Ransomware isn’t just a big city problem

Ransomware isn’t just a big city problem

This month, one ransomware story has been making a lot of waves: the attack on Baltimore city networks. This attack has been receiving more press than normal, which could be due to the actions taken (or not taken) by the city government, as well as rumors about the ransomware infection mechanism.

Regardless, the Baltimore story inspired us to investigate other cities in the United States, identifying which have had the most detections of ransomware this year. While we did pinpoint numerous cities whose organizations had serious ransomware problems, Baltimore, nor any of the other high-profile city attacks, such as Atlanta or Greenville, was not one of them. This follows a trend of increasing ransomware infections on organizational networks that we’ve been watching for a while now.

To curb this, we are providing our readers with a guide on how to not only avoid being hit with ransomware, but deal with the ransomware fallout. Basically, this is a guide on how not to be the next Baltimore. While many of these attacks are targeted, cybercriminals are opportunistic—if they see an organization has vulnerabilities, they will swoop in and do as much damage as they can. And ransomware is about as damaging as it gets.

Baltimore ransomware attack

As of presstime, Baltimore city servers are still down. The original attack occurred on May 7, 2019, and as soon as it happened, the city shut down numerous servers on their networks to keep them secure from the possible spread of the ransomware.

The ransomware that infected Baltimore is called RobinHood, or sometimes RobinHood ransomware. When a ransom note was discovered, it demanded a payment of $100,000 or about 13 Bitcoins. Much like other ransomware, it came with a timer, demanding that the victims pay up by a certain date, or the cost of recovering files would go up by $10,000 a day.

RobinHood ransomware is a newer malware family but has already made a name for itself infecting other city networks, as it did for the City of Greenville. According to a report from the New York Times, some malware researchers have claimed that the NSA-leaked exploit EternalBlue is involved in the infection process, however analysis by Vitali Kremez at Sentinel One does not show any sign of EternalBlue activity. Rather, the method of spreading the ransomware from system to system involves manipulation of the PsExec tool.

This is not the first cyberattack Baltimore has dealt with recently. In fact, last year their 911 dispatch systems were compromised by attackers, leaving the dispatchers using pen and paper to conduct their work. Some outlets have blamed the city’s historically inefficient network design on previous Chief Information Officers (CIOs), of which there have been many. Two of its CIOs resigned in this decade alone amidst allegations of fraud and ethical violations.


Baltimore aside, ransomware aimed at organizations has been active in the United States over the course of the last six months, with periodic spurts and massive spikes that represent a new approach to corporate infection by cybercriminals.

The below heat map shows a compounding effect of ransomware detections in organizations across the country from the beginning of 2019 to now.

Primary areas of heavy detection include regions around larger cities, for example, Los Angeles and New York, but we also see heavy detections in less populated areas as well. The below diagram further illustrates this trend: Color depth represents the overall detection amount for the state, while the size of the red circles represents the number of detections for various cities. The deeper the color, the more detections the state contains. The larger the circle, the higher number of detections in the city.

When we take an even deeper look and identify the top 10 cities in 2019 (so far) with heavy ransomware detections, we see that none of them include cities we’ve read about in the news recently. This trend supports the theory that it doesn’t require being surrounded by victims of ransomware to become one.

Wherever ransomware decides to show up, it is going take advantage of weak infrastructure, configuration issues, and ignorant users to break into the network. Ransomware is becoming a more common weapon to lodge against businesses than it was in years past. The below chart expresses the massive spike of ransomware detections we saw earlier in the year.

January and February are shining examples of the kind of heavy push we saw from families like Troldesh earlier in the year. However, while it seems like ransomware is dying off after March, we think more of it as the criminals taking a breather. When we dig into weekly trends, we can see specific spikes that were due to heavy detections of specific ransomware families.

Unlike what we’ve observed in the past with consumer-focused ransomware, where a wide net was cast and we observed a near constant flood of detections, ransomware focused on the corporate world attacks in short pulses. These may be due to certain time frames being best for attacking organizations, or it could be the time required to plan an attack against corporate users, which calls for the collection of corporate emails and contact info before launching.

Regardless, ransomware activity in 2019 has already hit a record number, and while we have only seen a few spikes in the last couple of months, you can consider these road bumps between two big walls. We just haven’t hit the second wall yet.


Despite an increase in ransomware targeting organizational networks, city networks that have been impacted by ransomware do not show up on our list of top infected cities. This leads us to believe that ransomware attacks on city infrastructure, like what we are seeing in Baltimore, do not occur because of widespread outbreaks, but rather are targeted and opportunistic.

