Robbinhood: Inside the Ransomware That Slammed Baltimore

Published: 23/11/2024   Category: security

Attackers appear to have used a ransomware-as-a-service platform to wage the attack.



It's been nearly one month now since the City of Baltimore was hit with a nasty ransomware attack that locked down its servers, left the city government without email and telecommunications, disrupted real-estate transactions and bill payments, and forced city offices to rely on Gmail and Google Voice accounts to conduct daily business and support residents.
The city to date continues to struggle in the aftermath without a fully functional email system and other services, but has mostly kept the details of the May 7 attack under wraps. Some security experts meanwhile have obtained and studied samples of the so-called Robbinhood ransomware used in the attack, shedding some light on the code behind the devastating and high-profile attack that disrupted a major city's operations.
Robbinhood has no known ties to existing malware families, they found, nor does it contain a self-propagation function, meaning it requires another method to spread from machine to machine. There was no sign in its code of the EternalBlue exploit, which was highlighted in a recent New York Times report as a key vehicle for spreading the ransomware in the Baltimore attack. Experts say it's possible the attackers used EternalBlue in at least part of the attack on the city, but they have no proof at this time.
A more common scenario, which has become popular among ransomware attackers going after more financially lucrative targets such as businesses and large organizations, is that the attackers planted the ransomware manually, using stolen credentials and the Remote Desktop Protocol (RDP), for example.
Most ransomware attacks today are more manual than worm events: many attackers now initially drop backdoors like Trickbot that gather information about the data and servers on the victim network, and they then target the specific servers and systems that look most valuable.
"Threat actors choose infection vectors based on their target. If their target has vulnerable servers or systems that can be exploited, they might use an exploit to deliver ransomware, and EternalBlue is one example of such an exploit," says Christopher Elisan, director of intelligence at Flashpoint, who has studied a sample of the Robbinhood ransomware. "There was no evidence that EternalBlue was being used to spread Robbinhood. But it's not impossible that EternalBlue was another infection vector."
If a target has some of its user credentials for sale on the Dark Web, for instance, it's sometimes simpler for an attacker to procure those and log in via RDP to plant the malware, he says. "Or if the target doesn't have good user awareness, they might just try using spam."
Joe Stewart, an independent consultant working with Armor on analyzing Robbinhood, found no signs of EternalBlue in Robbinhood's binary code, either. "It actually requires some other method of deployment," Stewart notes. It could be planted manually, or via a domain controller or other dropper, he says. "And that dropper could possibly also contain EternalBlue."
"In my scenario, EternalBlue wouldn't give them access to servers, but it would be something they might leverage to get to a workstation that then would give them lateral access to servers to get to the domain controller, etc., to deploy malware on specific, critical systems that would cause the most pain," he explains.
Still a mystery is the first stage of the attack: how the attacker got in, and with what malware, if any, he says.
Stewart found that Robbinhood was written in the Go (aka Golang) programming language created by Google. Go is rarely used for ransomware: "We don't see that too terribly often, but it's getting more popular," he says. He found no relationship between Robbinhood and any other known malware families.
Like most ransomware today, Robbinhood tries to disable security applications and backup systems, he says. "It will try and disconnect network drives and delete certain extensions in network drives and network shares where backups are," he says. "That's what you'd expect in ransomware."
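The behaviours Stewart describes (stopping security or backup services, disconnecting mapped network drives, deleting backup files on network shares) are visible in ordinary process-creation telemetry before encryption starts. The following is an added defensive example, not code from the article, from Armor, or from any Robbinhood analysis: a small Python detector that runs three rules over JSON process-creation events. The sample events, the watched service names and the backup file extensions are constructed assumptions for illustration; the article does not name the real services or extensions Robbinhood targets.

```python
"""Flag process-creation events that show the backup-tampering behaviours the
article attributes to Robbinhood: stopping security or backup services,
disconnecting mapped network drives, and deleting backup-style files on
network shares. Constructed example; the log lines, service names and file
extensions below are assumptions for illustration, not indicators taken from
the Robbinhood sample or from Baltimore's environment."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed service names a defender would watch; tune to the environment.
WATCHED_SERVICES = {"vss", "wbengine", "windefend", "mssqlserver", "backupexec"}
# Assumed backup-style extensions; the article does not name the real ones.
BACKUP_EXTS = (".bak", ".bkf", ".vhd", ".vhdx", ".vbk", ".tib")

RE_SERVICE_STOP = re.compile(r'^(?:net1?|sc)(?:\.exe)?\s+stop\s+"?([\w.$-]+)', re.I)
RE_DRIVE_DISCONNECT = re.compile(r"^net1?(?:\.exe)?\s+use\s+(\S+)\s+/delete", re.I)
RE_DELETE_ON_SHARE = re.compile(r"^(?:del|erase)\s+(?:/\S+\s+)*(\\\\\S+)", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    detail: str


def normalize(cmd: str) -> str:
    """Reduce a Windows command line to '<exe basename> <args>' so the rules
    match regardless of quoting, full paths or a 'cmd /c' wrapper."""
    cmd = cmd.strip()
    cmd = re.sub(r'^"?cmd(?:\.exe)?"?\s+/c\s+', "", cmd, flags=re.I)
    m = re.match(r'^"([^"]+)"(.*)$|^(\S+)(.*)$', cmd, re.S)
    if not m:
        return cmd
    exe, rest = (m.group(1), m.group(2)) if m.group(1) is not None else (m.group(3), m.group(4))
    return exe.rsplit("\\", 1)[-1] + rest


def analyze(lines):
    """Run the three rules over JSON process-creation events; return Findings."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        host, user = ev["Computer"], ev["User"]
        cmd = normalize(ev["CommandLine"])
        if (m := RE_SERVICE_STOP.match(cmd)) and m.group(1).lower() in WATCHED_SERVICES:
            findings.append(Finding(host, user, "service_stop", m.group(1)))
        elif (m := RE_DRIVE_DISCONNECT.match(cmd)):
            findings.append(Finding(host, user, "drive_disconnect", m.group(1)))
        elif (m := RE_DELETE_ON_SHARE.match(cmd)) and m.group(1).lower().endswith(BACKUP_EXTS):
            findings.append(Finding(host, user, "backup_delete_on_share", m.group(1)))
    return findings


def hosts_with_multiple_rules(findings):
    """Hosts that tripped more than one rule: several of these behaviours on
    one machine is a stronger signal than any single one."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    return {h for h, r in rules.items() if len(r) > 1}


# Constructed sample events (not real telemetry), in a Sysmon-like shape.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"Computer": "WS-FIN-07", "User": r"CORP\jdoe",
     "CommandLine": r'"C:\Windows\System32\net.exe" stop vss'},
    {"Computer": "WS-FIN-07", "User": r"CORP\jdoe",
     "CommandLine": r"net use Z: /delete /y"},
    {"Computer": "SRV-APP-02", "User": r"CORP\svc_deploy",
     "CommandLine": r"cmd.exe /c del /f /q \\fs01\backups\finance.bak"},
    {"Computer": "SRV-APP-02", "User": r"CORP\svc_deploy",
     "CommandLine": r'"C:\Program Files\Backup\agent.exe" --heartbeat'},
    {"Computer": "WS-HR-03", "User": r"CORP\asmith",
     "CommandLine": r"sc stop Spooler"},
    {"Computer": "WS-HR-03", "User": r"CORP\asmith",
     "CommandLine": r"del C:\Users\asmith\notes.txt"},
]]

if __name__ == "__main__":
    results = analyze(SAMPLE_LINES)
    for f in results:
        print(f"{f.host:<10} {f.user:<16} {f.rule:<24} {f.detail}")
    print("escalate:", sorted(hosts_with_multiple_rules(results)))
```

On the constructed sample, the first three events produce findings and the benign agent heartbeat, the stop of an unwatched service and the local file delete do not; WS-FIN-07 is the one host that tripped two different rules. The point of `hosts_with_multiple_rules` is that any single rule fires on legitimate administration too, while a service stop plus a drive disconnect on the same workstation in a short window is the pre-encryption pattern worth paging on.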
It also appears the Robbinhood attackers are using, or are peddling, Robbinhood as a ransomware-as-a-service. Stewart says the panel interface the attacker used to communicate with the city in the wake of the attack contains signs of a service model. "It's set up exactly like a multi-tenant system," he says. The malware is created with the click of a button based on input to the panel, for example, and it appears to use an embedded template.
"It seems more like ransomware-as-a-service than somebody hacking it independently and developing its own payload."
He says the same is true for the earlier attack on the City of Greenville, N.C. "It's definitely the same service. The binary we have associated with the Greenville attack is Robbinhood," Stewart says. But each has different IDs embedded in the templates for the respective targets, he says.
Long Road for Charm City
Most ransomware attacks don't take as long to recover from as Baltimore's incident. According to a recent study by email security service Mimecast, 42% of public sector organizations had been hit with a disruptive ransomware attack in the last month; 44% suffered two to three days of downtime in the wake of a ransomware attack, and 30% suffered four to five days.
"Ultimately ... ransomware today is becoming much more targeted because it's about financial gain," says Josh Douglas, vice president of threat intelligence at Mimecast.
But so far, Baltimore hasn't paid the ransom of $17,600 in bitcoin per system (a total of about $76,280) to the Robbinhood attackers. Mayor Bernard C. "Jack" Young, who previously declared the city would not pay the ransom, did appear to recently leave the door open for a change of heart. His office has not responded to multiple media inquiries about the attack over the past few weeks.
Myles Handy, press secretary for Baltimore City Council President Brandon Scott, says the city's email and other systems are in the process of being brought back online. When the city's systems are fully operational, the Council plans to convene a select committee to study the city's cybersecurity posture and its response to the ransomware attack, he says.
The committee "will review the entire attack from the moment we were [attacked] until the moment it was resolved," he says, and will focus on what could have been done and how the investigation into the attack unfolded.
Handy declined to comment on the attack or on the now-suspended Twitter account that researchers at Armor have since tied to the actual attacker or attackers that launched Robbinhood on the city's servers, citing the FBI's investigation of the attack.
Adding insult to injury, Robbinhood's attacker for weeks taunted and threatened the mayor via Twitter to pay the ransom, while leaking screenshots of confidential city documents and what purported to be user credentials through the now-defunct social media account.
Related Content:
Baltimore Ransomware Attack Takes Strange Twist
Baltimore Hit with Hack on 911 System
The Ransomware Dilemma: What if Your Local Government Is Next?
7 Recent Wins Against Cybercrime
