A Week of Ransomware News: Attacks on Cities and Companies Continue

Recently, several organisations and state entities experienced debilitating ransomware attacks. With effects varying greatly, IT specialists had a busy week trying to restore systems and decrypt locked files. This article presents last week’s news regarding the ransomware attacks, with the highlight being Baltimore City.


Major Ransomware Attack on Baltimore City

On May 7th, 2019, Baltimore City experienced a devastating ransomware breach of security. Authorities overseeing the servers announced in the morning that some of the city’s services went offline.  Almost all systems went down, with exceptions being fire, police, and emergency response departments. Cybercriminals demanded the ransom payment in exchange for decryption codes.

A spokesperson for Baltimore’s Mayor’s office, Lester Davis, confirmed the attack, as well as the demands. “Employees are working diligently to locate the source and extent of the infection,” Davis said. At the time, the severity of the attack impacted numerous functions, including the cancellation of a hearing on gun violence. Moreover, the billing information support system was not responsive to the citizens’ inquiries.


Robinhood Ransomware to Blame

Authorities pointed out Robinhood ransomware as the main culprit and a very aggressive one. Much like other malware programs, breached the city’s platform through a mail. Then, it went on by locking files, forcing employees to shut off their internet connections to limit its movement. Democratic City Councilman Ryan Dorsey confirmed the procedure by stating that “everybody has been instructed to unplug the Ethernet cable and turn off power to their computers, printers, and such.”

IT department managed to quarantine the virus by the afternoon. However, the exact damage is yet to be identified, leaving no answers to when servers will be back on. Joining the frame, FBI representatives mentioned that the malware was a “fairly new variant,” more sophisticated than its previous versions.


Not the First Time

The attack is not the first cyber threat experience that Baltimore City faced so far. Last year, a malware attack turned off the city’s phone system, affecting police and 311 services. Don Norris, the professor of the University of Maryland, pinpointed struggles that local authorities often go through. With repeated experience, it seems that the city’s cyber protection systems are in need of improvements.

You’ve got increasingly sophisticated and very persistent bad guys out there looking for any vulnerability they can find and local governments, including Baltimore, who either don’t have the money or don’t spend it to properly protect their assets,” said Norris. “I’m not surprised that it happened and I won’t be surprised when it happens again.”

So far, authorities did not provide the information regarding the value of the demanded ransom. Additionally, most services remain down, including the police, City Council, and Baltimore animal shelter’s email systems. Enoch Pratt Free Library remains unaffected while IT specialists are coordinating closely with FBI to improve the situation.


Cartersville: Ransomware Forcibly Shuts down Computer Systems

Following the ransomware attack on May 4th, Cartersville has issues to provide services a week later. The online payments system is still offline, with customer service working manually to fulfil basic requests. According to the city’s press release announcement, vital departments are not affected by the attack. “Customer Service is open and can receive payments. However, online bill pay is currently not available,” as stated in the announcement.

However, customers cannot fill out online payment forms. They can either send funds through a mail or come personally to the customer service centre. Officials are coordinating with a consultancy agency and law enforcement to solve the issue. Currently, Cartersville representatives are still in the midst of damage inquiry. No further details are known regarding the potential ransom demands nor the type of the malware used during the attack.

City Communications and Public Relations Manager Rebecca Bohlander stated that officials cannot provide additional information at this time. “They’re still trying to get to the bottom of it, and there’s still other stuff that can’t be discussed at this time,” she said.


Rarotonga Firms Feel the Ransomware Threat

A chain of cafés from Rarotonga have seen their systems targeted by cybercriminals on May 9th. Businesses that have been affected by the ransomware include Tamarind House, The New Place Café, The Rickshaw, and La Casita Mexican Café. Group’s management representatives issued a warning that restaurant businesses are not accepting payments. The company stated that a ransomware program called “Phoenix” sneaked within the Group’s network, locking out files while remaining undetected.



The General Manager Pisha Carruthers said that, although services are on-going, management would need to pay $500 to recover lost files. Additionally, restaurants decided against paying the ransom, employing cybersecurity specialists instead. One of the consultants who provided necessary help was George Ngatikao from Techtro Solutions. He stated that hackers demanded bitcoins as a ransom payment, which is the usual practice.

Ransom amounts are usually quite low to encourage people to pay them and justify the cost even if they didn’t get the files back, “ he said. He added that in many cases, even if the ransom demand is met, many companies would still not receive decryption keys.

Cybercriminals used the Phoenix program to attack the Empire Theatre in Rarotonga as well, demanding US$1,600. Manager of the cinema, Pa Napa, refused to pay the ransom, buying a new computer instead.


Potter County Judge Warns of Ransomware Attack

Potter County Judge Nancy Tanner warned the county’s employees of the recent ransomware attack. The email stated that computer systems have been jeopardised by malware and not by a virus, as believed earlier. ABC 7 reported that the county is still facing issues two weeks after April’s attack. So far, no personal data was lost while specialists are working to solve the issue.

Interestingly, the email requested from the staff members to keep the information from reaching the public. “I will reiterate that I do not want the information about ransomware being made public,” Tanner wrote. However, ABC 7 published the announcement, as well as contacted Judge Tanner who stated that “the email accurately describes what Potter County is dealing with. It is disappointing that someone made this public, even though I requested them not to.”


Lakeland’s Health Entity Releases Late Ransomware Report

With barely two months passing since the last ransomware attack, Spectrum Health Lakeland from St. Joseph, US, announced yet another data breach. According to the Herald-Palladium report, the entity released a statement on May 8th, 2019, that ransomware from December 2018 may have compromised clients’ data.



