

Robbinhood: Inside the Ransomware That Slammed Baltimore

Attackers appear to have used a ransomware-as-a-service platform to wage the attack.

It's been nearly one month now since the City of Baltimore was hit with a nasty ransomware attack that locked down its servers, left the city government without email and telecommunications, and disrupted real-estate transactions and bill payments, forcing city offices to rely on Gmail and Google Voice accounts to conduct daily business and support residents.

To date the city continues to struggle in the aftermath, without a fully functional email system and other services, but it has mostly kept the details of the May 7 attack under wraps. Some security experts, meanwhile, have obtained and studied samples of the so-called Robbinhood ransomware used in the attack, shedding some light on the code behind a devastating, high-profile attack that disrupted the operations of a major city.

Robbinhood has no known ties to existing malware families, they found, nor does it contain a self-propagation function, meaning it requires another method to spread from machine to machine. There was no sign in its code of the EternalBlue exploit, which was highlighted in a recent New York Times report as a key vehicle for spreading the ransomware in the Baltimore attack. Experts say it's possible the attackers used EternalBlue in at least part of the attack on the city, but they have no proof at this time.

A more common scenario, and one that has become popular among ransomware attackers going after financially lucrative targets such as businesses and large organizations, is that the attackers planted the ransomware manually, for example by using stolen credentials and the Remote Desktop Protocol (RDP).

Most ransomware attacks today are more manual than worm events: many attackers now initially drop backdoors such as Trickbot that gather information about the data and servers on the victim network, and they then target the specific servers and systems that look most valuable.

"Threat actors choose infection vectors based on their target. If their target has vulnerable servers or systems that can be exploited, they might use an exploit to deliver ransomware, and EternalBlue is one example of" such an exploit, says Christopher Elisan, director of intelligence at Flashpoint, who has studied a sample of the Robbinhood ransomware. "There was no evidence that EternalBlue was being used to spread Robbinhood. But it's not impossible that EternalBlue was another infection vector."

If a target has some of its user credentials for sale in the Dark Web, for instance, it's sometimes simpler for an attacker to procure those and log in via RDP to plant the malware, he says. "Or if the target doesn't have good user awareness, they might just try using spam."

Joe Stewart, an independent consultant working with Armor on analyzing Robbinhood, found no signs of EternalBlue in Robbinhood's binary code, either. "It actually requires some other method of deployment," Stewart notes. It could be planted manually, or via a domain controller or other dropper, he says. And that dropper could possibly also contain EternalBlue.

"In my scenario, EternalBlue wouldn't give them access to servers, but it would be something they might leverage to get to a workstation that then would give them lateral access to servers to get to the domain controller, etc., to deploy malware on specific, critical systems that would cause the most pain," he explains.

The first stage of the attack, how the attacker got in and with what malware, if any, is still a mystery, he says.

Stewart found that Robbinhood was written in the Golang (aka Go) programming language created by Google. Go is rarely used for ransomware: "We don't see that too terribly often, but it's getting more popular," he says. He says he found no relationship between Robbinhood and any other known malware families.

Like most ransomware today, Robbinhood tries to disable security applications and backup systems, he says. "It will try and disconnect network drives and delete certain extensions in network drives and network shares where backups" are, he says. "That's what you'd expect" in ransomware, he says.

It also appears the Robbinhood attackers are using, or are peddling, Robbinhood as a ransomware-as-a-service. Stewart says the panel interface used by the attacker to communicate with the city in the wake of the attack contains signs of a service model. "It's set up exactly like a multi-tenant system," he says. "The malware is created with the click of a button based on input to the panel," for example. And the malware appears to use an embedded template.

"It seems more like ransomware-as-a-service than somebody hacking it independently and developing its own payload."

He says the same is true for the earlier attack on the City of Greenville, N.C. "It's definitely the same service. The binary we have associated with the Greenville attack is Robbinhood," Stewart says. But each has different IDs embedded in the templates, he says, for the respective targets.

Long Road for Charm City

Most ransomware attacks don't take as long to recover from as Baltimore's incident. According to a recent study by email security service Mimecast, 42% of public sector organizations had been hit with a disruptive ransomware attack in the last month; 44% suffered two to three days of downtime in the wake of a ransomware attack, and 30% suffered four to five days.

"Ultimately ... ransomware today is becoming much more targeted because it's about financial gain," says Josh Douglas, vice president of threat intelligence at Mimecast.

But so far, Baltimore hasn't paid the ransom of $17,600 in bitcoin per system—a total of about $76,280—to the Robbinhood attackers. Mayor Bernard C. "Jack" Young, who previously declared the city would not pay the ransom, did appear to recently leave the door open for a change of heart. His office has not responded to multiple media inquiries about the attack over the past few weeks.

Myles Handy, press secretary for the Baltimore City Council President Brandon Scott, says the city's email and other systems are "in the process" of being brought back online. When the city's systems are fully operational, the Council plans to convene a select committee to study the city's cybersecurity posture and response to the ransomware attack, he says.

The committee will "review the entire attack from the moment we were [attacked] until the moment it was resolved," he says, and will focus on what could have been done and how the investigation into the attack unfolded.

Handy declined to comment on the attack or on the now-suspended Twitter account that researchers at Armor have since tied to the actual attacker or attackers who launched Robbinhood on the city's servers, citing the FBI's investigation of the attack.

Adding insult to injury, Robbinhood's attacker spent weeks taunting and threatening the mayor on Twitter to get him to pay the ransom, while leaking screenshots of confidential city documents and what purported to be user credentials via the now-defunct social media account.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
6/6/2019 | 2:38:17 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
Vulnerable target too - most state and government entities have lousy IT budgets and probably little in the way of any defense points. Even so, they do have some money and they have to run 24-7 too. Same as a hospital, but that probably has better defense lines. So cities, county and state governments are GREAT targets for a hacker. Most infections (as in North Carolina) begin with one user opening an email and WHAMMO, that ends the game. Government may not have the research tool for email digging either, so ... until we know more, this also proves there was NO DISASTER RECOVERY plan or backup protocol in place for a NORMAL server failure. HEY - THOSE HAPPEN TOO ya know. Sad
User Rank: Ninja
6/5/2019 | 9:43:05 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
That's a good point, Kelly.  Much like a lock pick set, a well-made tool and some practice is all you need to gain access.  In reading through past news items, it does seem as if some folks who get nabbed using these tools are not skilled or savvy cybercriminals.  This may be one reason why law enforcement agencies have been hard on coders who have had a hand in programming malware, rootkits and other tools used to commit crimes.  Even if they don't use them for their own gain, the impact is still great with the number of folks trying to use them to achieve malicious ends. 
Kelly Jackson Higgins
User Rank: Strategist
6/5/2019 | 6:33:46 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
It doesn't take a hacker to execute a ransomware attack, that's for sure. RaaS makes it eerily easy for anyone to do it, not unlike DDoS-for-hire services. 
User Rank: Moderator
6/5/2019 | 4:52:51 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
Very informative article! It is very useful to the IT security community to get as much information on the latest exploits as possible in order to stay up-to-date on the malware attack techniques that are being used in the field.

It is logical that ransomware-as-a-service would be a new fertile ground for commercial hacking actors. Why not automate the whole transaction and just watch the money roll in?

In the Information Age, this is exactly what one would expect about now.