Robbinhood: Inside the Ransomware That Slammed Baltimore

Attackers appear to have used a ransomware-as-a-service platform to wage the attack.

It's been nearly one month now since the City of Baltimore was hit with a nasty ransomware attack that locked down its servers and left the city government without email and telecommunications, disrupted real-estate transactions and bill payments, and forced city offices to rely on Gmail and Google Voice accounts to conduct daily business and support residents.

The city to date continues to struggle in the aftermath without a fully functional email system and other services, but has mostly kept the details of the May 7 attack under wraps. Some security experts, meanwhile, have obtained and studied samples of the so-called Robbinhood ransomware used in the attack, shedding some light on the code behind a devastating, high-profile attack that disrupted the operations of a major city.

Robbinhood has no known ties to existing malware families, they found, nor does it contain a self-propagation function, meaning it requires another method to spread from machine to machine. There was no sign in its code of the EternalBlue exploit, which was highlighted in a recent New York Times report as a key vehicle for spreading the ransomware in the Baltimore attack. Experts say it's possible the attackers used EternalBlue in at least part of the attack on the city, but they have no proof at this time.

A more common scenario, and one that has become popular among ransomware attackers going after financially lucrative targets such as businesses and large organizations, is that the attackers planted the ransomware manually, for example using stolen credentials and the Remote Desktop Protocol (RDP).

Most ransomware attacks today are more manual than worm events: many attackers now initially drop backdoors like Trickbot that gather information about the data and servers on the victim network, and they then target specific servers and systems that look most valuable.

"Threat actors choose infection vectors based on their target. If their target has vulnerable servers or systems that can be exploited, they might use an exploit to deliver ransomware, and EternalBlue is one example of" such an exploit, says Christopher Elisan, director of intelligence at Flashpoint, who has studied a sample of the Robbinhood ransomware. "There was no evidence that EternalBlue was being used to spread Robbinhood. But it's not impossible that EternalBlue was another infection vector."

If a target has some of its user credentials for sale in the Dark Web, for instance, it's sometimes simpler for an attacker to procure those and log in via RDP to plant the malware, he says. "Or if the target doesn't have good user awareness, they might just try using spam."

Joe Stewart, an independent consultant working with Armor on analyzing Robbinhood, found no signs of EternalBlue in Robbinhood's binary code, either. "It actually requires some other method of deployment," Stewart notes. It could be planted manually, or via a domain controller or other dropper, he says. And that dropper could possibly also contain EternalBlue.

"In my scenario, EternalBlue wouldn't give them access to servers, but it would be something they might leverage to get to a workstation that then would give them lateral access to servers to get to the domain controller, etc., to deploy malware on specific, critical systems that would cause the most pain," he explains.

Still a mystery is the first stage of the attack: how the attacker got in, and with what malware, if any, he says.

Stewart found that Robbinhood was written in the Golang (aka Go) programming language created by Google. Go is rarely used for ransomware: "We don't see that too terribly often, but it's getting more popular," he says. He says he found no relationship between Robbinhood and any other known malware families.

Like most ransomware today, Robbinhood tries to disable security applications and backup systems, he says. "It will try and disconnect network drives and delete certain extensions in network drives and network shares where backups" are, he says. "That's what you'd expect" in ransomware, he says.

It also appears the Robbinhood attackers are using, or are peddling, Robbinhood as a ransomware-as-a-service. Stewart says the panel interface used by the attacker to communicate with the city in the wake of the attack contains signs of a service model. "It's set up exactly like a multi-tenant system," he says. "The malware is created with the click of a button based on input to the panel," for example. And the malware appears to use an embedded template.

"It seems more like ransomware-as-a-service than somebody hacking it independently and developing its own payload."

He says the same is true for the earlier attack on the City of Greenville, N.C. "It's definitely the same service. The binary we have associated with the Greenville attack is Robbinhood," Stewart says. But each has different IDs embedded in the templates, he says, for the respective targets.

Long Road for Charm City

Most ransomware attacks don't take as long to recover from as Baltimore's incident. According to a recent study by email security service Mimecast, 42% of public sector organizations had been hit with a disruptive ransomware attack in the last month; 44% suffered two to three days of downtime in the wake of a ransomware attack, and 30% suffered four to five days.

"Ultimately ... ransomware today is becoming much more targeted because it's about financial gain," says Josh Douglas, vice president of threat intelligence at Mimecast.

But so far, Baltimore hasn't paid the ransom of $17,600 in bitcoin per system—a total of about $76,280—to the Robbinhood attackers. Mayor Bernard C. "Jack" Young, who previously declared the city would not pay the ransom, did appear to recently leave the door open for a change of heart. His office has not responded to multiple media inquiries about the attack over the past few weeks.

Myles Handy, press secretary for the Baltimore City Council President Brandon Scott, says the city's email and other systems are "in the process" of being brought back online. When the city's systems are fully operational, the Council plans to convene a select committee to study the city's cybersecurity posture and response to the ransomware attack, he says.

The committee will "review the entire attack from the moment we were [attacked] until the moment it was resolved," he says, and will focus on what could have been done and how the investigation into the attack unfolded.

Handy declined to comment on the attack or the now-suspended Twitter account that researchers at Armor since have tied to the actual attacker or attackers that launched Robbinhood on the city's servers, citing the FBI's investigation of the attack.

Adding insult to injury, Robbinhood's attacker for weeks taunted and threatened the mayor to pay the ransom via Twitter, while leaking screenshots of confidential city documents and what purported to be user credentials, via the now-defunct social media account.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
6/6/2019 | 2:38:17 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
Vulnerable target too - most state and government entities have lousy IT budgets and probably little in the way of any defense points.  Even so, they do have some money and they have to run 24-7 too.  Same as a hospital but that probably has better defense lines.  So Cities, county and state government are GREAT targets for a hacker.   Most infections (as in North Carolina) begin with one user opening an email and WHAMMO that ends the game.  Government may not have the research tool for email digging either so ....... until we know more, also proves NO DISASTER RECOVERY plan, backup protocol in place for a NORMAL server failure. HEY - THOSE HAPPEN TOO ya know.  Sad
User Rank: Ninja
6/5/2019 | 9:43:05 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
That's a good point, Kelly.  Much like a lock pick set, a well-made tool and some practice is all you need to gain access.  In reading through past news items, it does seem as if some folks who get nabbed using these tools are not skilled or savvy cybercriminals.  This may be one reason why law enforcement agencies have been hard on coders who have had a hand in programming malware, rootkits and other tools used to commit crimes.  Even if they don't use them for their own gain, the impact is still great with the number of folks trying to use them to achieve malicious ends. 
Kelly Jackson Higgins
User Rank: Strategist
6/5/2019 | 6:33:46 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
It doesn't take a hacker to execute a ransomware attack, that's for sure. RaaS makes it eerily easy for anyone to do it, not unlike DDoS-for-hire services. 
User Rank: Moderator
6/5/2019 | 4:52:51 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
Very informative article! It is very useful to the IT security community to get as much information on the latest exploits as possible in order to stay up-to-date on the malware attack techniques that are being used in the field.

It is logical that ransomware-as-a-service would be a new fertile ground for commercial hacking actors. Why not automate the whole transaction and just watch the money roll in?

In the Information Age, this is exactly what one would expect about now.