Chasing RobbinHood: Up Close with an Evolving Threat

A security researcher details how RobbinHood has changed and why it remains a threat for businesses to watch.

It has been over a year since the ransomware-as-a-service RobbinHood appeared in a major attack against the city government of Baltimore. While cybersecurity pros initially described it as amateur and unsophisticated, the ransomware has since changed in ways that make it a threat to watch.


James Jackson, an independent researcher who aided a global shipping firm in the aftermath of NotPetya and currently works for a multinational intelligence and consulting business, has been analyzing RobbinHood to trace its evolution. He discovered 19 RobbinHood binaries and linked six to confirmed attacks. The research led him to identify four distinct versions of the RobbinHood ransomware, each of which demonstrates growth in functionality and maturity.


"In a very short period of time, [RobbinHood] has rapidly advanced," Jackson says. "The fact they've escalated and refined their attack in a very short period of time, and developed an exploit with a malicious driver, indicates expertise and gearing up."


Version 0.1 of RobbinHood, used to target the cities of Baltimore and Greenville, is considered the most simplistic and unsophisticated. It functions to stop computer services that could prevent it from running, encrypt local files, and deploy a ransom note demanding payment in exchange for the files' return. It's noisy and noticeable, Jackson says, and the attackers implemented only crude means of preventing security researchers from analyzing the malware in a sandbox.


"The overarching theme from version one of the malware is that it was incredibly simplistic and it was fraught with problems and errors," he explains. Despite the damage it caused Baltimore, early analysis of RobbinHood revealed "juvenile na ..