In fact, most of these attacks are due to vulnerabilities, gaps in operational security, and overall weak infrastructure discovered and exploited by cybercriminals. They often gain a foothold into the organization through ensnaring employees in phishing campaigns and infecting endpoints or having enough confidence to launch a spear phishing campaign against high-profile targets in the organization.

There is also always a case to be made about misconfigurations, slow updating or patching, and even insider threats being the cause of some of these attacks. Security researchers and city officials still do not have a concrete answer for how RobinHood infected Baltimore systems in the first place.


There are multiple answers to the question, “How do I beat ransomware?” and unfortunately, none of them apply 100 percent of the time.  Cybercriminals spent the better part of 2018 experimenting on novel methods of breaking through defenses with ransomware, and it looks like they’re putting those experimentations to the test in 2019. Even if organizations follow “all the rules,” there are always new opportunities for infection. However, there are ways to get ahead of the game and avoid worst-case scenarios. Here are four areas that need to be considered when trying to plan for ransomware attacks:


While we did say that EternalBlue likely did not play a part in the spread of RobinHood ransomware, it has been used by other ransomware and malware families in the past. To this end, patching systems is becoming more and more important every day, because developers aren’t just fixing usability bugs or adding new features, but filling holes that can be exploited by the bad guys.

While patching quickly is not always possible on an enterprise network, identifying which patches are required to avoid a potential disaster and deploying those within a limited scope (as in, to systems that are most vulnerable or contain highly-prioritized data) is necessary. In most cases, inventorying and auditing patches should be completed, regardless if the patch can be rolled out across the org or not.


For the last seven or so years, many software developers, including those of operating systems, have created tools to help fight cybercrime within their own products. These tools are often not offered as an update to existing software, but are included in upgraded versions. Windows 10, for example, has anti-malware capabilities built into the operating system, making it a more difficult target for cybercriminals than Windows XP or Windows 7. Look to see which software and systems are nearing end-of-life in their development cycle. If they’ve been phased out of support by an organization, then it’s a good idea to look to upgrading software altogether.

In addition to operating systems, it’s important to at least consider and test an upgrade of other resources on the network. This includes various enterprise-grade tools, such as collaboration and communication platforms, cloud services, and in some cases hardware.


Today, email attacks are the most common method of spreading malware, using either widespread phishing attacks that dupe whomever they can, or specially-crafted spear phishing attacks, where a particular target is fooled.

Therefore, there are three areas that organizations can focus on when it comes to avoiding ransomware infections, or any malware for that matter. This includes email protection tools, user education and security awareness training, and post email execution blocking.

There are numerous tools that provide additional security and potential threat identification for email servers. These tools reduce the amount of potential attack emails your employees will receive, however, they may slow down email sending and receiving due to checking all the mail coming in and out of a network.

User education, however, involves teaching your users what a phishing attack looks like. Employees should be able to identify a threat based on appearance rather than functionality and, at the least, know what to do if they encounter such an email. Instruct users to forward shady emails to the in-house security or IT teams to investigate the threat further.

Finally, using endpoint security software will block many attempts at infection via email, even if the user ends up opening a malicious attachment. The most effective endpoint solution should include technology that blocks exploits and malicious scripts, as well as real-time protection against malicious websites. While some ransomware families have decryptors available that help organizations retrieve their files, remediation of successful ransomware attacks rarely returns lost data.

Following the tips above will provide a better layer of defense against the primary methods of infection today, and can empower your organization to repel cyberattacks beyond ransomware.


Being able to avoid infection in the first place is obviously preferable for organizations, however, as mentioned before, many threat actors develop novel attack vectors to penetrate enterprise defenses. This means that you need to not only establish protection to prevent a breach, but ready your environment for an infection that will get through.

Preparing your organization for a ransomware attack shouldn’t be treated as an “if” but a “when” if you expect it to be useful.

To that end, here are four steps for making your organization ready for “when” you experience a ransomware attack.

Step 1: Identify valuable data

Many organizations segment their data access based on required need. This is called compartmentalization, and means that no single entity within the organization can access all data.  To that end, you need to compartmentalize your data and how it’s stored in the same spirit. The point of doing this is to keep your most valuable (and biggest problem if lost) data segmented from systems, databases, or users who don’t need to access this data on a regular basis, making it more difficult for criminals to steal or modify said data.

