STEVE INSKEEP, HOST:
A hostage situation continues today in Baltimore. To be clear, the hostage is not a person. It's data. Two weeks ago today, hackers breached city servers, and many digital city services are no longer accessible as a result. Experts say restoring those services could take months because the city is not willing to pay the ransom. From member station WYPR, Emily Sullivan reports.
EMILY SULLIVAN, BYLINE: Hackers used an extremely malicious type of ransomware, called RobinHood, to pull off the heist. They're demanding about $100,000 in bitcoin to unlock their grip on city servers by giving up a digital key to all that data. That data ranges from legislative bills to online payments for water and parking tickets. Even the city's lien system is frozen, meaning no real estate sales can happen.
AVI RUBIN: Imagine if somebody would sneak into a government building at night, load up a bunch of boxes with all the paperwork for all the pending permits, and all the pending house closings, and all the pending business that the city was conducting, put it all in a truck and drive away and demand some money in order to bring that truck back to give back all the papers.
SULLIVAN: That's Avi Rubin, a Johns Hopkins professor and a cybersecurity expert. Baltimore Mayor Jack Young has said the city won't pay the ransom demand. Rubin says there's no way any federal agency could replicate the key needed to unlock the data.
RUBIN: I don't even think that the NSA would be able to break this.
SULLIVAN: And that means Baltimore will essentially have to painstakingly rebuild its online systems. And as expected, residents here are not happy about it. Many think the city should have been prepared for a cyberattack, especially after Atlanta was hit by a malware last year and made national news. Local reports say it cost Atlanta $17 million to recover from the attack. Baltimore was using older hardware and software, which are more vulnerable. Avi Rubin doesn't blame the cash-strapped city for falling victim. That kind of attitude appears commonplace.
RUBIN: It costs a lot of money to prepare for something like this. And if it's never happened, it's only natural to say, well, this type of thing has never happened before so why should we spend a lot of money on it?
SULLIVAN: At least 20 municipalities and Cleveland's airport were hit by similar malware attacks in recent months. Private companies are targeted all the time, and ransoms do get paid, providing hackers motivation to keep up attacks. Years ago, it was hospitals being attacked, and most bolstered security. But it's harder for a city like Baltimore to spend a lot of money on what can feel like an abstract threat. Rubin says hopefully this latest cyberattack will change that.
RUBIN: It should be an early warning sign to a lot of other cities that they need to beef up their security, and they need to beef up their IT. They need to get more modern computer systems, use the cloud.
SULLIVAN: Ashley Merson (ph) has been under contract for a two-bedroom house for over a month now. She's frustrated that the real estate system didn't have a paper backup in place.
ASHLEY MERSON: The fact that you have a completely unsustainable computer system with no plan in place for when something like this happens after watching it happen to countless other cities, it's frustrating and disappointing.
SULLIVAN: Yesterday, nearly two weeks after the attacks, officials introduced a non-digital workaround for home buying, involving lots of paper. Meanwhile, as the cyberattack continues, officials say they'll try to come up with paper workarounds for other city services.
For NPR News, I'm Emily Sullivan in Baltimore.
Copyright © 2019 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.