Government computers in the city of Baltimore have been hit by a second ransomware attack in just over a year. Several Gmail accounts opened by city officials as a countermeasure allegedly triggered Google’s anti-spam systems and were shut down. However, the real reason for the suspension might be purely economic.
The city’s computers were infected on May 7th with the virus called RobinHood, as we’ve previously reported.
The hackers demanded a payment of 13 bitcoins – corresponding to more than $100,000 – to remove the ransomware. About 10,000 computers have been infected with it.
The attack affected many daily administrative tasks of Baltimore’s city government. It delayed the sales of several homes and prevented water bills from being generated. It also prevented tax bills and parking fines from being paid. The Department of Public Works had to announce on social media that sanctions for delayed payments would be suspended for the population of Baltimore and the County.
The city of Baltimore has so far refused to pay the ransom. The Secret Service and the FBI are known to be investigating the attacks, but Baltimore’s Mayor Bernard Young said it is still unclear when systems will be fully operational again.
The problem was partially contained: the city’s cybersecurity team was able to quarantine the ransomware, and the FBI helped with the recovery operations, but it took time, and Baltimore is still scared by last year’s attack, when phone calls to 911 and 311 were compromised.
In addition to disconnecting from the Ethernet and shutting down most of its servers, Baltimore prompted its government officials to switch from their internal email to Gmail accounts as a way to contain the effects of the virus, which was spreading from one computer to another.
In response, Google’s anti-spam filters activated, suspending the accounts and crippling one of Baltimore’s strategies to buffer the attack.
Google’s common practice is to block accounts that violate its terms and conditions or that are seen as possible spam: multiple accounts opened in the same area in a very short period of time might be mistakenly flagged as dangerous. However, according to the Baltimore Mayor’s office, the accounts were disabled because Google sees them as business accounts that should be paid for.
On Thursday, all emails sent to addresses used by City Council President Brandon Scott, two assistants of the City Council, a spokesperson from the Health Department and one of the Mayor’s aides bounced back with a laconic “The email you tried to reach is disabled”. According to the Mayor’s office, the problems were discovered on Thursday morning.
Local governments generally lack the funds to invest in computer security, which is why they are a “soft target” for hacker attacks. Google accounts could be useful in some instances. Google offers two types of accounts: a free one, and a paid one for businesses and other organizations. Mayor Bernard’s spokesman, James Bentley, pointed out that the city was considering purchasing a business account from Google to restore the systems.
“They disabled them because they deemed them to be business accounts,” he said. “Their position is these accounts are circumventing their paid service.” This implies that Google knows with a great degree of accuracy what accounts are used for, by extracting information from email exchanges and other “sensitive data” without the users’ explicit consent.
Some of the addresses set up by city employees were still working early on Thursday afternoon. Brandon Scott said his team was appealing the suspension with Google. A spokesperson from the Health Department said she could see old messages but could not receive or send new ones. She said that there was no notice showing why the account wasn’t working.
Google issued the following comment: “We have restored access to the Gmail accounts for the Baltimore city officials. Our automated security systems disabled the accounts due to the bulk creation of multiple consumer Gmail accounts from the same network.”
For the moment, Google has restored access to the Gmail accounts.