Customers’ personally identifiable information, intellectual property, and financial information are three types of data that should be identified and segmented from the rest of your network. What does Larry, the intern, need access to customer data for? Why is the secret formula for the product you sell on the same server as employee birthdays?

Step 2: Segment that data

If needed, you should roll out additional servers or databases that you can put behind additional layers of security, be it another firewall, multi-factor authentication, or just limiting how many users can have access. This is where the data identified in the previous step is going to live. 

Depending on your operational needs, some of this data might need to be accessed more than others and, in that case, you’ve got to set up your security to account for it, otherwise you might hurt operational efficiency beyond the point where the risk is worth the reward.

Some general tips on segmenting data:

  • Keep the system with this data far away from the open Internet
  • Require additional login requirements, like a VPN or multi-factor authentication to access the data
  • There should be a list of systems and which users have access to data on which systems. If a system is somehow breached, there is where you start.
  • If you have the time and resources, roll out a server that barely has protection, add data that looks legitimate but, in reality, is actually bogus, and ensure that it’s vulnerable and easy to identify by an attacker. In some cases, criminals will take the low-hanging fruit and leave, ensuring your actual valuable data remains untouched.       

Step 3: Data backup

Now your data has been segmented based on how important it is, and it’s sitting behind a greater layer of security than before. The next step is to once again identify and prioritize important data to determine how much of it can be backed up (hopefully all the important data, if not all the company data).  There are some things to consider when deciding on which tools to use to establish a secure backup:

  • Does this data need to be frequently updated?
  • Does this data need to remain in my physical security?
  • How quickly do I need to be able to back up my data?
  • How easy should it be to access my backups?

When you can answer these questions, you’ll be able to determine which type of long-term storage solution you need. There are three options: online, local, and offsite.


Using an online backup solution is likely going to be the fastest and easiest for your employees and/or IT staff. You can access from anywhere, use multi-factor authentication, and rest easy knowing it’s secured by people who secure data for a living. Backing up can be quick and painless with this method, however the data is outside of the organization’s physical control and if the backup service is breached, that might compromise your data.

Overall, online backup solutions are likely going to be the best option for most organizations, because of how easy they are to set up and utilize.


Perhaps your organization requires local storage backups. This process can range from incredibly annoying and difficult to super easy and insecure.

Local storage allows you to store offline, yet onsite, maintaining a physical security presence. However, you are limited by your staff, resources, and space on how you can establish a backup operation locally. In addition, operational data that needs to be used daily may not be a candidate for this type of backup method.


Our last option is storing data on removable hard drives or tapes and then having them stored in an offsite location. This might be preferable if data is especially sensitive and needs to be kept away from the location at which it was created or used. Offsite storage will ensure that your data is safe if the building explodes or is raided, but the process can be slow and tedious. You also are unlikely to use this method for operational data that requires regular access and backups.

Offsite backups are only needed in cases of storing extremely sensitive information, such as government secrets, or if the data needs to be maintained and kept for records, but regular access isn’t required.                                              

Step 4: Create an isolation plan

Our last step in preparing your organization for a ransomware attack is to know exactly how you will isolate an infected system. The speed and method in which you do this could save the entire organization’s data from an actively-spreading ransomware infection.

A good isolation plan takes into consideration as many factors as possible:

  • Which systems can be isolated quickly, and which need more time (e.g, endpoints vs. servers)?
  • Can you isolate the system locally or remotely?
  • Do you have physical access?
  • How quickly can you isolate systems connected to the infected one?

Ask yourself these questions about every system in your network. If the answer to how quickly you can isolate a system is “not fast enough,” then it’s time to consider reconfiguring your network to speed up the process.

Luckily, there are tools that provide network administrators with the ability to remotely isolate a system once an infection is detected. Investing time and resources into ensuring you have an effective plan for protecting the other systems on your network is paramount with the type of threats we see today.

Ransomware resilience

As we’ve covered, there has been a bumpy increase in organization-focused ransomware in 2019 and we expect to see more spikes in the months to come, but not necessarily in the cities you might expect. The reality is that the big headline cities hit with ransomware make up only a few of the hundreds of ransomware attacks that occur every single day against organizations across the country.

Cybercriminals will not obey the rules for how to conduct attacks. In fact, they are constantly looking for new opportunities, especially in places security teams are not actively covering. Therefore, spending all your resources on avoidance measures is going to leave your organization in a bad place. 

Taking the time to establish a plan for when you do get attacked, and building your networks, policies, and culture around that concept of resilience will prevent your organization from becoming another headline.


Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.