The devastating ransomware attack that crippled the city of Baltimore's public services for more than two weeks will cost approximately $18.2 million (14.3 million) to put right, according to the city's mayor.
Cleanup efforts in the immediate aftermath of the attack will cost Baltimore $10 million through to the end of the year, according to mayor Bernard Young, speaking at a council hearing last week. Meanwhile, an additional $8 million in costs have been sustained due to deferred or lost revenue while the city was unable to process payments.
The city's IT office has already spent $4.6 million on recovery operations since the attack on 7 May, city officials revealed, with an additional $5.4 million earmarked to be spent by the end of the year, according to the Baltimore Sun.
"We're not going to pay criminals for bad deeds. That's not going to happen," Young said in response to questions over the expected costs, adding: "There's no guarantee that if you pay, you reset your system".
For more than two weeks in May, thousands of government computers were infected with malware, said to be a strain known as RobinHood. This shut down a string of government services including those for paying taxes and parking tickets, as well as internal email systems.
In contrast with the eye-watering costs of the hack revealed this weak, the hackers asked for just 13 bitcoins, valued at just under $100,000 at the time.
Mayor Young has since faced criticism over his handling of the attack, with his repeated refusal to pay the ransom being branded as "shortsighted" by Forrester analyst Josh Zelonis.
"While many advise against paying ransoms, Forrester has been tracking a trend of companies that negotiated with the extortionists and paid for decryption keys as part of their incident recovery," he said.
"Conventional wisdom does not factor in what is best for your business and the situation you are currently in. Platitudes and emotion are not going to help you formulate an optimal recovery path for your business."
Meanwhile, recovery is complicated, and even if there are good backups, businesses tend to underestimate the scale of disruption that needs to be planned ahead for, he added.
Additional reports have since indicated the perpetrators used a Windows exploit developed by the National Security Agency (NSA) to target the city. The EternalBlue tool also exploits a vulnerability with Windows XP and Vista systems, also called EternalBlue. This flaw allows hackers to execute commands remotely on targeted devices.
The exploit has also been at the centre of a number of infamous cyber attacks including the WannaCry attack of May 2017 and NotPetya in June the same year.
The former had a particularly devastating effect on the NHS, costing the health service more than 92 million to recover. The bulk of these costs, 72 million, were allocated towards restoring its services to full operation and recover data in the immediate months following the attack.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
