If you’re wondering why ransomware continues to be such a problem for state and local governments and other public institutions, all you have to do to get an answer is poke around the Internet a little. Publicly accessible security-scan data shows that many public organizations have failed to do more than put a bandage over long-standing system vulnerabilities that, if successfully exploited, could bring their operations to a standstill.
While the method by which RobbinHood ransomware infected the network of Baltimore City two weeks ago is still unknown, insiders within city government have pointed to the incomplete efforts by the Office of Information Technology to get a handle on the city’s tangle of software, aging servers, and wide-flung network infrastructure. Baltimore isn’t even the only city to have been hit by ransomware in the last month—Lynn, Massachusetts, and Cartersville, Georgia, both had electronic payment systems taken offline by ransomware this month. Greenville, North Carolina, was struck by the same RobbinHood ransomware affecting Baltimore in April.
But cities aren’t the only highly vulnerable targets to be found by would-be attackers. There are hundreds of thousands of Internet-connected Windows systems in the United States that still appear to be vulnerable to an exploit of Microsoft Windows’ Server Message Block version 1 (SMB v. 1) file sharing protocol, despite repeated public warnings to patch systems following the worldwide outbreak of the WannaCry cryptographic malware two years ago. And based on data from the Shodan search engine and other public sources, hundreds of them—if not thousands—are servers in use at US public school systems.
While conducting research as a follow-up to our coverage of Baltimore City’s ongoing ransomware attack, Ars discovered that neighboring Baltimore County’s public school system had eight publicly accessible servers that still were running in configurations that indicated they were vulnerable to EternalBlue, the Equation Group exploit exposed by Shadow Brokers in April 2017 and then used as part of the WannaCry malware a month later. The exploit is now packaged as part of multiple malware kits, according to security researchers.
“I’ll check with our IT team”
Ars reached out to a Baltimore County Public Schools (BCPS) spokesperson last week, who responded, “I’ll check with our IT team.” There was no further response from BCPS, but the school system’s IT team has configured filtering for SMB requests on the district’s firewall, based on technical data collected by Ars—the bare minimum required to prevent an attack by a WannaCry clone. It’s not clear if Baltimore County applied the patch for the exploit within its network, however—which means that a malware attack based on EternalBlue could still spread if an attacker gained a foothold on the district’s network.
And unfortunately, there are scores of other school systems and other state and local institutions running exposed servers. And the systems counted are only those directly accessible from the Internet, so they represent just a fraction of the potential vulnerability to ransomware or other malware. Some of the other districts hosting the largest number of potentially vulnerable systems included:
Furthermore, the fact that these systems remain unpatched a full two years after WannaCry—and after Microsoft pushed out emergency patches for even no-longer-supported operating systems—raises the question as to what other critical security patches these organizations didn’t patch.
There are some aberrations in the Shodan data. For example, Shodan associated 230 vulnerable Windows server instances with a public school district in Littleton, Colorado. But that was a misreading of the address blocks associated with the systems—they were, in fact, virtual machines belonging to a German hosting provider that shared the same IP address block. That’s hardly good news—it just shows how pervasive the lack of patching is worldwide.