The damage includes 1,100 patients’ medical information. Compromised data may also include patient names, addresses, health services used, diagnoses, and health insurance details. “Spectrum Health (Lakeland) regrets any concern this incident may cause the affected patients and their families, and is working closely with OS, Inc. to prevent this from happening again,” the news release announced.

The organisation was forced to employ a third-party consultant to solve the issue, pinpointing an email as the main culprit. The report shows that one of the staff members clicked the provided link, spreading the ransomware throughout the system. So far, sensitive personal and financial information was not compromised. According to the Spectrum’s Compliance and Privacy Officer Chris Kuhlmann, the company took measures to prevent the spread of malware towards vendors.

Due to the previous experiences, Spectrum Health managed to limit the ransomware reach, since the last attack involved 60,000 patients. Additionally, there is no evidence so far that files have been lost, while the organisation is yet to inform the public regarding the potential ransom demands.


Genesee Restructures its Top IT Position due to the Ransomware

Following the ransomware attack from April, Genesee County made a decision to upgrade its security system by restructuring a leading IT staff role. On May 8th, according to the MLive’s report, authorities voted in favour of a position change, modifying the “Lead Technical Position” to “Cybersecurity and Technical Architect.” Additionally, the county’s Board of Commissioners decided to create additional organisational changes within the IT department to increase security efficiency.

After the ransomware took down computer systems, the management had issues recovering their data. Genesee’s financial system was jeopardised as well, paying a high fee for restoration of the database – an estimated $200,000 was needed for the system’s fix.

The new top position would include developing policies and procedures for security, back-up, and data recovery. However, the management insisted that overall department reorganisation was crucial for the county to undertake.


Dharma Ransomware: An Upgraded Version Incoming

Since 2016, a notorious ransomware program called Dharma had been quite “successful” in penetrating systems around the globe. According to the TrendMicro report, hackers managed to upgrade the malware, disguising it as legitimate anti-virus software. One of the first victims of the Dharma ransomware was ABCD Paediatrics, followed by East Central Kansas Area Agency in 2017.

Hackers used different tactics in spreading the ransomware, demanding payments from infected companies. Phishing emails are still the most used method for malware’s entrance, with senders disguised as Microsoft’s support teams. Users would then be asked to verify their antivirus software to comply with Microsoft’s supposed changes of user terms and conditions. According to the report, ESET’s outdated version would be used for malware’s files extraction.

The TrendMicro report stated that the ransomware attack will commence even if the tool installation is not triggered. “The installation process seems included just to trick users into thinking no malicious activity is going on.” With a history of abusing authentic tools, cybercriminals that developed Dharma are on the lookout for new, clever tactics that would lure victims in.

Once files are encrypted, hackers would release a message, demanding payments for decryption codes. Healthcare businesses’ servers, in most cases, remained locked for a prolonged period of time, with data restoration costs rising up as a result. “As malware authors continue to adopt layered evasion tactics and malicious techniques, users also have to adopt stronger and smarter security solutions to protect their assets,” report concluded.


Malware Ad Creator Arrested and Extorted to the US

On May 6th, a malware ad creator was extorted to the New Jersey court based on ransomware-related charges. Arrested in the Netherlands, Oleksii Ivanov (31) from Ukraine organised fake campaigns using credentials of non-existent companies. He operated from October 2013 until May 2018, sending over 100 million ransomware-infected ads. Victims would click provided links and get their computers locked by the ransomware.

With the help of several partners, Ivanov would then try to extort funds from victims. Previously, he would buy ad space from legitimate hosting platforms and then proceed by delivering malicious codes through links. Should networks suspend his online account, Ivanov would proceed by creating another fake company, usually “based” in the UK. Combined US Secret Service, Dutch and British law enforcement’ investigation brought charges upon Ivanov, who declared innocence and rejected legal accusations.


Services Giant Wolters Kluwer Experienced a Ransomware Attack

On May 6th, the information service giant from Netherlands, Wolters Kluwer, took a ransomware hit. The attack was described as “technical anomalies”. The company stated in a press release that a good portion of the firm’s services have been affected. A number of applications were taken offline, as the IT security staff members investigated the cause of the breach.

In the following period, the company managed to restore most of the services, including CCH SureTax and CCH Axcess. Law enforcement were notified of the attack while the US servers are still down. According to the latest update, there is “no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data.”

The company did not mention what type of ransomware entered its system nor how. It also remains unclear whether hackers demanded ransom, as staff members continue to unlock services. According to several reports, however, MegaCortex might be to blame. The malware was discovered at the beginning of 2019, with cybercriminals targeting companies from the US and Europe.



Recent malware developments are sure to push companies and state entities to improve their cyber defences. Moreover, hackers are known to be creative, constantly upgrading their ransomware tools. Thus, Baltimore’s case can happen to any other city around the globe that does not have proper security measures.



Cloud backup is the easiest way to protect data. It works on the simple concept that your data is securely backup-up in single or multiple locations which are separate from your live data.

Should your live data be lost because of theft, fire, hardware failure or any type of illegal activity, you can restore your data back again.
We are now seeing reports of malware and which pass themselves off as genuine anti-virus software, thus defeating a user’s own systems.

With this type of exponential threat, we could ask… if you haven’t been attacked yet, when will you be? Maybe it is a case of when and not, if!

The BOBcloud platform offers cloud backup services through numerous online platforms and methods. Whichever Windows, MAC or Linux OS, application or database you are using, we have a solution to keep you protected.

Leave a Reply

Your email address will not be published. Required fields are marked *

The Old Sorting Office, Corsham, Wiltshire SN13 9AA
Tel: 0800 907 8238 https://www.bobcloud.net/wp-content/themes/bobcloud/images/logo.png