
6/3/2020
03:15 PM

Chasing RobbinHood: Up Close with an Evolving Threat

A security researcher details how RobbinHood has changed and why it remains a threat for businesses to watch.

It has been over a year since the ransomware-as-a-service RobbinHood appeared in a major attack against the city government of Baltimore. While cybersecurity pros initially described it as amateur and unsophisticated, the ransomware has since changed in ways that make it a threat to watch.

James Jackson, an independent researcher who aided a global shipping firm in the aftermath of NotPetya and currently works for a multinational intelligence and consulting business, has been analyzing RobbinHood to trace its evolution. He discovered 19 RobbinHood binaries and linked six to confirmed attacks. The research led him to identify four distinct versions of the RobbinHood ransomware, each of which demonstrates growth in functionality and maturity.

"In a very short period of time, [RobbinHood] has rapidly advanced," Jackson says. "The fact they've escalated and refined their attack in a very short period of time, and developed an exploit with a malicious driver, indicates expertise and gearing up."

Version 0.1 of RobbinHood, used to target the cities of Baltimore and Greenville, is considered the most simplistic and unsophisticated. It functions to stop computer services that could stop it from running, encrypt local files, and deploy a ransom note demanding payment in exchange for the files' return. It's noisy and noticeable, Jackson says, and the attackers implemented only crude means of preventing security researchers from analyzing the malware in a sandbox.

"The overarching theme from version one of the malware is that it was incredibly simplistic and it was fraught with problems and errors," he explains. Despite the damage it caused Baltimore, early analysis of RobbinHood revealed "juvenile naivety that was difficult to ignore," he wrote in a blog post. From there, RobbinHood underwent a series of minor and significant changes.

There are many reasons why RobbinHood's attackers may have been motivated to improve. One driver may have been the ease of recovery. "They've realized not only is the ransomware unsophisticated and amateur, but that's having a direct impact on the profitability of this enterprise," Jackson says. Of the six Bitcoin addresses he discovered, five belonged to v0.1 and none had ever contained any funds. This could indicate early versions were not successful.

Version 0.2 appeared in mid-June 2019, slightly more advanced than its predecessor. In this edition, attackers made it harder to extract embedded text from inside the malware. Function names were obfuscated, and the text listing services to stop was encoded. The second version also tried to kill running processes before encryption and had a function to clear Windows Event Logs, though Jackson points out this never seems to execute in ransomware attacks.

RobbinHood operators waited longer to launch version 0.3, which arrived in late January 2020 with a reference to a "RobinHood2" folder and dropped the obfuscation, though embedded text was still encoded. This version was built to erase event logs and use pattern matching to find and stop services, which made it more effective in finding and disabling security software. 

Jackson notes erasing event logs is interesting, as there are more important forensic artifacts they don't delete. This could indicate they are intentionally deleting evidence and are bad at it, or they're deleting evidence to hinder response. Both possibilities could be significant in profiling the group: The former indicates low sophistication; the latter, a strong "arsonist" trait, he adds.

Bringing Bigger Changes: v0.3 to v0.4
Version 0.4 appeared only a few months later, in late April, but brought the biggest change to RobbinHood since its 2019 launch. As Jackson points out in his writeup, a comparison of the internal functions in v0.1 and v0.4 revealed the two versions share only 23% of the same code.

This version references a folder dubbed "RobbinHood6.1" and brought additional functions and design improvements. It returns to using a hard-coded list of services and processes to block; however, the list was adjusted to stop services that constantly write data to a computer. This boosts the reliability of encryption, he notes, and minimizes the likelihood of data loss. Versions 0.3 and 0.4 also attempt to change all user account passwords on the system.
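The behaviors described across these versions (mass service stops before encryption, clearing of Windows Event Logs, and resetting every user account's password) each leave traces a defender can alert on. The following is an added example, not code from the article or from Jackson's research: a small detector run over constructed Windows event records exported as JSON lines. The event IDs used are the standard Windows ones (7036 for Service Control Manager state changes, 4724 for password resets, 1102 and 104 for Security and System log clearing); the thresholds and the sample records are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export (JSON lines); these are not real records.
SAMPLE_EVENTS = """
{"time": "2020-04-28T02:10:01", "channel": "System", "id": 7036, "msg": "The Windows Defender Antivirus Service service entered the stopped state."}
{"time": "2020-04-28T02:10:02", "channel": "System", "id": 7036, "msg": "The SQL Server (MSSQLSERVER) service entered the stopped state."}
{"time": "2020-04-28T02:10:02", "channel": "System", "id": 7036, "msg": "The Volume Shadow Copy service entered the stopped state."}
{"time": "2020-04-28T02:10:03", "channel": "System", "id": 7036, "msg": "The Print Spooler service entered the stopped state."}
{"time": "2020-04-28T02:10:03", "channel": "System", "id": 7036, "msg": "The Windows Update service entered the stopped state."}
{"time": "2020-04-28T02:10:05", "channel": "Security", "id": 4724, "msg": "An attempt was made to reset an account's password. Target Account Name: alice"}
{"time": "2020-04-28T02:10:05", "channel": "Security", "id": 4724, "msg": "An attempt was made to reset an account's password. Target Account Name: bob"}
{"time": "2020-04-28T02:10:09", "channel": "Security", "id": 1102, "msg": "The audit log was cleared."}
{"time": "2020-04-28T09:00:00", "channel": "System", "id": 7036, "msg": "The Print Spooler service entered the running state."}
"""

LOG_CLEARED_IDS = {1102, 104}   # Security log cleared / System log cleared
SERVICE_STATE_ID = 7036         # Service Control Manager: service changed state
PASSWORD_RESET_ID = 4724        # an attempt was made to reset an account's password


def parse_events(text):
    """Parse a JSON-lines export into (time, channel, id, msg) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append((datetime.fromisoformat(rec["time"]), rec["channel"], rec["id"], rec["msg"]))
    return sorted(events)


def burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside one span of length `window`."""
    times = sorted(times)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


def detect(text, window=timedelta(seconds=60), stop_threshold=4, reset_threshold=2):
    """Return the list of alert names raised over one export (assumed thresholds)."""
    events = parse_events(text)
    alerts = []
    stops = [t for t, _, eid, msg in events if eid == SERVICE_STATE_ID and "stopped state" in msg]
    if burst(stops, stop_threshold, window):      # many services stopped at once
        alerts.append("service_stop_burst")
    resets = [t for t, _, eid, _ in events if eid == PASSWORD_RESET_ID]
    if burst(resets, reset_threshold, window):    # several accounts reset together
        alerts.append("mass_password_reset")
    if any(eid in LOG_CLEARED_IDS for _, _, eid, _ in events):
        alerts.append("event_log_cleared")        # a cleared log is itself the artifact
    return alerts
```

Because the log-clear event is written to the log that was just cleared, forwarding events to a collector as they occur is what keeps this last signal (and the service-stop burst before it) available to responders.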

Between v0.3 and v0.4, RobbinHood's operators became more concerned with services that could compromise the encryption process, Jackson says. They also created and weaponized a malicious driver to handle this for them. RobbinHood attacks seen during this time exploit a legitimate and digitally signed hardware driver to delete security tools before encrypting files.

The group has demonstrated the ability to decrypt data, he adds. However, there is a higher likelihood that decryption may not be possible even with the group's assistance. RobbinHood's encryption process involves using public keys to encrypt a randomly generated AES key and attaching that data to the target file. If an error occurred at that step, the AES key may not be recoverable.

One malicious feature in v0.4 is its ability to identify and remove files prior to encryption. The logic is seemingly targeting backups; however, it may capture data victims may want decrypted. The Ryuk ransomware attackers use manual tactics to delete backups, Jackson points out as an example of another group's strategy. The automated tactic here is comparatively less effective: RobbinHood looks for files with specific extensions, which he says has a low chance of working. If they improve on their handling of backups, there may be more people forced to pay ransom. 

"The execution of attackers is interesting in that it's no replacement for what the Ryuk attackers do when they manually target and destroy backup services, which is always going to be much more effective," he explains. The RobbinHood attackers "have some skills up their sleeve, but the way they execute is relatively ineffective." Jackson has not seen evidence indicating RobbinHood attackers have tried to manually identify and delete backups. He does note that the group demonstrates concern with leaving behind forensic evidence.

At the moment, there is insufficient evidence to conclude who is behind RobbinHood or where they are located, Jackson says. While there are some hints in how these attacks are launched, it's easy for operators to adjust components and techniques to mislead security researchers.

"One of the big issues with attribution is … it's so easy to put those details there on purpose or run a black-flag operation and make it seem like a malware is coming out of country X when it's coming out of country Y," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...