Baltimore Chief Information Officer confirmed that the malware attack was “the very aggressive RobbinHood ransomware” and that the FBI had identified it as a “fairly new variant of the malware”. Several new variants of RobbinHood have been emerging over the past month.
This malware appears to target only files on a single system and does not spread through network shares. “It is believed to be spread directly to the individual machines via psexec and/or domain controller compromise”. The ransomware itself does not have any network spreading capabilities and is meant to be deployed for each device individually.”
That would mean that the attacker would need to already have gained administrative-level access to a system on the network “due to the way the ransomware interacts with C:\Windows\Temp directory.
In addition to requiring execution on each individually targeted machine, RobbinHood also requires that a public RSA key already be present on the targeted computer in order to begin encryption of the files. “That means that the attacker likely deploys it in multiple steps, from obtaining access to the network in question, moving laterally to obtain administrative privileges for a domain controller or via psexec, deploy and save public RSA key and ransomware on each machine and then execute it”.
Before it begins encryption, RobbinHood malware shuts down all connections to shared network directories with a net use * /DELETE /Y command and then runs through 181 Windows service shutdown commands—including the disabling of multiple malware-protection tools, backup agents, and email, database, and Internet Information Server (IIS) administrative services. That string of commands—which starts with an attempt to shut down Kaspersky’s AVP agent—would create a lot of noise on any management system monitoring Windows systems’ event logs.