Baltimore Recovering From Second Ransomware Attack
This Time, City Hit with RobbinHood Malware
Baltimore is recovering from another ransomware attack - the second in a little over a year.
Baltimore CIO Frank Johnson told reporters at a Wednesday press conference that the FBI is investigating the latest attack, which has crippled several of the city's information systems and municipal services since mid-day Tuesday. The city's 911 and 311 phone systems, along with the public safety agencies, were not affected.
"We discovered sometime early yesterday [Tuesday] morning that the city was infected with the very aggressive RobbinHood ransomware," Johnson says. "The FBI is investigating this certain incident and has confirmed that it is a fairly new variant and it's quite aggressive. Right now, technicians are trying to remediate the root cause to find out what's been impacted and affected. And we can say with confidence that public safety systems are up and operational."
Johnson said that other city systems remained offline Wednesday, and he did not have a timeframe as to when they would be restored. The city had recently received a clean bill of health for its cybersecurity awareness preparation, he noted, and all employees have gone through security awareness training.
Baltimore Mayor Bernard C. "Jack" Young said that, for now, municipal workers would revert to manual processes to keep the city functioning. He added that Baltimore has a backup system, but that IT workers would not be able to access it until they know the ransomware is contained.
Young, who only recently took over as mayor, added that the city would not pay the ransom demanded by the attackers, and he said that it did not appear that any personal data had been compromised.
RobbinHood Steals From Governments
The RobbinHood ransomware variant is relatively new malware that researchers first started to notice earlier this year. Whoever is behind this particular strain is attempting to target cities and municipalities in search of ransom.
In April, officials with the city of Greenville, North Carolina, reported that RobbinHood ransomware infected their systems and that the FBI had started an investigation into the incident, according to WITN-TV.
Local governments are vulnerable to these types of attacks, which encrypt data, because it's difficult to keep up with changes the threat actors make to the malware they use, says Bill Siegel, the CEO of Coveware, an incident response firm.
"Baltimore being attacked again almost a year later demonstrates the challenges any organization, particularly municipal organizations, have in remaining secure," Siegel tells Information Security Media Group. "Attack vectors change constantly, and while patching the vulnerability that made the 2018 attack possible is a step in the right direction, it does not mean the risk is gone."
Not much is known about RobbinHood or the group behind it. But Vitali Kremez, a cybercrime researcher who has been tracking the ransomware and has reverse-engineered it, wrote on Twitter Tuesday that RobbinHood mimics the SamSam extortion method but uses a different payload and server-side attack (see: Two Iranians Charged in SamSam Ransomware Attacks).
2019-05-07: [Emerging] "#RobbinHood" #Ransomware Disrupts Baltimore City
cc @malwrhunterteam as tracking extensively
This Golang ransomware is on the rise lately mimicking on a high level #SamSam extortion method but with the different payload and server-side. https://t.co/fAnmrMbVHC
— Vitali Kremez (@VK_Intel) May 8, 2019
In an interview earlier this year with BleepingComputer, Kremez noted that RobbinHood will stop 181 Windows services, including anti-virus, database, mail server and others that could keep files open and prevent their encryption. The ransomware also disconnects all network shares, which allows the attacker to target individual machines.
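As an added example, not code from the article or from any vendor tool: a defender-side Python heuristic that scans constructed Windows System event log lines for the burst of service stops described above. It assumes a plain-text export of Event ID 7036 (Service Control Manager state-change) records and a hypothetical watch-list of anti-virus, database and mail service names.

```python
import re
from datetime import datetime, timedelta

# Event ID 7036 is written by the Service Control Manager on every service
# state change; the message "entered the stopped state" marks a stop.
STOP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*EventID=7036 .*"
    r"The (?P<svc>.+?) service entered the stopped state"
)

# Hypothetical watch-list for the categories the article names
# (anti-virus, database, mail server); extend with your environment's names.
SENSITIVE = {"windefend", "mssqlserver", "msexchangeis", "mysql"}


def parse_stops(lines):
    """Return sorted (timestamp, service_name) pairs for every stop event."""
    stops = []
    for line in lines:
        m = STOP_RE.search(line)
        if m:
            stops.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                          m.group("svc")))
    return sorted(stops)


def analyze(lines, window=timedelta(seconds=60), threshold=10):
    """Find the densest sliding window of service stops and flag it when the
    count reaches `threshold`; also list watch-list services stopped in it."""
    stops = parse_stops(lines)
    best = {"suspicious": False, "stops": 0, "start": None, "sensitive": []}
    start = 0
    for end in range(len(stops)):
        while stops[end][0] - stops[start][0] > window:  # slide the left edge
            start += 1
        count = end - start + 1
        if count > best["stops"]:
            names = {svc for _, svc in stops[start:end + 1]}
            best = {"suspicious": count >= threshold, "stops": count,
                    "start": stops[start][0],
                    "sensitive": sorted(n for n in names if n.lower() in SENSITIVE)}
    return best


# Constructed sample log: one routine stop hours earlier, then twelve services
# (including AV, database and mail) stopped within 12 seconds.
_BURST = ["WinDefend", "MSSQLSERVER", "MSExchangeIS", "MySQL", "Spooler", "BITS",
          "wuauserv", "Themes", "W32Time", "Dnscache", "LanmanServer", "SQLWriter"]
_FMT = "2019-05-07 {t} System EventID=7036 Source=SCM The {s} service entered the stopped state."
SAMPLE = [_FMT.format(t="01:02:03", s="Spooler")] + [
    _FMT.format(t=f"03:12:{i:02d}", s=svc) for i, svc in enumerate(_BURST)]
```

Tune `window` and `threshold` against a baseline of normal reboots and patch cycles before alerting on it.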
In the latest Baltimore incident, the attackers demanded that the city pay a ransom of three bitcoins for a decryption key for each affected system, according to the Baltimore Sun, which obtained a copy of the ransom note. Under current prices, three bitcoins equal $17,600. The attackers offered to decrypt all affected systems for a total of 13 bitcoins, or $76,400, the Sun reported.
Hard Luck Baltimore
In March 2018, Baltimore was hit by a ransomware attack that crippled the city's IT infrastructure. That attack affected the computer-assisted dispatch system, which is used to support and direct 911 and other emergency calls, Reuters reports.
The 2018 attack against Baltimore came a few weeks after Atlanta's municipal government was hit by its own ransomware attack, which federal authorities would eventually link to the SamSam variant (see: Atlanta After Ransomware Attack: Please Restart Your PC).
It's not clear what ransomware struck Baltimore last year. When city officials spoke on Wednesday, they did not address questions about why the city had been struck twice within such a short period of time (see: Crypto-Locking Malware Hits Atlanta, Baltimore, Boeing).