
Anatomy of a Breach: Baltimore — The Second US City Brought Down by Ransomware, Still Using EternalBlue

> series: anatomy_of_a_breach —— part: 126 —— target: city_of_baltimore —— ransomware: robbinhood —— exploit: eternalblue_still —— years_since_patch: 2

Hedgehog Security 30 June 2019 13 min read

EternalBlue. Two years after WannaCry. Two years after the patch. Still unpatched. Still exploited.

On 7 May 2019, RobbinHood ransomware struck the City of Baltimore, encrypting systems across multiple departments and demanding 13 Bitcoin (approximately $76,000). The attack disabled email, voicemail, online payments, and real estate transaction systems. Residents could not pay water bills or property taxes online. The city's 311 non-emergency phone system went down. Baltimore's government was forced to revert to paper-based processes.

Baltimore refused to pay the ransom. The total recovery cost exceeded $18 million — including $4.6 million in direct incident response costs and $13.6 million in lost or delayed revenue. Investigators found that the EternalBlue exploit — the same NSA tool that powered WannaCry (May 2017) and NotPetya (June 2017) — was used for lateral movement through Baltimore's network. The MS17-010 patch had been available since March 2017 — over two years before the Baltimore attack. The city had not applied it to all systems.


Patch released: March 2017. WannaCry: May 2017. NotPetya: June 2017. Baltimore: May 2019. Still unpatched.

The Baltimore attack is the most damning indictment of patching failure in this entire series. MS17-010 was released on 14 March 2017. WannaCry struck on 12 May 2017. NotPetya struck on 27 June 2017. The global impact of EternalBlue was the dominant cybersecurity story of 2017. Yet in May 2019 — 26 months after the patch, 24 months after WannaCry, and after every security organisation in the world had warned about EternalBlue — a major US city was still running systems vulnerable to the exploit.

26 Months After the Patch

<a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates 14-day critical patching. Baltimore was breached 26 months after the patch was released — 780 days late. The gap between 'patch available' and 'patch applied' in local government remains the single most exploitable weakness in the public sector.

Second US City After Atlanta

<a href="/blog/anatomy-of-a-breach-atlanta-samsam">Atlanta</a> (March 2018) and Baltimore (May 2019) — two major US cities devastated by ransomware within 14 months. Both refused to pay. Both spent tens of millions on recovery. For UK <a href="/blog/sector-under-the-microscope-local-government">local government</a>, the pattern is a direct warning.

$76K Ransom vs $18M Recovery

The same economics as Atlanta: a relatively modest ransom demand ($76K) versus an enormous recovery cost ($18M). The disparity underscores the value of prevention — <a href="/penetration-testing">penetration testing</a>, <a href="/vulnerability-scanning">vulnerability scanning</a>, and <a href="/cyber-essentials">Cyber Essentials</a> cost a fraction of the recovery bill.

No Monitoring Detected the Intrusion

The ransomware was deployed without triggering effective detection. <a href="https://www.socinabox.co.uk/sectors/local-councils">SOC in a Box for Local Government</a> provides the 24/7 monitoring that detects ransomware deployment before encryption completes.

Patch. Or the same exploit will hit you years later.

Baltimore proved that unpatched vulnerabilities do not expire — they persist until they are patched or exploited. EternalBlue, first exploited in the wild in May 2017, was still being exploited against unpatched systems in May 2019 — and continues to be exploited against unpatched systems today. Cyber Essentials Danzell's 14-day patching mandate exists because exploits do not have an expiry date.

Vulnerability scanning identifies EternalBlue-vulnerable systems. Infrastructure testing validates patching across the estate. Cyber Essentials mandates 14-day critical patching. SOC in a Box for Local Government monitors for exploitation attempts. And UK Cyber Defence provides incident response when patching has failed and the ransomware has arrived.
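The 14-day window and the "patch available versus patch applied" gap described above can be turned into a simple compliance check. The script below is an added example written for this article, not code from Hedgehog Security or from the Cyber Essentials scheme. It takes the MS17-010 release date (14 March 2017) and the Baltimore attack date (7 May 2019) from the article, measures each host's exposure and lateness against the 14-day critical patching window, and flags hosts that were never patched. The host inventory (`SAMPLE_HOSTS`) and the patch dates in it are constructed for illustration and correspond to no real estate; the article's own "26 months" and "780 days" are rounded figures, whereas the functions work from the exact calendar dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Dates taken from the article.
MS17_010_RELEASED = date(2017, 3, 14)   # Microsoft released the patch
BALTIMORE_BREACH = date(2019, 5, 7)     # RobbinHood hit the City of Baltimore

# Cyber Essentials requires critical/high-risk patches within 14 days.
CRITICAL_PATCH_SLA_DAYS = 14


@dataclass
class Host:
    """One asset from a patch inventory. patch_applied=None means still unpatched."""
    name: str
    patch_applied: Optional[date]


def exposure_days(released: date, until: date) -> int:
    """Calendar days a host was exposed after the patch became available."""
    return (until - released).days


def days_late(released: date, until: date, sla_days: int = CRITICAL_PATCH_SLA_DAYS) -> int:
    """Days beyond the SLA window; 0 when patched inside the window."""
    return max(0, exposure_days(released, until) - sla_days)


def assess(hosts: List[Host], released: date, as_of: date) -> List[Tuple[str, str, int]]:
    """Classify every host as COMPLIANT, LATE, or UNPATCHED.

    For an unpatched host the lateness is measured up to `as_of`, since the
    exposure keeps growing until the patch lands.
    """
    report = []
    for h in hosts:
        if h.patch_applied is None:
            report.append((h.name, "UNPATCHED", days_late(released, as_of)))
        else:
            late = days_late(released, h.patch_applied)
            report.append((h.name, "COMPLIANT" if late == 0 else "LATE", late))
    return report


def summarise(report: List[Tuple[str, str, int]]) -> dict:
    """Count hosts per status so the estate-wide picture is visible at a glance."""
    counts = {"COMPLIANT": 0, "LATE": 0, "UNPATCHED": 0}
    for _, status, _ in report:
        counts[status] += 1
    return counts


# Constructed sample inventory (hypothetical hosts, not Baltimore's real estate).
SAMPLE_HOSTS = [
    Host("fileserver-01", date(2017, 3, 20)),       # patched 6 days after release
    Host("hr-workstation-12", date(2017, 6, 30)),   # patched after NotPetya, well outside 14 days
    Host("legacy-311-app", None),                   # never patched
]

if __name__ == "__main__":
    report = assess(SAMPLE_HOSTS, MS17_010_RELEASED, BALTIMORE_BREACH)
    for name, status, late in report:
        print(f"{name:20} {status:10} {late:>4} days beyond the 14-day window")
    print(summarise(report))
```

Run against a real inventory, the `as_of` date should be today, so that every `UNPATCHED` row shows how long the exposure has already lasted rather than a fixed historical figure.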


EternalBlue: patched March 2017. Exploited May 2019. Are all your systems patched?

<a href="/vulnerability-scanning">Vulnerability scanning</a> finds what is missing. <a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation.
