Baltimore Encoded: RobbinHood

For the last month, the city of Baltimore has been dealing with a ransomware variant called Robbinhood. The ransomware author is asking for 100,000 dollars to decrypt the city’s files. As has been explained previously in my blog, Ransomware is a type of malware that infects systems and encrypts each file on the infected endpoint. Once it has completed the encryption process, a ransom note is left to instruct the user how to decrypt their files. If a company has not followed proper security controls and created offline backups of critical systems, all of their information could have been lost if they do not pay the ransom. Unfortunately, many targets of this type of malware have learned this the hard way.

Baltimore is not the first city to deal with this type of attack. Atlanta had a similar incident happen by the Iranian malware Sam Sam ransomware in 2018. The Baltimore attack does not appear to be from the Iranian Sam Sam group.

A recent media article insisted that Robbinhood made use of the NSA developed exploit Eternal Blue that was used in the Stuxnet attack against Iran, and to some is considered the first Cyber Weapon (More to come on this in a later blog post). Brian Krebs of “Krebs on Security” has reported that it is not likely that it uses the Eternal Blue exploit (Krebs, 2019). Because of the Media report that this exploit was used, some have argued that this attack is the fault of the NSA and the Federal Government is held responsible for the attack.

I’m going to stray away from the explanation of the ransomware for a second because I think something needs to be discussed. The eternal blue exploit was leaked by the Shadow Brokers in 2017, from there the WannaCry, and NotPetya cyberattacks were developed, and a subsequent patch was released. While the exploit was developed by discovering a vulnerability in the SMB protocol and held by the NSA for use did create the opportunity for these types of attacks to occur, it is in no way the NSA’s responsibility that a municipality would allow their systems to go unpatched from a very well-known vulnerability. We can argue the ethicality of the NSA stockpiling exploits, but that does not change the fact that Baltimore did not patch a well-known vulnerability. –End rant

Bleeping computer has a great article that I would suggest everyone if they are interested in how this ransomware works. The article is located here

Essentially the tl;dr is that Robbinhood disconnects network shares upon execution and then is likely pushed through a domain controller. The ransomware looks for an RSA encryption key in the C:\\windows\temp directory. If the key is present, it will then shut off services, such as antivirus, database, mail server, and so forth that would prevent encryption. During its preparation stage, it clears shadow copies, event logs, and disables automatic repair. Once preparation is complete, the malware begins encrypting the files on the endpoint. Once complete a message appears that explains to the user how to decrypt their data. The surprising thing to me is that the message explains Asymmetric encryption to the user.

Brian Krebs reports that this is vanilla ransomware; it is not highly sophisticated and does not seem to use any lateral movement (Krebs, 2019). Something interesting in this attack is that the code uses a text string that says Valery, which shows similarity with the GanCrab ransomware strain that the developers had just announced they had retired (Krebs, 2019). This would make me think that either one of the developers from that attack decided to start their new strain or someone is trying to frame the GanCrab developers. Krebs and other security researchers believe that the author may be marketing their malware (Krebs, 2019). If this is a marketing campaign, which would make sense with the tweets targeted toward the Mayor of Baltimore, this could mean a bigger target, or more targets are possibly next by other adversaries who will rent it out. Municipalities are known for not paying the ransoms, so it would not have been a great target except for the marketing purposes. This attack is expected to cost Baltimore, an already fledgling financially city, 18 million dollars in recovery and lost revenues.

Works Cited:

Abrams, L. (2019). A closer look at the Robbinhood Ransomware. Retrieved on June 5, 2019 from,

Krebs, B. (2019). Report No Eternal blue Exploit Found in Baltimore City Ransomware. Retrieved on June 5, 2019, from

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s