
Baltimore city government computer network hit by ransomware attack - Datenstrom
https://www.baltimoresun.com/news/maryland/politics/bs-md-ci-it-outage-20190507-story.html
======
Wowfunhappy
I feel like I'm being small-minded, but I legitimately don't understand why
ransomware continues to be so damaging. Do these organizations not have backup
systems in place? What would happen if their hard drives failed, as is
completely normal?

~~~
mirimir
The Baltimore Sun doesn't like Germany, but an Ars Technica article quotes the
mayor:

> In his press conference, Baltimore’s new mayor, Bernard “Jack” Young, said
> it was uncertain how long the city's systems would be offline. "There is a
> backup system with the IT department," he said, "but we can't just go and
> restore because we don’t know how far back the virus goes. So I don’t want
> people to think that Baltimore doesn’t have a backup."

0) [https://arstechnica.com/information-technology/2019/05/balti...](https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/)

Edit: What I meant:

> Unfortunately, our website is currently unavailable in most European
> countries. We are engaged on the issue and committed to looking at options
> that support our full range of digital offerings to the EU market. We
> continue to identify technical compliance solutions that will provide all
> readers with our award-winning journalism.

~~~
neokantian
Apparently, they use psexec to remotely execute programs:
[https://docs.microsoft.com/en-us/sysinternals/downloads/psex...](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec)

"Utilities like Telnet and remote control programs like Symantec's PC Anywhere
let you execute programs on remote systems, but they can be a pain to set up
and require that you install client software [%] on the remote systems that
you wish to access. PsExec is a light-weight telnet-replacement that lets you
execute processes on other systems, complete with full interactivity for
console applications, without having to manually install client software [%]."

[%] They probably mean server software.

So, where is the server software itself documented? Is it started by default
on each system? It seems to be some kind of poor man's version of SSH ...

~~~
danielbarla
The link you posted leads to a more detailed article by the developer, where
he mentions some internals:

> PsExec starts an executable on a remote system and controls the input and
> output streams of the executable's process so that you can interact with the
> executable from the local system. PsExec does so by extracting from its
> executable image an embedded Windows service named Psexesvc and copying it
> to the Admin$ share of the remote system. PsExec then uses the Windows
> Service Control Manager API, which has a remote interface, to start the
> Psexesvc service on the remote system.

> The Psexesvc service creates a named pipe, psexecsvc, to which PsExec
> connects and sends commands that tell the service on the remote system which
> executable to launch and which options you've specified. If you specify the
> -d (don't wait) switch, the service exits after starting the executable;
> otherwise, the service waits for the executable to terminate, then sends the
> exit code back to PsExec for it to print on the local console.

~~~
zxcmx
PsExec will also most likely freak out your security operations team if it’s
not part of your expected workflow (well, and if you have a decent SIEM, and
it’s actually monitored...)

~~~
rgray805
What stuck out to me was the part that said, "A similar attack affected the
city’s phone system last year, shutting down automated dispatches for 911 and
311 calls." Clearly what they had didn't catch it (twice) and that's a problem
with SIEMs - usually not configured correctly or to log the right things.
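
Added example (not part of the thread and not Sysinternals' code): the PsExec mechanism quoted above leaves three observable traces, the copy to Admin$, the service install through the Service Control Manager, and the named pipe, and this sketch correlates them per host over exported event records. The record layout (`host`, `event_id`, `data`), the host names and the sample events are constructed assumptions; the event IDs are the standard Security 5145, System 7045 and Sysmon 17/18.

```python
import json

# Default names from the quoted PsExec description; a renamed service or
# pipe will not match, so treat this as one signal, not full coverage.
DEFAULT_NAMES = ("psexesvc", "psexecsvc")

def has_default_name(value):
    return any(name in (value or "").lower() for name in DEFAULT_NAMES)

def classify(event):
    """Map one event record to the PsExec stage it shows, or None."""
    eid, data = event.get("event_id"), event.get("data", {})
    # Security 5145: file accessed over a share (service binary copied to Admin$)
    if (eid == 5145 and data.get("ShareName", "").lower().endswith("admin$")
            and has_default_name(data.get("RelativeTargetName"))):
        return "admin-share-copy"
    # System 7045: Service Control Manager installed a new service
    if eid == 7045 and (has_default_name(data.get("ServiceName"))
                        or has_default_name(data.get("ImagePath"))):
        return "service-install"
    # Sysmon 17/18: named pipe created / connected
    if eid in (17, 18) and has_default_name(data.get("PipeName")):
        return "named-pipe"
    return None

def detect(lines):
    """Return {host: (confidence, stages)}; two or more stages is 'high'."""
    stages = {}
    for line in lines:
        event = json.loads(line)
        stage = classify(event)
        if stage:
            stages.setdefault(event["host"], set()).add(stage)
    return {host: ("high" if len(found) >= 2 else "low", sorted(found))
            for host, found in stages.items()}

# Constructed sample records (hypothetical hosts), one JSON object per line.
SAMPLE = [
    r'{"host": "FIN-WS01", "event_id": 5145, "data": {"ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "PSEXESVC.exe"}}',
    r'{"host": "FIN-WS01", "event_id": 7045, "data": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}}',
    r'{"host": "FIN-WS01", "event_id": 17, "data": {"PipeName": "\\PSEXESVC"}}',
    r'{"host": "HR-WS02", "event_id": 7045, "data": {"ServiceName": "PrintHelper", "ImagePath": "C:\\Windows\\System32\\printhelper.exe"}}',
    r'{"host": "OPS-WS03", "event_id": 18, "data": {"PipeName": "\\psexecsvc"}}',
]

if __name__ == "__main__":
    for host, (confidence, found) in sorted(detect(SAMPLE).items()):
        print(host, confidence, found)
```

Whether a "high" result is an alert or routine depends on whether PsExec is part of the expected admin workflow on that host, which is the baseline the comments above refer to.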

------
ch4s3
How many copies of Healthy Holly do they want?

~~~
rdtsc
I really enjoyed this one:
[https://www.washingtonpost.com/outlook/2019/04/05/critical-c...](https://www.washingtonpost.com/outlook/2019/04/05/critical-carlos-reads-healthy-holly/?utm_term=.d44626f7cb8d)

Lost it at "Remember kids, it's important to exercise... your right to take
the 5th"

