
6/4/2019
05:00 PM

Robbinhood: Inside the Ransomware That Slammed Baltimore

Attackers appear to have used a ransomware-as-a-service platform to wage the attack.

It's been nearly one month since the City of Baltimore was hit with a nasty ransomware attack that locked down its servers, left the city government without email and telecommunications, and disrupted real-estate transactions and bill payments, forcing city offices to rely on Gmail and Google Voice accounts to conduct daily business and support residents.

The city continues to struggle in the aftermath without a fully functional email system and other services, but has mostly kept the details of the May 7 attack under wraps. Some security experts, meanwhile, have obtained and studied samples of the so-called Robbinhood ransomware used in the attack, shedding some light on the code behind the devastating, high-profile disruption of a major city's operations.

Robbinhood has no known ties to existing malware families, they found, nor does it contain a self-propagation function, meaning it requires another method to spread from machine to machine. There was no sign in its code of the EternalBlue exploit, which was highlighted in a recent New York Times report as a key vehicle for spreading the ransomware in the Baltimore attack. Experts say it's possible the attackers used EternalBlue in at least part of the attack on the city, but they have no proof at this time.

A more common scenario among ransomware attackers going after financially lucrative targets such as businesses and large organizations is that the attackers plant the ransomware manually, for example by using stolen credentials and the Remote Desktop Protocol (RDP) to log in.

Most ransomware attacks today are more manual than worm events: many attackers now initially drop backdoors like Trickbot that gather information about the data and servers on the victim network, and they then target specific servers and systems that look most valuable.

"Threat actors choose infection vectors based on their target. If their target has vulnerable servers or systems that can be exploited, they might use an exploit to deliver ransomware, and EternalBlue is one example of" such an exploit, says Christopher Elisan, director of intelligence at Flashpoint, who has studied a sample of the Robbinhood ransomware. "There was no evidence that EternalBlue was being used to spread Robbinhood. But it's not impossible that EternalBlue was another infection vector."

If a target has some of its user credentials for sale in the Dark Web, for instance, it's sometimes simpler for an attacker to procure those and log in via RDP to plant the malware, he says. "Or if the target doesn't have good user awareness, they might just try using spam."
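The stolen-credentials-plus-RDP path described above is one a defender can watch for in the Windows Security log. The script below is an added example, not code from the article or from any Robbinhood analysis: Windows records a failed logon as event 4625 and a successful one as 4624, and a 4624 with LogonType 10 (RemoteInteractive) is an RDP session. The detector flags a successful RDP logon that follows a burst of failures for the same account and source, or that comes from an address outside an allow-list of networks expected to open RDP sessions. The sample events and the allow-list network are constructed for this example.

```python
"""Flag suspicious RDP logons in Windows Security-log events.

Added example, not code from the Dark Reading article or from any Robbinhood
sample. Windows logs a failed logon as event 4625 and a successful one as 4624;
LogonType 10 on a 4624 means RemoteInteractive, i.e. an RDP session. The
detector reports an RDP logon when it follows a burst of failures for the same
account and source (password guessing / credential stuffing) or when it comes
from a source outside the allow-list of networks expected to reach RDP.
The events and the allow-list below are constructed for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumption: a log forwarder has already flattened
# the EVTX fields into these keys). Times are ISO-8601, UTC.
SAMPLE_EVENTS = [
    # Five failures from an Internet address, then a success: password guessing.
    {"time": "2019-05-06T22:01:10", "id": 4625, "user": "svc_backup", "src": "203.0.113.45", "type": 10},
    {"time": "2019-05-06T22:01:14", "id": 4625, "user": "svc_backup", "src": "203.0.113.45", "type": 10},
    {"time": "2019-05-06T22:01:19", "id": 4625, "user": "svc_backup", "src": "203.0.113.45", "type": 10},
    {"time": "2019-05-06T22:01:23", "id": 4625, "user": "svc_backup", "src": "203.0.113.45", "type": 10},
    {"time": "2019-05-06T22:01:27", "id": 4625, "user": "svc_backup", "src": "203.0.113.45", "type": 10},
    {"time": "2019-05-06T22:02:05", "id": 4624, "user": "svc_backup", "src": "203.0.113.45", "type": 10},
    # An admin mistyping a password twice from the internal jump host: benign.
    {"time": "2019-05-06T22:10:00", "id": 4625, "user": "admin", "src": "10.10.4.22", "type": 10},
    {"time": "2019-05-06T22:10:05", "id": 4625, "user": "admin", "src": "10.10.4.22", "type": 10},
    {"time": "2019-05-06T22:10:30", "id": 4624, "user": "admin", "src": "10.10.4.22", "type": 10},
    # A network logon (LogonType 3, e.g. SMB): not RDP, so out of scope here.
    {"time": "2019-05-06T22:15:00", "id": 4624, "user": "jdoe", "src": "10.10.7.9", "type": 3},
]

# Assumption: only the internal jump-host network should ever open RDP sessions.
ALLOWED_RDP_SOURCES = ["10.10.4.0/24"]


def find_suspicious_rdp_logons(events, allowed_nets, fail_threshold=5,
                               window=timedelta(minutes=10)):
    """Return one finding per successful RDP logon that looks suspicious."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    failures = defaultdict(list)          # (user, src) -> failure timestamps
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["src"])
        if ev["id"] == 4625:
            failures[key].append(ts)
            continue
        if ev["id"] != 4624 or ev.get("type") != 10:
            continue                      # only successful RDP logons matter
        reasons = []
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= fail_threshold:
            reasons.append(f"{len(recent)} failed logons in the previous {window}")
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in allowed):
            reasons.append(f"source {ev['src']} is outside the RDP allow-list")
        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"],
                             "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp_logons(SAMPLE_EVENTS, ALLOWED_RDP_SOURCES):
        print(f"{f['time']} {f['user']}@{f['src']}: " + "; ".join(f["reasons"]))
```

On the sample data only the svc_backup logon is reported, for both reasons; the admin's two typos stay under the threshold and come from an allowed network, and the LogonType 3 event is ignored because it is not an RDP session. The allow-list check is the more valuable of the two in practice, since an attacker who bought a valid password from a credential dump succeeds on the first try and never produces a failure burst.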

Joe Stewart, an independent consultant working with Armor on analyzing Robbinhood, found no signs of EternalBlue in Robbinhood's binary code, either. "It actually requires some other method of deployment," Stewart notes. It could be planted manually, or via a domain controller or other dropper, he says. And that dropper could possibly also contain EternalBlue.

"In my scenario, EternalBlue wouldn't give them access to servers, but it would be something they might leverage to get to a workstation that then would give them lateral access to servers to get to the domain controller, etc., to deploy malware on specific, critical systems that would cause the most pain," he explains.

Still a mystery is the first stage of the attack: how the attacker got in, and with what malware, if any, he says.

Stewart found that Robbinhood was written in the Golang (aka Go) programming language created by Google. Go is rarely used for ransomware: "We don't see that too terribly often, but it's getting more popular," he says. He says he found no relationship between Robbinhood and any other known malware families.

Like most ransomware today, Robbinhood tries to disable security applications and backup systems, he says. "It will try and disconnect network drives and delete certain extensions in network drives and network shares where backups" are, he says. "That's what you'd expect" in ransomware, he says.

It also appears the Robbinhood attackers are using, or are peddling, Robbinhood as a ransomware-as-a-service. Stewart says the panel interface used by the attacker to communicate with the city in the wake of the attack contains signs of a service model. "It's set up exactly like a multi-tenant system," he says. "The malware is created with the click of a button based on input to the panel," for example. And the malware appears to use an embedded template.

"It seems more like ransomware-as-a-service than somebody hacking it independently and developing its own payload."

He says the same is true for the earlier attack on the City of Greenville, N.C. "It's definitely the same service. The binary we have associated with the Greenville attack is Robbinhood," Stewart says. But each has different IDs embedded in the templates, he says, for the respective targets.

Long Road for Charm City

Most ransomware attacks don't take as long to recover from as Baltimore's incident. According to a recent study by email security service Mimecast, 42% of public sector organizations had been hit with a disruptive ransomware attack in the last month; 44% suffered two to three days of downtime in the wake of a ransomware attack, and 30% suffered four to five days.

"Ultimately ... ransomware today is becoming much more targeted because it's about financial gain," says Josh Douglas, vice president of threat intelligence at Mimecast.

But so far, Baltimore hasn't paid the Robbinhood attackers' ransom of $17,600 in bitcoin per system, or about $76,280 for all of the affected systems. Mayor Bernard C. "Jack" Young, who previously declared the city would not pay the ransom, did recently appear to leave the door open for a change of heart. His office has not responded to multiple media inquiries about the attack over the past few weeks.

Myles Handy, press secretary for the Baltimore City Council President Brandon Scott, says the city's email and other systems are "in the process" of being brought back online. When the city's systems are fully operational, the Council plans to convene a select committee to study the city's cybersecurity posture and response to the ransomware attack, he says.

The committee will "review the entire attack from the moment we were [attacked] until the moment it was resolved," he says, and will focus on what could have been done and how the investigation into the attack unfolded.

Handy declined to comment on the attack or the now-suspended Twitter account that researchers at Armor since have tied to the actual attacker or attackers that launched Robbinhood on the city's servers, citing the FBI's investigation of the attack.

Adding insult to injury, Robbinhood's attacker for weeks taunted and threatened the mayor to pay the ransom via Twitter, while leaking screenshots of confidential city documents and what purported to be user credentials, via the now-defunct social media account.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
REISEN1955,
User Rank: Ninja
6/6/2019 | 2:38:17 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
Vulnerable target too - most state and government entities have lousy IT budgets and probably little in the way of any defense points. Even so, they do have some money and they have to run 24-7 too. Same as a hospital but that probably has better defense lines. So cities, county and state government are GREAT targets for a hacker. Most infections (as in North Carolina) begin with one user opening an email and WHAMMO that ends the game. Government may not have the research tool for email digging either so ....... until we know more, also proves NO DISASTER RECOVERY plan, backup protocol in place for a NORMAL server failure. HEY - THOSE HAPPEN TOO ya know. Sad
Christian Bryant,
User Rank: Ninja
6/5/2019 | 9:43:05 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
That's a good point, Kelly.  Much like a lock pick set, a well-made tool and some practice is all you need to gain access.  In reading through past news items, it does seem as if some folks who get nabbed using these tools are not skilled or savvy cybercriminals.  This may be one reason why law enforcement agencies have been hard on coders who have had a hand in programming malware, rootkits and other tools used to commit crimes.  Even if they don't use them for their own gain, the impact is still great with the number of folks trying to use them to achieve malicious ends. 
Kelly Jackson Higgins,
User Rank: Strategist
6/5/2019 | 6:33:46 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
It doesn't take a hacker to execute a ransomware attack, that's for sure. RaaS makes it eerily easy for anyone to do it, not unlike DDoS-for-hire services. 
lancop,
User Rank: Apprentice
6/5/2019 | 4:52:51 PM
re: Robbinhood: Inside the Ransomware That Slammed Baltimore
Very informative article! It is very useful to the IT security community to get as much information on the latest exploits as possible in order to stay up-to-date on the malware attack techniques that are being used in the field.

It is logical that ransomware-as-a-service would be a new fertile ground for commercial hacking actors. Why not automate the whole transaction and just watch the money roll in?

In the Information Age, this is exactly what one would expect about now.