By now, the ransomware attack against the city of Baltimore has been widely publicized. The attack has been attributed to the group behind the RobbinHood ransomware family. It was first discovered at the beginning of May 2019, and until recently the city was still struggling to restore the affected services. This is not the city's first encounter with ransomware: in March 2018 its 911 computer-aided dispatch system was also taken offline by a ransomware attack.
What we know about RobbinHood
Initially it was thought that RobbinHood spread using the EternalBlue SMBv1 exploit (patched by MS17-010) that drove the 2017 WannaCry outbreak. After reviewing the code, malware researchers now agree that this is not the case: RobbinHood has no self-propagation capability of its own. It is far more likely that RobbinHood follows the now-common "hands-on-keyboard" pattern. Attackers first land a loader such as Emotet, which in turn installs a modular backdoor such as TrickBot. That stage harvests credentials, maps the servers and data on the victim network, and lets the operators pick the systems that look most valuable (domain controllers, file servers, backup servers) before the ransomware is deployed by hand.

There is no single "trick" here; it is a multi-stage attack. The operators need an initial foothold, and then they need to elevate privileges and move laterally to the systems that matter. Like most ransomware today, RobbinHood tries to stop security and backup services before it encrypts, disconnects mapped network drives, and deletes files with backup-related extensions on network drives and shares so that the victim cannot simply restore. That last step is the practical reason offline or immutable backups matter: a backup that the encrypting host can reach and write to is not a backup you can count on.

RobbinHood also appears to be set up as a ransomware-as-a-service offering. The configuration is built from an embedded template and can be tailored to a specific target (ransom note, contact details, price) with a few fields entered into a control panel.
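The pre-encryption behaviour described above (stopping backup and security services, destroying shadow copies, disconnecting mapped shares) is also the most reliable place to catch this class of attack, because it happens minutes before encryption and the commands involved are rarely legitimate on a file server. The following is an added example, not code from the article, from the RobbinHood authors, or from any vendor: it runs a small set of indicator rules over constructed process-creation records (Sysmon event 1 or Security 4688 style, formatted here as `timestamp|host|user|parent|command line`) and raises an alert when one host shows two or more distinct staging techniques. The indicator set is generic ransomware staging behaviour, not a RobbinHood-specific signature, and the hostnames, users and timestamps are invented.

```python
"""Flag ransomware pre-encryption staging in Windows process-creation logs.

Added example for this article, not code from the RobbinHood authors or
from any vendor. Indicators are generic ransomware staging behaviour
(killing backup/security services, destroying shadow copies, disabling
recovery, disconnecting mapped shares); the sample events are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Indicator rules keyed by technique name. Each is a regex over the full
# command line; case-insensitive because Windows binaries and switches are.
RULES: dict[str, re.Pattern[str]] = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.I),
    "backup_catalog_wipe": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    # "net use * /delete" drops every mapped drive so backups on shares are unreachable
    "share_disconnect": re.compile(r"\bnet1?(\.exe)?\s+use\s+\*\s+/delete", re.I),
    "service_stop": re.compile(
        r"\b(sc(\.exe)?\s+stop|net1?(\.exe)?\s+stop|Stop-Service)\s+\S*"
        r"(backup|veeam|sql|defend|antivirus|sophos|malware)", re.I),
}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Split one pipe-delimited record; only the first four '|' are delimiters,
    because a command line may legitimately contain '|' itself."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    return Event(*parts)


def match_rules(cmdline: str) -> list[str]:
    """Names of every indicator the command line triggers (usually none)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def analyze(lines, threshold: int = 2) -> dict[str, dict]:
    """Group hits per host; alert when a host shows >= threshold distinct
    techniques. One vssadmin call may be an admin cleaning up, but shadow
    deletion plus share disconnect plus service kills is a staging pattern."""
    per_host: dict[str, dict] = defaultdict(lambda: {"techniques": set(), "events": []})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in match_rules(ev.cmdline):
            per_host[ev.host]["techniques"].add(rule)
            per_host[ev.host]["events"].append((ev.ts, ev.user, rule, ev.cmdline))
    for rec in per_host.values():
        rec["alert"] = len(rec["techniques"]) >= threshold
    return dict(per_host)


# Constructed sample telemetry (not real Baltimore data). The first FS01 line
# and the WS22 line are benign and must not fire.
SAMPLE_LOG = r"""
2019-05-07T04:12:03Z|FS01|CITY\svc_backup|C:\Windows\System32\svchost.exe|vssadmin.exe create shadow /for=C:
2019-05-07T04:13:10Z|FS01|CITY\jdoe|C:\Windows\explorer.exe|"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
2019-05-07T04:13:11Z|FS01|CITY\jdoe|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled No
2019-05-07T04:13:12Z|FS01|CITY\jdoe|C:\Windows\System32\cmd.exe|wbadmin delete catalog -quiet
2019-05-07T04:13:13Z|FS01|CITY\jdoe|C:\Windows\System32\cmd.exe|net use * /delete /y
2019-05-07T04:13:15Z|FS01|CITY\jdoe|C:\Windows\System32\cmd.exe|sc stop VeeamBackupSvc
2019-05-07T08:00:00Z|WS22|CITY\asmith|C:\Windows\explorer.exe|net use Z: \\FS01\finance
"""


def main() -> None:
    report = analyze(SAMPLE_LOG.strip().splitlines())
    for host, rec in sorted(report.items()):
        flag = "ALERT" if rec["alert"] else "info"
        print(f"[{flag}] {host}: {', '.join(sorted(rec['techniques']))}")
        for ts, user, rule, cmd in rec["events"]:
            print(f"    {ts} {user} {rule}: {cmd}")


if __name__ == "__main__":
    main()
```

In practice the same rules would be fed from a SIEM or EDR query rather than a text file, and the threshold should be tuned per host role: a backup server legitimately runs `vssadmin` and `wbadmin`, a file server almost never runs `bcdedit`, and no normal user disconnects every mapped drive at once. The correlation by host within a short window is what separates this from a noisy single-command alert.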
How can organizations battle these high-risk Ransomware attacks?
As with other aggressive, high-impact ransomware families (e.g. GandCrab), defending against RobbinHood requires a layered approach: there is no single control that stops a multi-stage, hands-on-keyboard intrusion. Mature, regularly tested Incident Response and Disaster Recovery plans are now critical tools in the organization's cyber-defense toolbox, because the question after an attack like Baltimore's is not whether some systems were encrypted but how quickly services can be restored from backups the attacker could not reach. Business and cyber resilience is an emerging organizational initiative that ties risk management, security, response, recovery, and strategic planning together to minimize the impact of unexpected events on the organization.
Here are five simple steps that can be added easily to a cyber-attack defense strategy:
Finally, on the subject of major ransomware attacks and scary exploits, this is a good time to remind readers of the importance of applying the latest Microsoft security updates. In May 2019 Microsoft took the unusual step, as it had done for WannaCry in 2017, of releasing security updates for unsupported but still widely used operating systems such as Windows XP and Windows Server 2003. It did so to head off another WannaCry-like outbreak from mass exploitation of a newly discovered Remote Desktop Services flaw (CVE-2019-0708, commonly called "BlueKeep") that Microsoft described as "wormable": it can be exploited over the network with no user interaction, so a single worm could spread from vulnerable host to vulnerable host.
The vulnerability affects Windows XP, Windows Server 2003, Windows 7, Windows Server 2008, and Windows Server 2008 R2; Windows 8 and Windows 10 are not affected. On May 30, 2019 Microsoft published a "reminder to update your systems" post noting that, while it had not yet seen widespread exploitation, it took about two months after the March 2017 fix for EternalBlue for WannaCry to surface. If a system cannot be patched immediately, enabling Network Level Authentication and blocking TCP port 3389 at the perimeter reduce exposure, but they are stopgaps rather than a fix. Contact us to learn more about ransomware, the damage it can cause to your systems, and the steps you can take to mitigate this risk.
Some recent Ransomware Attacks: