{
	"id": "41b5b55e-fea7-4df7-84e9-e4b029140f4e",
	"created_at": "2026-04-06T00:09:57.3631Z",
	"updated_at": "2026-04-10T13:12:55.95483Z",
	"deleted_at": null,
	"sha1_hash": "d7485864d0335815748f343c9736ba36c4601ce2",
	"title": "Baltimore ransomware attack was early attempt at data extortion, new report shows",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35093,
	"plain_text": "Baltimore ransomware attack was early attempt at data extortion,\r\nnew report shows\r\nBy Benjamin Freed\r\nPublished: 2020-09-25 · Archived: 2026-04-05 15:17:15 UTC\r\nThe May 2019 ransomware attack against Baltimore that debilitated municipal services for weeks, cost the city\r\ngovernment as much as to $18 million and led to the ouster of the city’s chief information officer also included an\r\nearly attempt by hackers pressuring a victim into paying up by threatening to publish stolen data, according to\r\nresearch published this week by the cybersecurity company CrowdStrike.\r\nIn a blog post Thursday, the company said that two days after the Baltimore hack was reported, the actor behind it\r\nposted a message on the dark web threatening to expose or destroy the city’s compromised data, in an attempt to\r\nextort then-Mayor Bernard C. “Jack” Young into paying a ransom of about $76,000.\r\n“Hey, Jack Young and other Baltimore leaders. In 7 June 2019 thats your dead line, well remove all of things weve\r\nhad about your city and you can tell other [redacted] to help you for getting back [redacted]. This final dead line\r\nand never ever gonna back,” read the message from the actor behind the RobbinHood ransomware, which\r\nCrowdStrike calls Outlaw Spider.\r\nYoung refused to pay, but the message now sticks out as an early example of a step that’s since become typical of\r\nransomware incidents.\r\n“Although ineffective, the incident with the [City of Baltimore] and Outlaw Spider was the first instance observed\r\nby CrowdStrike Intelligence of data extortion to incentivize ransom payment,” the CrowdStrike blog reads.\r\nAttempting to extort ransomware victims into paying by threatening to publish stolen files was popularized last\r\nNovember with the rise of Maze malware. The actors behind that ransomware pioneered the tactic of creating a\r\npublicly accessible website where victims are listed, along with samples of stolen files and threats to publish or\r\nsell full volumes of exfiltrated data unless the hackers are paid off. Other well-known ransomware actors,\r\nincluding those behind the REvil and DoppelPaymer malwares, have since adopted the practice. The change in\r\ntactics is natural for an enterprise that’s motivated by making as much money as possible.\r\n“It’s continuing to evolve,” Adam Meyers, CrowdStrike’s vice president of intelligence, told StateScoop in a\r\nphone interview.\r\nMeyers said the extortion sites are an outgrowth of the trend lines seen in ransomware over the past five or six\r\nyears. As cryptocurrency ransoms became more valuable, he said, hackers changed their targets from individual\r\nvictims to enterprises like corporations and government organizations — what CrowdStrike and other\r\ncybersecurity firms call “big game hunting.”\r\nIn attempting to goad victims into paying ransoms by threatening to expose potentially sensitive information,\r\nMeyers said, negotiations between hacker and victim “are commoditized.”\r\nhttps://statescoop.com/baltimore-ransomware-crowdstrike-extortion/\r\nPage 1 of 2\n\n“These guys are financially motivated, they’re in it for the money,” he said.\r\nMeyers said IT organizations need to continue taking many of the oft-recommended cyber hygiene steps,\r\nincluding regular security patching and implementing endpoint-detection tools. But he also said organizations\r\nneed to invest in newer tools like “next-generation” antivirus platforms that use machine learning to detect\r\nmalicious activity.\r\nAnd he also said 2020 has been a good year for ransomware actors and other cybercriminals, which he credited in\r\npart to the fact that the explosion of remote-work environments brought on by the COVID-19 crisis has created\r\nmany more entry points for attackers.\r\n“We’ve seen as many attacks in the first half of 2020 as we did in all of 2019,” he said. “It’s recession proof, it’s\r\npandemic proof.”\r\nMeyers echoed previous findings that cybercriminals are tailoring their phishing messages to play off public\r\nhealth and economic crises.\r\n“Covid’s been a boon for the threat actors because it gave them so many things to capitalize on,” he said. “Threat\r\nactors capitalize on fear or greed. Greed is powerful, but when people think they’re going to die or be out of\r\nbusiness, now you’ve got a much more powerful tool in your quiver.”\r\nSource: https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/\r\nhttps://statescoop.com/baltimore-ransomware-crowdstrike-extortion/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/"
	],
	"report_names": [
		"baltimore-ransomware-crowdstrike-extortion"
	],
	"threat_actors": [
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7485864d0335815748f343c9736ba36c4601ce2.pdf",
		"text": "https://archive.orkl.eu/d7485864d0335815748f343c9736ba36c4601ce2.txt",
		"img": "https://archive.orkl.eu/d7485864d0335815748f343c9736ba36c4601ce2.jpg"
	}
}