It's been nearly one month now since the City of Baltimore was hit with a nasty ransomware attack that locked down its servers and left the city government without email, telecommunications, and disrupted real-estate transactions and bill payments, forcing city offices to rely on Gmail and Google Voice accounts to conduct daily business and support residents.
The city to date continues to struggle in the aftermath without a fully functional email system and other services, but mostly has kept the details of the May 7 attack under wraps. Some security experts meanwhile have obtained and studied samples of the so-called Robbinhood ransomware used in the attack, shedding some light on the code used in the devastating and high-profile attack on a major city and disrupting its operations.
Robbinhood has no known ties to existing malware families, they found, nor does it contain a self-propagation function, meaning it requires another method to spread from machine to machine. There was no sign in its code of the EternalBlue exploit, which was highlighted in a recent New York Times report as a key vehicle for spreading the ransomware in the Baltimore attack. Experts say it's possible the attackers used EternalBlue in at least part of the attack on the city, but they have no proof at this time.
A more common scenario that has become popular among ransomware attackers targeting more financially lucrative targets such as businesses and large organizations is that the attackers planted the ransomware manually, using stolen credentials and the Remote Desktop Protocol (RDP), for example.
Most ransomware attacks today are more manual than worm events: many attackers now initially drop backdoors like Trickbot that gather information about the data and servers on the victim network, and they then target specific servers and systems that look most valuable.
"Threat actors choose infection vectors based on their target. If their target has vulnerable servers or systems that can be exploited, they might use an exploit to deliver ransomware, and EternalBlue is one example of" such an exploit, says Christopher Elisan, director of intelligence at Flashpoint, who has studied a sample of the Robbinhood ransomware. "There was no evidence that EternalBlue was being used to spread Robbinhood. But it's not impossible that EternalBlue was another infection vector."
If a target has some of its user credentials for sale in the Dark Web, for instance, it's sometimes simpler for an attacker to procure those and log in via RDP to plant the malware, he says. "Or if the target doesn't have good user awareness, they might just try using spam."
Joe Stewart, an independent consultant working with Armor on analyzing Robbinhood, found no signs of EternalBlue in Robbinhood's binary code, either. "It actually requires some other method of deployment," Stewart notes. It could be planted manually, or via a domain controller or other dropper, he says. And that dropper could possibly also contain EternalBlue.
"In my scenario, EternalBlue wouldn't give them access to servers, but it would be something they might leverage to get to a workstation that then would give them lateral access to servers to get to the domain controller, etc., to deploy malware on specific, critical systems that would cause the most pain," he explains.
Still a mystery is the first stage of the attack - how the attacker got in and with what, if any malware, he says.
Stewart found that Robbinhood was written in the Golang (aka Go) programming language created by Google. Go is rarely used for ransomware: "We don't see that too terribly often, but it's getting more popular," he says. He says he found no relationship between Robbinhood and any other known malware families.
Like most ransomware today, Robbinhood tries to disable security applications and backup systems, he says. "It will try and disconnect network drives and delete certain extensions in network drives and network shares where backups" are, he says. "That's what you'd expect" in ransomware, he says.
It also appears the Robbinhood attackers are using, or are peddling, Robbinhood as a ransomware-as-a-service. Stewart says the panel interface used by the attacker to communicate with the city in the wake of the attack contains signs of a service model. "It's set up exactly like a multi-tenant system," he says. "The malware is created with the click of a button based on input to the panel," for example. And the malware appears to use an embedded template.
"It seems more like ransomware-as-a-service than somebody hacking it independently and developing its own payload."
He says the same is true for the earlier attack on the City of Greenville, N.C. "It's definitely the same service. The binary we have associated with the Greenville attack is Robbinhood," Stewart says. But each has different IDs embedded in the templates, he says, for the respective targets.
Long Road for Charm City
Most ransomware attacks don't take as long to recover from as Baltimore's incident. According to a recent study by email security service Mimecast, 42% of public sector organizations had been hit with a disruptive ransomware attack in the last month; 44% suffered two to three days of downtime in the wake of a ransomware attack, and 30% suffered four to five days.
"Ultimately ... ransomware today is becoming much more targeted because it's about financial gain," says Josh Douglas, vice president of threat intelligence at Mimecast.
But so far, Baltimore hasn't paid the ransom of $17,600 in bitcoin per system—a total of about $76,280—to the Robbinhood attackers. Mayor Bernard C. "Jack" Young, who previously declared the city would not pay the ransom, did appear to recently leave the door open for a change of heart. His office has not responded to multiple media inquiries about the attack over the past few weeks.
Myles Handy, press secretary for the Baltimore City Council President Brandon Scott, says the city's email and other systems are "in the process" of being brought back online. When the city's systems are fully operational, the Council plans to convene a select committee to study the city's cybersecurity posture and response to the ransomware attack, he says.
The committee will "review the entire attack from the moment we were [attacked] until the moment it was resolved," he says, and will focus on what could have been done and how the investigation into the attack unfolded.
Handy declined to comment on the attack or the now-suspended Twitter account that researchers at Armor since have tied to the actual attacker or attackers that launched Robbinhood on the city's servers, citing the FBI's investigation of the attack.
Adding insult to injury, Robbinhood's attacker for weeks taunted and threatened the mayor to pay the ransom via Twitter, while leaking screenshots of confidential city documents and what purported to be user credentials, via the now-defunct social media account.