Baltimore City Hall, where the ransomware battle continues. Alex Wroblewski/Getty Images
Over the past few weeks, a Twitter account that has since been confirmed by researchers to be that of the operator of the ransomware that took down Baltimore City's networks on May 4 has posted taunts of Baltimore City officials and documents demonstrating that at least some data was stolen from a city server. These documents were posted in response to interactions I had with the ransomware operator in an attempt to confirm that the account was not a prank.
In their last post before the account was suspended by Twitter yesterday, the operator of the Robbinhood account (@robihkjn) answered my question, "Hey, so did you use EternalBlue or not?":
absolutely not my friend
The account was shut down after its operator posted a profanity- and racist-tinged final warning to Baltimore City Mayor Bernard "Jack" Young that he had until June 7 to pay for keys to decrypt files on city computers. "In 7 Jun 2019 this is your dead line," the post stated. "We'll remove all of things we had about your city and you can tell other [expletives] to help you for getting back… This is final dead line." The same messages were posted to the Web "panel" associated with the Baltimore ransomware, according to Joe Stewart, an independent security consultant working on behalf of the cloud security firm Armor, and Eric Sifford, a security researcher with Armor's Threat Resistance Unit (TRU).
Proof of compromise
A document posted by the Baltimore ransomware operator, with personal data redacted, shows it was faxed to the city on May 3.
The Tor Web "panel" used in conjunction with the Baltimore Robbinhood ransomware attack.
A screenshot of the Tor-based ransomware site tied to the Baltimore ransomware attack, showing the link to the Robbinhood Twitter account.
The Robbinhood account's initial post included extremely low-resolution images to prove that the person or group behind the account had access to Baltimore City's network before the ransomware was triggered. That image included passwords to a shared network directory used for installing an older version of Symantec Endpoint Protection, an image of a faxed subpoena for a lawsuit against the mayor's office, and what appear to be lists of user names and hashed passwords for various city employee accounts.
But the age of the documents and their resolution led some (including me) to question their authenticity. I replied to the post, stating these doubts.
On May 28, the person or persons behind the Robbinhood account responded by posting another file to a file-sharing site and sharing the link. That file, downloaded by researchers at Armor, was a PDF of a faxed document related to another lawsuit against the city, dated May 3. The PDF's metadata indicated that it was created by a networked Xerox fax machine on Baltimore City's network. Another document, posted on June 3, was a cover sheet from a fax regarding a workman's compensation claim sent to the mayor's office the week before.
The final confirmation that the Twitter account was linked to the ransomware attack came when the operators posted a link to the Twitter account, along with the same final warning, to the Tor-based Web panel set up for communications with the city, shown above. (The "you" in the conversation is either a city employee or a security researcher.)
Ransomware samples analyzed by researchers and by Ars do not offer any hints of how they were distributed. The ransomware sample from Baltimore, a 2.9MB Windows executable written in Go, is nearly identical to earlier versions of Robbinhood obtained by researchers. It does not include any code for seeking out other vulnerable machines, and it fails to run if a public key has not been deposited in the expected location on the targeted computer. While the ransomware uses RSA encryption, it links in functions from the entire Go cryptography library rather than only the RSA package. Artifacts within the code show it was compiled from source by someone with a Windows user name of "valery."
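The paragraph above notes that the binary was compiled from source and that a Windows user name survived in it as a build artifact. As an added example that is not from the article or from any of the researchers it quotes, the following Python shows the kind of triage a defender does to recover such artifacts: it scans a binary blob for the source-file paths the Go toolchain embeds in compiled executables and infers the build account from Windows user-profile paths. The blob is constructed here (it is not the Baltimore sample), the forward-slash path layout is an assumption about how Go records Windows build paths, and the account name `someuser` is a placeholder.

```python
import re
from typing import Optional

# Constructed sample: strings of the kind a Go toolchain embeds in a Windows
# PE (source paths from the build host) interleaved with binary noise.
# This is NOT data from any real sample; "someuser" is a placeholder.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90\x00\x03\x00\x00\x00"
    b"C:/Users/someuser/go/src/robbinhood/main.go\x00"
    b"\x13\x37C:/Users/someuser/go/pkg/mod/golang.org/x/crypto@v0.0.0/ssh/keys.go\x00"
    b"crypto/rsa.(*PrivateKey).Decrypt\x00"
    b"C:/Go/src/crypto/rsa/rsa.go\x00"
    b"\xff\xfe"
)

# Assumption: Go records build paths with forward slashes even for Windows
# builds, so a user-profile path looks like "C:/Users/<name>/...".
USER_PATH_RE = re.compile(rb"[A-Za-z]:/Users/([^/\x00]+)/")
GO_SRC_RE = re.compile(rb"[A-Za-z]:/[^\x00]*?\.go\b")


def go_source_paths(blob: bytes) -> list[str]:
    """Return the distinct Go source-file paths embedded in the binary, in order."""
    seen: list[str] = []
    for m in GO_SRC_RE.finditer(blob):
        path = m.group(0).decode("ascii", "replace")
        if path not in seen:
            seen.append(path)
    return seen


def build_username(blob: bytes) -> Optional[str]:
    """Infer the build host's Windows account from user-profile paths.

    Returns None when no such path is present, or when the paths name more
    than one account (an ambiguous artifact is not worth reporting).
    """
    names = {m.group(1).decode("ascii", "replace")
             for m in USER_PATH_RE.finditer(blob)}
    return names.pop() if len(names) == 1 else None


def uses_go_rsa(blob: bytes) -> bool:
    """Cheap indicator that Go's standard crypto/rsa package was linked in."""
    return b"crypto/rsa" in blob


if __name__ == "__main__":
    print("build account:", build_username(SAMPLE_BLOB))
    print("links crypto/rsa:", uses_go_rsa(SAMPLE_BLOB))
    for p in go_source_paths(SAMPLE_BLOB):
        print("source path:", p)
```

On a real file you would pass the executable's bytes in place of `SAMPLE_BLOB`; the paths also tell you which third-party modules were vendored, which is useful for clustering samples from the same build environment.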
Honor among thieves
The assertion by Robbinhood's operator that EternalBlue was not used to spread the ransomware within Baltimore City's networks is obviously not hard evidence that the NSA exploit exposed by the Shadow Brokers wasn't used in the attack. There are a number of reasons the attacker would lie about it, including boosting their marketing message. Stewart and Sifford said they believe the attacker is likely using the attack on Baltimore as a way to get publicity for offering Robbinhood as a ransomware-as-a-service offering, allowing others to rent the ransomware to extort victims of their own. Revealing the exploits used to spread the ransomware would be, in that case, a terrible business move.
Making such a big publicity play over a ransomware target is unusual in such attacks, as is posting evidence of compromised files, because that is generally bad for business. Organizations that pay ransomware demands usually do so to avoid publicity and under the assumption that none of their data was stolen. But government targets are less likely to pay, and seeking publicity may be a way to build political pressure on the target to pay up.
There is another possible explanation for the behavior of the Robbinhood attacker: they may have been in Baltimore's network for some time and launched the ransomware only after extracting whatever value they could from network access. In that case, there is no telling what other data was taken from the city's network.