According to a report in The New York Times, the tool that has crippled the city is a National Security Agency creation called EternalBlue, which has been used in other high-profile cyberattacks.
According to security experts, the attackers used EternalBlue, which exploits a flaw in the SMBv1 file-sharing implementation of Windows, present in versions from Windows XP and Vista onward, and allows an unauthenticated remote party to execute code on the target machine.
The tool was leaked by the hacking group The Shadow Brokers in April 2017. Microsoft had already fixed the underlying vulnerability the month before, in its March 2017 MS17-010 security update, and confirmed within a day of the leak that patched systems were protected. But the existence of a patch does not close the hole on any given machine: administrators must actually apply it.
Attackers using EternalBlue have since been responsible for several major cyberattacks, including WannaCry in May 2017 and the NotPetya attack on Ukrainian banks and infrastructure in June 2017.
The Baltimore attack is the latest reported instance of the exploit's use, and a recent report from WeLiveSecurity highlights that its use is increasing, especially against US targets. The report found almost a million internet-exposed machines still running the obsolete SMBv1 protocol, and points to poor security practices and a lack of patching as the likely reasons why malicious use of EternalBlue has grown continuously since 2017, when it was leaked online.
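The WeLiveSecurity figure above comes from counting hosts that still answer SMBv1 on the open internet. The script below is an added example, not code from the report or from any of the article's sources; it performs the same check against a single host by sending an SMB1 NEGOTIATE request that offers only the SMB1 "NT LM 0.12" dialect and classifying the reply. A server that still speaks SMBv1 answers with an SMB1 header and a dialect index; a server with SMBv1 disabled answers with an SMB2 header, rejects every offered dialect (index 0xFFFF), or simply closes the connection. The function and constant names are the example's own. Run it only against systems you are authorized to test, and read the result with one caveat: a positive hit means the protocol EternalBlue targets is enabled, not that MS17-010 is missing, since a fully patched host can still have SMBv1 turned on.

```python
"""Check whether a host still negotiates SMBv1 (added example, not the report's tooling)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"       # header of every SMB1 (CIFS) message
SMB2_MAGIC = b"\xfeSMB"       # header of every SMB2/SMB3 message
SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECT = b"NT LM 0.12"  # the SMB1 dialect Windows implementations accept


def build_smb1_negotiate(dialects=(SMB1_DIALECT,)):
    """Build a NetBIOS-framed SMB1 NEGOTIATE request offering `dialects`."""
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    # SecurityFeatures, reserved, TID, PIDLow, UID, MID (little-endian fields).
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,
        0,                 # NT status: STATUS_SUCCESS
        0x18,              # Flags: canonical path names, case-insensitive
        0xC843,            # Flags2: long names, extended security, NT status, Unicode
        0,                 # PIDHigh
        b"\x00" * 8,       # SecurityFeatures
        0, 0,              # Reserved, TID
        0xFEFF,            # PIDLow (arbitrary client-chosen value)
        0, 0,              # UID, MID
    )
    # Each offered dialect is a 0x02 buffer-format byte plus a NUL-terminated string.
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    params = struct.pack("<BH", 0, len(dialect_bytes))  # WordCount=0, ByteCount
    smb = header + params + dialect_bytes
    # NetBIOS session service framing: message type 0x00 + 3-byte big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_negotiate_response(data):
    """Classify a raw reply (NetBIOS frame included).

    Returns ("smb1", dialect_index) when the server accepted an SMB1 dialect,
    ("smb2", None) when it answered with an SMB2/3 header, and ("none", None)
    for an empty, truncated, non-SMB or all-dialects-rejected reply.
    """
    if len(data) < 8:
        return ("none", None)
    smb = data[4:]  # strip the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return ("smb2", None)
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        return ("none", None)
    command = smb[4]
    word_count = smb[32]           # first byte after the 32-byte header
    if command != SMB_COM_NEGOTIATE or word_count == 0:
        return ("none", None)
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:    # server accepted none of the offered dialects
        return ("none", None)
    return ("smb1", dialect_index)


def probe_smb1(host, port=445, timeout=3.0):
    """Send the SMB1-only NEGOTIATE to host:port; True if SMBv1 was negotiated.

    A reset, close or timeout is treated as 'not negotiated', which is what a
    Windows host with SMBv1 removed does when offered only the SMB1 dialect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError:
        return False
    return classify_negotiate_response(data)[0] == "smb1"


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        state = "SMBv1 enabled" if probe_smb1(target) else "SMBv1 not negotiated"
        print(f"{target}: {state}")
```

Offering only the SMB1 dialect is deliberate: a negotiate that also lists "SMB 2.002" or "SMB 2.???" would let an SMB2-capable server answer with an SMB2 header whether or not SMBv1 is still enabled, which is the ambiguity this probe avoids. The remediation on the Windows side is to disable the SMB1Protocol feature and install MS17-010; re-running the probe afterwards should report "SMBv1 not negotiated".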
Baltimore’s computers were hit by the ransomware earlier this month, and city officials have said, per The New York Times, that they won’t pay the $76,000 ransom demand. The city has begun to implement some workarounds, manually processing real estate transactions and setting up a Gmail system for city workers, which Google initially shut down but has since restored.
In the meantime, The Baltimore Sun reports that the city’s IT department is working to restore access to the city’s systems and to improve their security as it does so.