Back in May, the city of Baltimore was brought to a standstill. All of the city hall’s systems were infected with a new ransomware variant called RobbinHood. The cyberattacker demanded a 13 bitcoin ($76,000; €68.9612) ransom to decrypt the systems. This same variant was first seen in an attack on the city of Greenville, North Carolina in April.

RobbinHood uses its infamy

These two incidents made headlines when they were made public, mainly due to the scale and severity of the attacks. Now the attackers behind RobbinHood seem to be using this fact for their own gain. Joakim Kennedy, a cybersecurity researcher, has discovered a new variant of the malware. In this version, the ransom note suggests that the victim Google Baltimore and Greenville to understand how serious their situation is, and to remove all hope of decrypting the affected files for free.

The note also lets the victim know that the attacker has been on their network for some time, investigating its weak points, and that they must pay the ransom within four days. “…if you don’t pay in the specified duration, the price increases $10,000 each day after that period… Don’t call FBI [sic] or other security organizations.”

As well as boasting about their past success, the attackers also highlight the fact that there is no public decryption tool to recover the affected files; this means that it is impossible to recover them without the attackers’ private key.

RobbinHood ransom note. Source Bleeping Computer

The damage caused by a RobbinHood attack

When we take a look at the damage that a RobbinHood attack can cause, it is not surprising that the incident in Baltimore got so much attention, or that the attackers want to use the incident to try to get more money. Although the ransom demanded was $76,000, the city ended up spending $4.6 million on recovering all the data on the affected computers, and the systems were out of service for nearly a month.

However, the city hall estimates that, by the end of the year, it will have spent $5.4 million more, bringing the total to $10 million. And this figure doesn’t include potential loss of revenue due to non-payment of fines, taxes and other fees when the systems were out of action. Other sources cite an even higher figure:: 18 million dollars.

Learn from Baltimore’s mistakes

While it is true that RobbinHood caused a lot of damage in the city’s systems, it is also true that the city’s actions, both before and after the incident, have been criticized and contributed to the increased costs. The first criticism was the about the fact that the city—unlike Atlanta, which suffered a ransomware attack in 2018—didn’t have any insurance to cover the costs of a cyberattack, in spite of warnings from the head of security. Nor did the city have a cybersecurity training plan for its employees, and, although backups had been made, it is unclear whether they were enough to be able to recover the system. What’s more, the mayor refused to confirm the existence of a disaster recovery plan to help deal with ransomware attacks.

Avoid the costs of ransomware

Unfortunately, the attackers’ claims are true: for the time being, there is no public decryption key for RobbinHood. However, this doesn’t mean that paying the ransom is the solution to a ransomware attack In fact, cybersecurity experts agree that paying the ransom only adds to the problem, encouraging and funding cybercriminals to keep carrying out attacks, and the funds are used to carry out more criminal activities. At Panda Security, we agree with this stance, and also remind you that paying the ransom in no way guarantees that you’ll recover your data.

One of the most important protection measures is to create backups in order to return to normality as soon as possible. It is also a very good idea to have an incident response plan in order to know how to act if your company is affected a threat of this kind.

Along with this advice, it is worth remembering that ransomware has a wide range of TTPs to get onto organizations’ IT systems. This is why it is vital to know exactly what is happening on the system at all times, thus reducing the attack surface. One of the principals on which Panda Adaptive Defense‘s advanced cybersecurity is based is the classification of 100% of processes. This way, your IT system can automatically adapt to the evolution of attacks. It also provides total visibility.

When the Baltimore incident began, many news outlets reported that the ransomware had got onto the systems via the vulnerability EternalBlue, although this was later refuted by some researchers. Whatever the cause was, the fact remains that many ransomware attacks leverage vulnerabilities to access corporate networks. To respond to this kind of incident, Panda Adaptive Defense has an additional module, Panda Patch Management. It monitors and prioritizes updates so that you can be sure to always have the best protection against vulnerabilities. This way, you’ll be able to manage the patches needed for your company, without having to invest more time or resources in it. And you’ll complete your protection system in order to shield your assets against attack trends like RobbinHood.