RobbinHood ransomware hits Baltimore


A ransomware attack struck the Baltimore city government computer network. On Twitter, Baltimore Mayor Bernard Young said the city has shut down most of its servers due to the infection, but critical services, including EMS, police, fire, and 311, are still operational. Mayor Young wrote that "City employees are working diligently to determine the source and extent of the infection. At this time, we have seen no evidence that any personal data has left the system." Meanwhile, the Baltimore Department of Public Works tweeted that email service and phone lines to customer support are also down.

According to The Baltimore Sun, the hackers left a note identifying the ransomware as RobbinHood, the same strain that affected the city of Greenville, N.C. last month. The ransom message on Baltimore's computer system said RobbinHood used a file-locking virus that encrypts files to take them hostage. The hackers are demanding 3 Bitcoins, around $17,600, per system, or 13 Bitcoins, about $76,280 to unlock them all. They threatened to increase the price after four days, and said the city won't get its data back if it doesn't pay up within 10 days.

Security researcher Vitali Kremez, who recently reverse engineered a sample of RobbinHood, stated that the malware appears to target only files on a single system and does not spread through network shares. It is believed to be delivered directly to individual machines via psexec and/or domain controller compromise, since the ransomware itself has no network spreading capability and is meant to be deployed on each machine individually. That means the attacker would need to have already gained administrative-level access to a system on the network, because of the way the ransomware interacts with the C:\Windows\Temp directory.

In addition to requiring execution on each machine, RobbinHood also requires that a public RSA key already be present on the targeted computer before it will begin encrypting files. That means the attacker likely deploys it in multiple steps: obtaining access to the network in question, moving laterally to obtain administrative privileges via a domain controller or psexec, deploying and saving the public RSA key and the ransomware on each machine, and then executing it. Before it begins encryption, RobbinHood shuts down all connections to shared network directories with a net use * /DELETE /Y command and then runs through 181 Windows service shutdown commands, including disabling multiple malware protection tools, backup agents, and email, database, and Internet Information Server (IIS) administrative services. That string of commands, which starts with an attempt to shut down Kaspersky's AVP agent, would create a lot of noise on any management system monitoring Windows systems' event logs.
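The pre-encryption sequence described above (dropping all mapped shares, then a rapid burst of service stop commands) is exactly the kind of noise a log-monitoring rule can key on. The following is an added example written for this page, not code from the article or from any of the parties it describes. It assumes a simplified `timestamp|host|user|command line` process-creation log format (not a real Sysmon or Windows event schema) and uses constructed sample lines; apart from Kaspersky's AVP, the service names in the sample are assumed for illustration.

```python
"""Flag RobbinHood-style pre-encryption activity in process-creation logs.

Two rules, run over simplified process-creation records:
  1. share_disconnect   - a 'net use * /DELETE' command on any host.
  2. service_stop_burst - BURST_THRESHOLD or more 'net stop' / 'sc stop'
                          commands on one host inside BURST_WINDOW.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp|host|user|command line).
# WS01 shows the ransomware-style sequence; WS02 is ordinary admin activity.
SAMPLE_LOG = r"""
2019-05-07T08:00:01|WS01|CORP\svc_admin|C:\Windows\System32\net.exe use * /DELETE /Y
2019-05-07T08:00:02|WS01|CORP\svc_admin|sc stop AVP
2019-05-07T08:00:03|WS02|CORP\jdoe|net stop Spooler
2019-05-07T08:00:03|WS01|CORP\svc_admin|sc stop SQLWriter
2019-05-07T08:00:04|WS01|CORP\svc_admin|sc stop MSSQLSERVER
2019-05-07T08:00:05|WS01|CORP\svc_admin|net stop W3SVC
2019-05-07T08:00:06|WS01|CORP\svc_admin|net stop wuauserv
2019-05-07T08:00:07|WS01|CORP\svc_admin|sc stop VSS
2019-05-07T09:15:00|WS02|CORP\jdoe|C:\Windows\System32\notepad.exe
"""

# 'net use * /DELETE' with or without the .exe suffix or a full path.
SHARE_DROP_RE = re.compile(r"\bnet(?:\.exe)?\s+use\s+\*\s+/delete\b", re.IGNORECASE)
# 'net stop <svc>' or 'sc stop <svc>'; captures the (unquoted) service name.
SERVICE_STOP_RE = re.compile(
    r"\b(?:net|sc)(?:\.exe)?\s+stop\s+\"?([\w.\-]+)", re.IGNORECASE
)

BURST_WINDOW = timedelta(seconds=60)   # sliding window per host
BURST_THRESHOLD = 5                    # stops inside the window before alerting


def parse_line(line):
    """Split one record into (timestamp, host, user, command line)."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def detect(lines):
    """Return a list of alert dicts for the rules above, in log order."""
    alerts = []
    recent = defaultdict(deque)   # host -> deque of (timestamp, service) stops
    burst_reported = set()        # hosts already alerted on, to avoid repeats

    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, host, user, cmd = parse_line(raw)

        if SHARE_DROP_RE.search(cmd):
            alerts.append({"rule": "share_disconnect", "host": host, "user": user,
                           "time": ts.isoformat(), "detail": cmd})
            continue

        match = SERVICE_STOP_RE.search(cmd)
        if not match:
            continue

        window = recent[host]
        window.append((ts, match.group(1)))
        # Drop stops that fell out of the sliding window.
        while window and ts - window[0][0] > BURST_WINDOW:
            window.popleft()

        if len(window) >= BURST_THRESHOLD and host not in burst_reported:
            burst_reported.add(host)
            alerts.append({"rule": "service_stop_burst", "host": host, "user": user,
                           "time": ts.isoformat(), "count": len(window),
                           "services": [svc for _, svc in window]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this yields two alerts, both for WS01: the share disconnect at 08:00:01 and a service-stop burst that fires on the fifth stop command six seconds later (WS02's single `net stop Spooler` stays below the threshold). In a real deployment the threshold would be tuned against a baseline of legitimate maintenance windows, and the rule would read from Sysmon Event ID 1 or Windows Security Event ID 4688 rather than this simplified format.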

Just over a year ago, Baltimore’s 911 system was attacked by ransomware when maintenance on the city's networks briefly left gaps in a firewall. The firewall change was apparently only four hours old before the hackers exploited it. Baltimore Chief Information Officer Frank Johnson insisted that the city's information security provisions had been audited and were up to date. Johnson stated, "We've been assessed several times since I've been here, and we've gotten multiple clean bills of health. We have a very good capability. Unfortunately, it's a race between bad actors and the cyber security industry."

In his press conference, Mayor Young said it was uncertain how long the city's systems would be offline. "There is a backup system with the IT department," he said, "but we can't just go and restore because we don’t know how far back the virus goes. So I don’t want people to think that Baltimore doesn’t have a backup." In the meantime, Young said, city employees would have to switch to doing things manually. If city workers are idle for a substantial amount of time, Young said that he might ask them to "help clean up the city."