has been backed up to ensure the backups aren’t infected with Robinhood before they bring some systems back online.
Rubin said he doesn’t blame the cash-strapped city for spending money to prepare for cyberattacks of RobinHood’s magnitude. But it’s both easy and affordable, he said, for the city to have daily, hourly, or even backups every minute to a cloud service.
The possibility of losing a significant chunk of data because it was not backed up is “unconscionable,” he said.
Not being able to access city data has real-life implications for people like Merson, who also does not fault anyone in city government for failing to prevent the RobinHood attack. That doesn’t stop her from feeling frustrated that the city didn’t have a response plan to let would-be homebuyers like her carry on without delays.
“The fact that you have a completely unsustainable computer system with no plan in place for when something like this happens after watching it happen to countless other cities -- it's frustrating and disappointing,” Merson said.
The rent at her apartment complex will increase significantly “sometime in the near future,” she said.
If that happens while her family is stuck in limbo, Merson said, “then it's just going to be pretty crappy situation.”