 | This articlemay be excessively based oncontemporary reporting. Please use newersecondary sources; articles on events that lacklasting impact may bemerged,redirected, ordeleted.(November 2025) (Learn how and when to remove this message) |
 | This article needs to beupdated. The reason given is: Missing impact & subsequent legal developements. Please help update this article to reflect recent events or newly available information.(November 2025) |
| Date | 7 May 2019 |
|---|---|
| Time | 8:54 a.m.[1] (EDT) |
| Location | Baltimore,Maryland,United States |
| Type | Cyberattack |
| Theme | Ransomware encrypting files with $76,280 demand[1] |
| Cause |
|
| Outcome | Multiple municipal services down for months, including databases and applications City spends $18 million in recovering services |
During theBaltimore ransomware attack of May 2019, theAmerican city ofBaltimore,Maryland had its servers largely compromised by a variant ofransomware called RobbinHood. Baltimore became the second U.S. city to fall victim to this new variant of ransomware afterGreenville, North Carolina and was the second major US city with a population of over 500,000 people to be hacked by ransomware in two years, afterAtlanta wasattacked the previous year.
Baltimore had been targeted by ransomware once prior to the May 2019 attack in 2018, though that attack was smaller in comparison and took down the city's emergency dispatch system for a short duration.[2] On May 2, just days before the first infection, mayorCatherine Pugh resigned amidst a corruption scandal and was ultimately convicted and sentenced to 3 years in prison.[3] She was replaced byJack Young.
On May 7, 2019, most of Baltimore's government computer systems were infected with the aggressiveransomware variant RobbinHood. All servers, with the exception of essential services, were taken offline. In a ransom note, hackers demanded 13 bitcoin (roughly $76,280) in exchange for keys to restore access. The note stated that if the demands were not met within four days, the price would increase and within ten days the city would permanently lose all of the data.[4][5][6][7][8][9][10] On May 25, security expert Nicole Perlroth speculated that the stolenNSA exploitEternalBlue was used to infiltrate the city's network vulnerabilities and initiate the attack,[11] though in a memoir published in February 2021, Perlroth recanted her original statement after concluding that the exploit was not in fact responsible.[12]
Baltimore was susceptible to such an attack due to its IT practices, which included decentralized control of its technology budget and a failure to allocate money itsinformation security manager wanted to fund cyberattack insurance.[13] The attack has been compared to aransomware attack onAtlanta the previous year, and was the second major use of the RobbinHood ransomware on an American city in 2019, asGreenville, North Carolina was also affected in April.[14]
The attack had a negative impact on the real estate market as property transfers could not be completed digitally due to the system being down,[15][16] as the city's card payment system and debt checking application were rendered inaccessible. In addition, city employees were unable to use their email system and resorted to creatingGmail accounts as workaround. Google automatically blocked their accounts due to the large number of accounts created in that timespan, though the company later restored the Gmail accounts.[17]
The recovery, initially estimated to take several more weeks on May 20,[13] ultimately lasted until September.[18] Frank Johnson, Baltimore's IT director, was put on unpaid leave following the ransomware attack. Since becoming the city's IT director during the Pugh administration, Johnson had been criticized for not having a written disaster recovery plan and for his handling of the 2019 attack, which was estimated to cost the city $18 million.[18] He was replaced by deputy director Todd Carter, who later became the permanent IT director in February 2020 after Johnson left the role in October.[19]