RobbinHood Ransomware Attack Brings Down Baltimore

Since May 7, Baltimore has been dealing with a ransomware attack that brought many city systems to a standstill. Hackers seized parts of the computer systems that run Baltimore’s government. A classic ransomware assault, the attack used malware known as “RobbinHood”. City workers’ screens suddenly locked, and a message in broken English demanded over $100,000 in Bitcoin to free their files. Obtained by The Baltimore Sun, it said, “We’ve been watching you for days. We won’t talk more, all we know is MONEY! Hurry up!”

The city immediately notified the F.B.I. and took systems offline to keep the ransomware from spreading. Unfortunately, by then, it had already affected voice mail, email, a parking fines database, real estate sales, and a system used to pay water bills, property taxes, and vehicle citations. It could take months of work to get the disrupted technology back online.

Experts don’t believe that hackers sought out Baltimore specifically. In fact, Lawrence Abrams, the creator and owner of Bleeping Computer, a technology news site, said: “I think it was purely an opportunistic attack”.

In April, officials in Greenville, N.C., discovered they were also victims of RobbinHood. The city declined to pay the ransom, and the attack remains under investigation by the F.B.I.

Controversy Over Blame

RobbinHood is a relatively new ransomware variant. A controversial debate has now begun over who is to blame, following accusations that the National Security Agency, or N.S.A., developed a vital component of the malware.

It seems that in 2017 the N.S.A. lost control of the hacking tool EternalBlue when a still-unidentified group calling itself the Shadow Brokers released it online. State hackers in North Korea, Russia and, more recently, China have all since picked up the tool. Thomas Rid, a cybersecurity expert at Johns Hopkins University, called the Shadow Brokers episode “the most destructive and costly N.S.A. breach in history”. He says it’s more damaging than the better-known leak in 2013 from Edward Snowden, the former N.S.A. contractor. Additionally, security experts say EternalBlue attacks have reached a high, and cybercriminals are zeroing in on vulnerable American towns and cities, paralyzing local governments and driving up costs.

The tool exploits a vulnerability in unpatched software that allows hackers to spread their malware faster and farther than they otherwise could. The hackers in the Baltimore case paired RobbinHood with EternalBlue, which allowed the malware to circulate more efficiently. The N.S.A. denies any responsibility. Rob Joyce, N.S.A. Senior Adviser, suggested that organizations have had two years to update their systems to protect against EternalBlue, and that the N.S.A. should not be held responsible for any of those hacks in 2019.

Sextortion Scams & Cyber Blackmail on the Rise

Sextortion scams are on the rise, and cyber criminals are using our discomfort in talking about this subject to continue exploiting us. Because the topic is a bit embarrassing for some, communication and awareness of the scam are sorely lacking. This episode of Sileo On Security is meant to put an end to that.  

Sextortion scams, simply put, are a type of blackmail. In a mass-generated email that feels like someone is watching you (they aren’t), the (s)extortionist most often claims to have photos or videos of you, the victim, in embarrassing situations such as watching adult entertainment on your computer. To put you in a panicked state where you react before thinking, the criminal threatens to send the compromising materials to your entire email address book if you don’t pay a ransom within a short time period. Sex + Extortion = Sextortion. 

At this point, the scammer can take the sextortion scam in several directions. They can try to get you to make an anonymous, untraceable and completely unrecoverable Bitcoin or cryptocurrency payment into their digital wallet. Or they might request access to your device, supposedly to help you clean the RAT off of your machine.

Hang on, what does a RAT have to do with sextortion scams?

In a new twist on old sextortion scams, hackers claim to have installed a Remote Access Trojan (RAT) on your system, allowing them to take complete control of the device. With this “control”, they threaten to send out compromising files (e.g., videos of you watching pornography) directly from your computer, making it look like you yourself sent the embarrassing materials.

To increase the credibility of their claims and your level of panic, they often reveal a password of yours within the email that they have supposedly “hacked in the process”. This is completely freaky and makes you feel grossly uncomfortable, like you’ve done something wrong – which is EXACTLY what they want. While the password they reveal may be a bit old, it’s often a password you once used, which lends credence to their claims and puts you in a mindset to pay their ransom demands or otherwise follow their instructions.

You should know that the password they are using was most likely exposed in an earlier data breach that included your account. It might have come from the LinkedIn, Anthem, Equifax, Yahoo or another breach from years past. But the result is the same – you feel like you’ve totally been hacked.

To make matters worse and ratchet up the believability of sextortion scams, the “From:” field in the sextortion email has your name and email address in it, making it look like the hacker has in fact gained access to your email program and sent you an email through your own account. This is a simple technique called spoofing: the From: header of an email is just text the sender fills in, so it proves nothing about who actually sent the message, but it reinforces the suspicion that your machine has in fact been taken over.
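To show what a mail administrator or a curious recipient can check instead of trusting the From: line, here is an added Python example (not code from the original post) that parses two constructed messages and flags the signals described above: a From: address equal to the recipient, an envelope sender (Return-Path) from a different domain, an SPF or DKIM failure recorded by the receiving server, and body content that claims a RAT, quotes a “password”, names a Bitcoin address and sets a deadline. The sample messages, the addresses, the password and the wallet string are all made up for the demo; the headers inspected are standard mail headers.

```python
"""Flag the tell-tale signs of a mass-mailed sextortion email.

Added example, not code from the original post. Both raw messages are
constructed for the demo; the headers inspected are standard mail headers.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed sample 1: the "sent from your own account" sextortion email.
SEXTORTION_RAW = """\
Return-Path: <bounce@mailer-example.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.invalid; dkim=none
From: Jane Doe <jane.doe@example.com>
To: jane.doe@example.com
Subject: jane.doe - hunter2
Content-Type: text/plain; charset=us-ascii

I know hunter2 is your password. I installed a RAT on your device and
recorded you. Send 900 USD in bitcoin to 1AbCdEfGhJkMnPqRsTuVwXyZ2345679abcdef
within 24 hours or the video goes to all your contacts.
"""

# Constructed sample 2: an ordinary message from a colleague, for contrast.
LEGIT_RAW = """\
Return-Path: <bob@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Bob <bob@example.com>
To: jane.doe@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=us-ascii

Are you free for lunch on Thursday around noon?
"""

# Loose heuristics: legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses,
# malware claims, and "pay within N hours/days" pressure.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,39})\b")
MALWARE_CLAIM = re.compile(r"\b(?:rat|trojan|malware|keylogger|spyware)\b", re.I)
DEADLINE = re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I)


def parse_message(raw: str) -> Message:
    return email.message_from_string(raw)


def _mailbox(header_value: str) -> str:
    """Bare, lower-cased address from a header such as 'Name <user@host>'."""
    return parseaddr(header_value)[1].lower()


def _domain(header_value: str) -> str:
    return _mailbox(header_value).rpartition("@")[2]


def from_equals_recipient(msg: Message) -> bool:
    """The spoofing trick from the post: From: carries the victim's own address."""
    sender = _mailbox(msg.get("From", ""))
    return bool(sender) and sender == _mailbox(msg.get("To", ""))


def envelope_mismatch(msg: Message) -> bool:
    """The envelope sender (Return-Path) is from a different domain than From:."""
    return_path = _domain(msg.get("Return-Path", ""))
    return bool(return_path) and return_path != _domain(msg.get("From", ""))


def authentication_failed(msg: Message) -> bool:
    """The receiving server recorded an SPF or DKIM failure for the claimed sender."""
    results = msg.get("Authentication-Results", "").lower()
    return any(tag in results for tag in ("spf=fail", "spf=softfail", "dkim=fail"))


def body_text(msg: Message) -> str:
    """All text/plain parts, decoded; walk() yields the message itself if single-part."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def sextortion_indicators(msg: Message) -> dict:
    """Header and content signals, reported separately so a triager can see which fired."""
    text = body_text(msg)
    return {
        "from_equals_recipient": from_equals_recipient(msg),
        "envelope_mismatch": envelope_mismatch(msg),
        "authentication_failed": authentication_failed(msg),
        "claims_malware": MALWARE_CLAIM.search(text) is not None,
        "mentions_password": "password" in text.lower(),
        "bitcoin_address": BTC_ADDRESS.search(text) is not None,
        "deadline_pressure": DEADLINE.search(text) is not None,
    }


def is_likely_sextortion(msg: Message) -> bool:
    """Self-addressed From: that fails an envelope or auth check, plus two or more content signals."""
    ind = sextortion_indicators(msg)
    spoofed_self = ind["from_equals_recipient"] and (ind["envelope_mismatch"] or ind["authentication_failed"])
    content_hits = sum(ind[k] for k in ("claims_malware", "mentions_password", "bitcoin_address", "deadline_pressure"))
    return spoofed_self and content_hits >= 2


if __name__ == "__main__":
    for label, raw in (("sextortion", SEXTORTION_RAW), ("legit", LEGIT_RAW)):
        msg = parse_message(raw)
        print(label, is_likely_sextortion(msg), sextortion_indicators(msg))
```

The header checks are the part worth copying: a From: line that matches your own address means nothing on its own, but when the Return-Path domain differs and the Authentication-Results header (which your own mail server, not the sender, writes) records an SPF or DKIM failure, you are looking at a forged sender, not a compromised account. The body patterns are deliberately loose and exist only to separate a forged sextortion mail from a merely misconfigured newsletter.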

Dealing with Sextortion Scams without Losing Your Pants

Here’s what you need to know. Except in very rare cases, everything about sextortion is a complete hoax, including the claims that they have photos or videos of you, that they’ve successfully placed a RAT on your machine or that they can read and record your every keystroke. This is simply a more effective type of scam known as spear phishing, which just means that they are using previously obtained information (like your breached password) to gain your trust, targeting you like a spear targets a fish, before they use it against you.

If you’ve received the email at work, report it to your IT department and follow your organization’s procedures for scam emails. Everyone else should do the following:

  • Be suspicious of all emails, calls, texts or conversations that use fear or embarrassment to get you to act. If you have been in one of my keynote speeches, you’ve already been trained on a B.S. Reflex – a natural tendency to Be Skeptical before you act.
  • Never open any attachments or click on any links that you haven’t first verified as legitimate. When in doubt, delete the email and never respond to it.
  • Never provide personal information unless you can confirm the legitimate source of the request and safe transmission of the data.
  • Turn off and cover your webcam when not in use. I simply place a sticky note over mine and take it off when I am using it.
  • Finally, make sure that any passwords revealed in the email aren’t still in use on ANY of your online accounts. This is an excellent chance to update any weak passwords in password management software like 1Password, Dashlane or LastPass.

And most importantly, don’t be ashamed. Cyber criminals are mass mailing sextortion schemes to hundreds of millions of people, playing on one of our greatest fears – that of being publicly embarrassed.

Take a minute to educate someone you care about on email extortion and then check back with Sileo On Security for updates on this and other scams. It’s my goal in life to never let the enemy win.

John Sileo is the award-winning author of the newly released mini-book Your Data is Showing: 12 Privacy Tools for the Surveillance Economy. His greatest enjoyment comes from energizing keynote audiences to care about cybersecurity, privacy and cutting-edge tools of information weaponization. Watch him on 60 Minutes, Anderson Cooper, Rachael Ray or on stage. Contact him directly at 303.777.3221.