Robbinhood Ransomware left city government crippled for weeks
The City of Baltimore remains paralyzed two weeks after a ransomware attack hit some 10,000 of the city government's computers and held their data hostage. The ransomware, dubbed Robbinhood, had hit the City of Greenville, North Carolina, a month earlier. Baltimore's information technology office has said that the city was running out-of-date computers with no backups, calling them “a natural target for hackers and a path for more attacks in the system.”
How the ransomware reaches a victim's machine is not clear. Once executed, it spawns a large number of cmd.exe instances to run a long list of commands, mostly to stop and disable system services: antivirus, automatic updates, networking services, email services, and backup and replication services, among others. It also removes mapped network drives, which both cuts the machine off from network backups and hides shares it might otherwise have encrypted noisily.
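The behaviour above (one parent spawning a burst of cmd.exe children that stop or disable services and drop mapped drives) is easy to spot in process-creation telemetry. The following is an added example, not SonicWall's or the malware's code: it groups constructed Sysmon-style events by parent PID and flags parents whose children match several of those command classes. The field layout (ppid|image|command line) and the service names in the sample lines are assumptions for illustration, not a claim about what the real sample targets.

```python
"""Flag a parent process that spawns many cmd.exe children running
service-stopping, service-disabling and drive-unmapping commands.
Added example; the events below are constructed, and the pipe-separated
layout and service names are illustrative assumptions."""
import re
from collections import defaultdict

# Constructed process-creation events: ParentProcessId|Image|CommandLine.
SAMPLE_EVENTS = [
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net stop AVService /y",
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c sc config AVService start= disabled",
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net stop wuauserv /y",
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c sc config wuauserv start= disabled",
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net stop MailTransportSvc /y",
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c sc stop BackupReplicationSvc",
    "4412|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net use * /delete /y",
    # Unrelated activity from another parent: a lone "net stop" is not a burst.
    "1200|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users",
    "1200|C:\\Windows\\System32\\cmd.exe|cmd.exe /c net stop Spooler",
    "1200|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
]

# Command classes matching the behaviour described in the article.
PATTERNS = {
    "stop_service": re.compile(r"\b(?:net|sc)\s+stop\b", re.I),
    "disable_service": re.compile(r"\bsc\s+config\b.*\bstart=\s*disabled\b", re.I),
    "unmap_drives": re.compile(r"\bnet\s+use\b.*/delete", re.I),
}


def parse_event(line):
    """Split one constructed event line into its three fields."""
    ppid, image, cmdline = line.split("|", 2)
    return {"ppid": int(ppid), "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return the set of suspicious command classes a command line matches."""
    return {name for name, rx in PATTERNS.items() if rx.search(cmdline)}


def find_bursts(events, min_hits=5, min_classes=2):
    """Group cmd.exe children by parent PID and return the parents whose
    children together hit at least min_hits suspicious commands spanning
    at least min_classes distinct classes."""
    per_parent = defaultdict(lambda: {"children": 0, "hits": 0, "classes": set()})
    for line in events:
        ev = parse_event(line)
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        entry = per_parent[ev["ppid"]]
        entry["children"] += 1
        tags = classify(ev["cmdline"])
        if tags:
            entry["hits"] += 1
            entry["classes"] |= tags
    return {ppid: e for ppid, e in per_parent.items()
            if e["hits"] >= min_hits and len(e["classes"]) >= min_classes}


if __name__ == "__main__":
    for ppid, info in find_bursts(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {info['hits']}/{info['children']} cmd.exe children "
              f"matched {sorted(info['classes'])}")
```

In a real deployment the same logic keys on Sysmon Event ID 1 (ParentProcessId, Image, CommandLine) within a short time window; the thresholds are deliberately conservative so that an administrator stopping a single service does not fire the rule, while a mass "net use * /delete" plus a run of service stops does.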
The ransomware drops a ransom note in the %Desktop% folder that explains how to pay and how to contact the authors through their Tor (.onion) site.
With Bitcoin's recent price surge, the ransom is steep: 3 BTC per infected computer, or 7 BTC for all of them, which at the time of writing amounts to over $57,000.
The ransomware is written in Go (Golang). Go binaries embed the paths of the source files they were compiled from, and this sample's strings still contain references to its source repositories and the workspace directory structure it was built in.
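Those embedded paths are the first thing to pull during triage, because a GOPATH-style path like ".../go/src/<host>/<user>/<repo>/file.go" names the repository the code came from. The following is an added example, not SonicWall's or the authors' code: it scans raw bytes for such paths and collapses them to import paths. The byte blob is constructed to look like a fragment of a Go binary's string table; its paths are illustrative and are not strings recovered from the real sample.

```python
"""Extract Go source-tree references from a binary's raw bytes.
Added example; SAMPLE_BLOB is constructed and its paths are illustrative."""
import re

SAMPLE_BLOB = (
    b"\x00\x00runtime.goexit\x00"
    b"C:/Users/dev/go/src/github.com/example/locker/main.go\x00"
    b"/home/dev/go/src/github.com/example/locker/crypto/encrypt.go\x00"
    b"\x01\x02\x03kernel32.dll\x00"
    b"crypto/aes.(*aesCipherAsm).Encrypt\x00"
)

# Go records the absolute path of every compiled source file; under a classic
# GOPATH workspace those paths contain a "go/src/<import path>" segment.
GO_SOURCE_PATH = re.compile(
    rb"(?:[A-Za-z]:)?[/\\][\w.\-/\\]*go[/\\]src[/\\][\w.\-/\\]+\.go\b"
)
# Runtime symbols present in practically every statically linked Go binary.
GO_RUNTIME_MARKERS = (b"runtime.goexit", b"runtime.main", b"Go build ID:")


def extract_go_paths(blob):
    """Return every GOPATH-style source path found in blob, as str, in order."""
    return [m.decode("ascii", "replace") for m in GO_SOURCE_PATH.findall(blob)]


def go_import_paths(paths):
    """Collapse source paths to their first three import-path components
    (e.g. github.com/<user>/<repo>), which normally identifies the repository."""
    repos = set()
    for p in paths:
        tail = re.split(r"go[/\\]src[/\\]", p.replace("\\", "/"), maxsplit=1)[-1]
        repos.add("/".join(tail.split("/")[:3]))
    return repos


def looks_like_go(blob):
    """Cheap triage check: a Go runtime marker or a GOPATH source path is present."""
    return any(m in blob for m in GO_RUNTIME_MARKERS) or bool(GO_SOURCE_PATH.search(blob))


if __name__ == "__main__":
    paths = extract_go_paths(SAMPLE_BLOB)
    print("Go binary:", looks_like_go(SAMPLE_BLOB))
    for p in paths:
        print("  ", p)
    print("repositories:", sorted(go_import_paths(paths)))
```

On a real file, read it in binary mode and pass the bytes straight in; packed or stripped samples may carry only the runtime markers, which is why the check falls back to those when no source path survives.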
SonicWALL Capture Labs provides protection against this threat via the following signatures:
- GAV: Robinhood.RSM (Trojan)
- GAV: Robinhood.RSM_2 (Trojan)
This threat is also detected by SonicWALL Capture ATP with RTDMI and by the Capture Client endpoint solution.