RobbinHood Ransomware Assaulting Cities and Businesses

Ransomware is perhaps one of the most tossed around buzzwords today. In reality, ransomware is simply the word used to describe malicious software that scrambles the data of a system and renders it completely inaccessible until the ransom is paid. In recent years, the ransomware variant titled ‘RobbinHood’ has seen a major uptick in infecting public municipalities.

 It is worthy of a spotlight because unlike traditional ransomware strains, it does not require user intervention to click on a link or open a macro embedded PDF. 

RobbinHood gained fame in 2019 when it was used to attack the city of Baltimore. Ultimately shutting down their bill pay systems such as the water, permit, and property transaction software. In this case, the threat actors requested 13 bitcoins (~$76,280) to regain access to all of the systems. However, they also took into consideration this might be too demanding of an amount and so they were also willing to accept 3 bitcoins (~$17,600) per system. 

Unfortunately for the hackers, Baltimore opted not to pay any ransomware under the notion to avoid negotiating or rewarding criminal behavior. Additionally, experts in the FBI and Secret Service warned Baltimore that paying the ransom could lead to more damage. Nonetheless, it currently estimated that the lost revenue and cost to purchase new hardware have cost the city Baltimore $18 million to remediate (godspeed to the teams who re-authenticated 10,000 Baltimore personnel, re-imaged systems, etc.). In lieu of avoiding a similar financial loss, several cities who were hit by RobbinHood have chosen to pay the RobbinHood ransomware. This blog, however, is not about discussing the conundrum of ransomware payment but aims to uncover what sets RobbinHood ransomware apart from its predecessors. 

First off, researchers found RobbinHood exploited vulnerabilities in the Remote Desktop Protocol to carry out the delivery phase of the ransomware attack. In this initial step, threat actors targeted low hanging fruit organizations who were not patched, quickly weeding out protected organizations. Next, RobbinHood has had a high infection rate because it used legitimate hardware drivers to evade detection. The drivers themselves are not ransomware but merely act as a vehicle to introduce it.

The term ‘BYOB,’ or bring your own bug was a term coined by the security company SophosLabs to illustrate how RobbinHood infects. The infection technique uses a vulnerable driver update from Gigabyte, a PC manufacturer and distributor, who commonly release updates. Windows mistakenly accepts this Gigabyte driver as a “patch” because it is digitally signed by the motherboard manufacture and ostensibly should be safe. After Windows loads the driver, RobbinHood exploits the CVE 2018-19320, which allows the signature of the deprecated kernel driver to still be valid. Thus, it grants an adversary full control of a system. 

The poorly signed Gigabyte driver just so happens to contain a privilege escalation vulnerability that allows bad actors to stop services such as anti-virus products. It is during this step the attacker can finally see the light at the end of the RobbinHood tunnel. The threat actor will shut down security products to freely perform the original objective without being detected, resulting in a system infection. SophosLab researchers are predicting we will see this CVE increasingly replicated as more Gigabyte drivers become deprecated and their signatures remain valid.

The time-saving capabilities are what make the RobbinHood variant a cybercriminal favorite. Since it uses the “bring your own bug’ tactic, adversaries no longer have to identify shortcuts into a system or how to tamper security services. Unfortunately, the uptick in untraceable crypto-currency and dependency on information systems has contributed to the increased proliferation of ransomware attacks like RobbinHood. Additionally, government municipalities, healthcare, and small to medium-sized organizations commonly either do not have the capital to protect systems or do not spend it properly. This demonstrates the conflict that ransomware victims encounter: open a smaller part of your wallet to get critical systems back, or refuse — potentially costing thousands more overall.


What is your organization doing to mitigate and deter ransomware attacks? Call us and schedule a free session to discuss how you can effectively allocate funding to cybersecurity and prevent ransomware before it is too late.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.