Incident Of The Week: Baltimore City Government Hit with “RobbinHood” Ransomware

The city’s 911 system was also hacked in 2018

Esther Shein

Nearly all non-emergency servers in the city of Baltimore’s government departments remained offline as of this morning following a ransomware attack on Tuesday. Critical public safety systems including 911, 311, emergency medical services and the fire department were not affected by the attack, The Hacker News reported.

This is the second ransomware attack to hit the city in just over a year, prompting officials to shut down a majority of servers as a precaution.

“City employees are working diligently to determine the source and extent of the infection,” Baltimore Mayor Bernard C. Jack Young tweeted earlier today. Previously, Young tweeted that there was “no evidence that any personal data has left the system.”

Ransomware Identified as New RobbinHood Variant

Frank Johnson, Baltimore’s CIO, confirmed in a press conference today that the malware was “the very aggressive RobbinHood ransomware” and that the FBI had identified it as a “fairly new variant” of the malware, according to Ars Technica. This new variant of RobbinHood began showing up in the past month.

The malware appears to target only files on a single system and does not spread through network shares, security researcher Vitali Kremez, who recently reverse-engineered a sample of RobbinHood, told Ars.

See Related: "Ransomware Cripples Atlanta City Government"

“It is believed to be spread directly to the individual machines via psexec and/or domain controller compromise,” Kremez told the site. “The reasoning behind it is that the ransomware itself does not have any network spreading capabilities and is meant to be deployed for each machine individually.”

In that scenario, the attacker would already have had to gain administrative-level access to a system on the network because of “the way the ransomware interacts with C:\Windows\Temp directory,” Kremez told Ars.
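The deployment model Kremez describes, one machine at a time over PsExec rather than self-propagation, leaves a defender-visible trace: PsExec installs its PSEXESVC service on every target, which the Windows System log records as Event ID 7045. The following added example (not code from the article, Ars Technica or the researcher) looks for a burst of such installs across many hosts in a short window; the event records are constructed, and the window and host thresholds are assumed tuning values.

```python
"""Flag a burst of PsExec service installs across hosts, the footprint a
per-machine ransomware push would leave (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample of Windows System-log events, not real city telemetry.
# Event ID 7045 = "A service was installed in the system".
SAMPLE_EVENTS = [
    {"ts": "2019-05-06T10:15:00", "host": "ws-200", "event_id": 7045,
     "service": "PSEXESVC"},        # isolated admin use a day earlier
    {"ts": "2019-05-07T03:01:10", "host": "ws-101", "event_id": 7045,
     "service": "PSEXESVC"},
    {"ts": "2019-05-07T03:02:45", "host": "ws-102", "event_id": 7045,
     "service": "PSEXESVC"},
    {"ts": "2019-05-07T03:03:30", "host": "fs-01", "event_id": 7045,
     "service": "ContosoAgentSvc"},  # unrelated service install, ignored
    {"ts": "2019-05-07T03:04:05", "host": "ws-103", "event_id": 7045,
     "service": "PSEXESVC"},
    {"ts": "2019-05-07T03:05:50", "host": "srv-files", "event_id": 7045,
     "service": "PSEXESVC"},
]


def psexec_installs(events):
    """Return sorted (timestamp, host) pairs for every PSEXESVC install."""
    hits = [
        (datetime.fromisoformat(e["ts"]), e["host"])
        for e in events
        if e["event_id"] == 7045 and e["service"].upper() == "PSEXESVC"
    ]
    return sorted(hits)


def mass_deployment_hosts(events, window_minutes=10, min_hosts=3):
    """Slide a window over the PSEXESVC installs and return the hosts in the
    largest cluster reaching min_hosts, or [] when no cluster qualifies.
    Thresholds are assumed values; tune them to normal admin PsExec use."""
    hits = psexec_installs(events)
    window = timedelta(minutes=window_minutes)
    best = set()
    for i, (start, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - start <= window}
        if len(hosts) >= min_hosts and len(hosts) > len(best):
            best = hosts
    return sorted(best)


if __name__ == "__main__":
    print("burst hosts:", mass_deployment_hosts(SAMPLE_EVENTS))
```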

Second Attack on Baltimore’s Network

In March 2018, Baltimore’s 911 system was hit with ransomware while maintenance was being conducted on the city’s networks, briefly leaving gaps in a firewall that had just been installed four hours before, the site reported. It took city personnel more than 15 hours to locate, isolate and take the affected server offline, according to the Baltimore Brew.

At today’s press conference, Young said he wasn’t sure how long the city’s computer systems would be offline, Ars reported. He stressed that the IT department has a backup system but said that officials could not just restore the systems because they don’t know how far back the virus goes.

See Related: "4 Ways To Defend The Enterprise From Nation-State Attacks"

In the meantime, city employees have been asked to do things manually, Young said.

While the amount the attackers have demanded as a ransom wasn’t specified, Democratic Mayoral spokesperson Lester Davis told the Brew that the city would not pay any ransom.

Baltimore is not the only major city to be hit with a ransomware attack, nor is it the first. In 2018, Atlanta was attacked by the SamSam ransomware, causing disruptions to government operations.