Robbinhood Ransomware Gang Still Operational

Robbinhood Ransomware Gang

Robbinhood History

One of the most notorious ransomware gangs from 2019 and 2020 is known as Robbinhood (with 2 B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost zero mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.

Expected Threat Actor

PacketWatch recently responded to an incident where the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the ransomware attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those that were documented in attacks three years ago.

Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:

  • Blackhole.exe
  • steel.exe
  • Runtime_Service.exe
  • robnr.exe
  • BlackholeCleaner.exe
  • NewBoss4.exe
  • Winlogon.exe

Initial Infection & Privilege Escalation

Blackhole.exe is the initial dropper, which copies the rest of the above-mentioned files to the hard drive. Blackhole.exe then executes steel.exe, a file that can disable processes such as antivirus or antimalware. To gain the access necessary to complete this task, it deploys another executable, robnr.exe, which in turn drops gdrv.sys, a legitimate and digitally signed kernel driver from Gigabyte. This specific kernel driver is vulnerable to CVE-2018-19320, which allows the attacker to take complete control of the system.

Figure 1: Malicious executables in Windows directory

Figure 2: Vulnerable Gigabyte driver installed as a service

Second Malicious Kernel-space Driver

With this level of control over the system, a second, malicious kernel-space driver rbnl.sys is run that can delete locked files and can kill processes.

Figure 3: Malicious kernel driver installed as a service

Lateral Movement

Like many other threat actors today, Robbinhood abuses AnyDesk (a legitimate IT tool for remote access) to move laterally between systems.
Figure 4: Evidence of AnyDesk used for lateral movement

Ransomware Execution

The ransomware executable is also dropped in C:\Windows\Temp by newboss4.exe and is named winlogon.exe, the name of a legitimate Windows binary. The threat actor registered it as a service titled WinNTRPC64.

Figure 5: NewBoss4 executable in Windows update directory

Figure 6: Ransomware executable installed as a service
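The service-based indicators described in the privilege escalation and ransomware execution sections above (the gdrv.sys and rbnl.sys driver services, a service binary dropped in C:\Windows\Temp, and a payload named after winlogon.exe) can be triaged from an exported service list. This is an added example written for this post, not PacketWatch's tooling; the service records and the driver paths are constructed, as the write-up names the drivers but not where they were placed.

```python
import ntpath
from dataclasses import dataclass

# Indicators named in the write-up: the vulnerable signed Gigabyte driver
# (gdrv.sys, CVE-2018-19320), the malicious rbnl.sys, and the WinNTRPC64 service.
KNOWN_DRIVERS = {"gdrv.sys": "vulnerable signed Gigabyte driver (CVE-2018-19320)",
                 "rbnl.sys": "Robbinhood kernel driver"}
KNOWN_SERVICES = {"winntrpc64"}
# Legitimate Windows binary names the payload masquerades as.
SYSTEM_NAMES = {"winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class Service:
    name: str
    image_path: str
    kernel_driver: bool = False  # True for SERVICE_KERNEL_DRIVER entries

def triage_service(svc: Service) -> list[str]:
    """Return the reasons a service record is suspicious (empty list if none)."""
    reasons = []
    path = svc.image_path.strip('"').lower()
    if path.startswith("\\??\\"):        # NT-style prefix seen on driver ImagePaths
        path = path[4:]
    base = ntpath.basename(path)         # ntpath handles backslashes on any OS
    if svc.kernel_driver and base in KNOWN_DRIVERS:
        reasons.append(f"driver {base}: {KNOWN_DRIVERS[base]}")
    if "\\windows\\temp\\" in path:
        reasons.append("service binary lives in Windows\\Temp")
    if base in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} outside System32 (masquerading)")
    if svc.name.lower() in KNOWN_SERVICES:
        reasons.append(f"service name {svc.name} matches Robbinhood IOC")
    return reasons

def triage(services: list[Service]) -> dict[str, list[str]]:
    """Map each suspicious service name to its list of reasons."""
    return {s.name: r for s in services if (r := triage_service(s))}

# Constructed sample records modelled on figures 2, 3 and 6 (paths are assumed).
SAMPLE = [
    Service("gdrv", r"\??\C:\Windows\Temp\gdrv.sys", kernel_driver=True),
    Service("rbnl", r"\??\C:\Windows\Temp\rbnl.sys", kernel_driver=True),
    Service("WinNTRPC64", r"C:\Windows\Temp\winlogon.exe"),
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same records can be pulled from the Services registry hive or a Win32_Service export and fed through triage().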

Ransomware Note

The ransom note has not deviated much from its original form. It continues to use poor English and includes taunts to the victim, such as “Just pay the ransomware and end the suffering then get better cybersecurity.” It also references previous known attacks from the group (Baltimore and Greenville cities).
Figure 7: Ransom note

Cleanup

Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages blackholecleaner.exe.

Figure 8: BlackHoleCleaner executable process

How to protect your organization

There are several steps organizations can take to help protect against Robbinhood and other forms of ransomware:

  1. Deploy Endpoint Detection and Response (EDR) across endpoints and servers
    • Many solutions have detection and prevention capabilities that will stop ransomware in its tracks
  2. Monitor network traffic for suspicious activity
    • Solutions such as PacketWatch provide full visibility into network traffic, allowing for the detection of anomalous and malicious traffic
  3. Implement and maintain data backups
    • Back up data regularly to offline/off-site storage
    • Test these backups regularly
  4. Implement multi-factor authentication (MFA) across the environment
  5. Regularly patch software and operating systems to the latest available versions
  6. Limit port and service exposure to the internet to reduce the attack surface

Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.

Happy Anniversary, Still WannaCry.

On Friday afternoon, May 12th, 2017, we started to hear about WannaCry ransomware, which would ultimately impact over 250,000 computers worldwide. WannaCry, EternalBlue, Shadow Brokers, and Server Message Block (SMB) exploits seem so long ago. What have we learned in those 5 years? Not enough, apparently.

Although the patch that would protect against WannaCry was issued by Microsoft on March 14th of that same year, it seems many organizations didn’t get around to installing it in time. Exploiting an SMB vulnerability efficiently abused by the NSA for years and then leaked to the public by the Shadow Brokers certainly caught people off guard. Ransomware has only accelerated from there. Some say we may have reached “peak ransomware” last year.

All these years later, organizations are still struggling to patch vulnerabilities before exploits take advantage of them. Or, unfortunately, they patch after the exploit has already been used against them and never check whether it was. You’re lucky to have one day to patch a critical vulnerability nowadays.

Over the past 5 years, businesses have purchased more security tools and bought cyber insurance policies in the hopes of mitigating costs associated with their accumulated technical debt. Gone is the thought that some “black box” artificial intelligence (AI) machine can solve all of your security problems without you having to do anything.

Cyber insurers have lost their rears and are pushing back — jacking premiums, cutting coverages, and low-balling recovery efforts. Insurers also started asking more questions in a vain attempt to better underwrite risks. Too late.

Even the SEC has stepped up its efforts to force companies to better disclose their cyber practices and risks to investors. Upstream supply chain partners are asking what you do to mitigate risks. It’s not just “are you doing something” any longer. It’s now “Are you doing the right things?”

So, what are the right things?

  1. You need to practice good cyber hygiene; identify and patch vulnerabilities; have a strong, resilient infrastructure; verified security controls; and well-rehearsed IR plans.
  2. You need an experienced security team with visibility over the network and hosts (not just hosts). Logs are great but come after the fact.
  3. You need battle-hardened humans that actually hunt for badness in your network before it gets you. Not some automated detection tool whose “check-engine light” goes on when the oil is low. You need real people looking for signs that other real people are exploiting weaknesses in your systems.
  4. You need to test your controls and procedures to see how effective they actually are.
With all due respect to your IT team, they just won’t measure up against an adversary funded by a foreign government.

  • What does targeted adversary activity look like in your environment?
  • Has your team ever experienced that?

Businesspeople are sick of the slick marketing hype from security vendors making exaggerated promises. Organizations need real solutions from seriously experienced people.

I hope that by the next anniversary of WannaCry, more people will have implemented the elements described above with internal resources or with a team like ours—hunting every day to identify and close security gaps.

If you need help, we are here and ready.

PacketWatch Cybersecurity Expertise used in Colonial Pipeline Ransomware Story

PacketWatch Cybersecurity Expertise used in Colonial Pipeline Ransomware Story

Blog | News

PacketWatch Cybersecurity Expertise used in Colonial Pipeline Ransomware Story

Investigative journalist Rich McHugh included PacketWatch’s cybersecurity expertise in his latest NewsNation Now story on the Colonial Pipeline ransomware attack.

In the video, Michael McAndrews, PacketWatch CTO, discusses:

  • The impact of malware and ransomware on organizations
  • How we never encourage paying a ransom
  • How planning will help you get ahead of the game
  • The importance of an Incident Response Plan

The Colonial Pipeline cyberattack has disrupted the gas and diesel supply throughout the southeast, creating a frenzy at the pumps and potentially raising the prices of goods and services reliant on fuel for transportation.

You can view the entire 3-minute story “Top US pipeline operator shuts major fuel line after cyber attack” with contributions from Stephanie Kelly and Christopher Bing on the NewsNation website.

“Ransomware and malware, in general, is a huge problem for companies right now. It puts jobs at risk. It puts livelihoods at risk. It costs companies millions of dollars.”

Michael McAndrews, Chief Technology Officer, PacketWatch

PacketWatch Featured in an Investigative Story on Ransomware Now Streaming on NewsNation

PacketWatch Featured in an Investigative Story on Ransomware Now Streaming on NewsNation

Blog | News

PacketWatch Featured in an Investigative Story on Ransomware Now Streaming on NewsNation

Emmy-Award-winning investigative journalist Rich McHugh sat down with PacketWatch CTO Michael McAndrews to better understand how and why cyber criminals target their victims.

They discussed the impact of malware and ransomware on companies and how to prepare for a cyberattack. Michael demonstrated how PacketWatch cybersecurity analysts use our proprietary tools to identify anomalous network activities and respond to a cyber incident.

Rich also spoke with a PacketWatch client about her experience with ransomware attacks and how organizations can protect themselves.

You can view the entire 6-minute story “Cyberattack Forces Arizona City Offline for Weeks, Experts Warn of Growing Trend” hosted by Rob Nelson and Marni Hughes on the NewsNation website.

“Sometimes, the criminals don’t even know who they’ve attacked. They’re simply casting a wide net and opportunity knocked when somebody clicked on a link or went to a bad website and got swept up in ransomware.”

Michael McAndrews, Chief Technology Officer, PacketWatch

Living Off the Land (LOTL): A Case Study

Living Off the Land (LOTL): A Case Study

Blog | Threat Intelligence Brief

Living Off the Land (LOTL): A Case Study

OVERVIEW

During a recent incident involving LockBit ransomware, we discovered a persistent credential harvester that was hidden as a scheduled task/process. We did a significant amount of investigation before unraveling the clues of what was creating alerts and attempting to beacon out to certain IP addresses in Latvia.

During this investigation, we uncovered a heavy reliance on inherent functions built into Windows that were abused in order to masquerade as other processes, steal passwords, and exfiltrate them out of the organization.

This behavior is often referred to as “Living Off the Land.” In other words, no malware was used, just clever use of what is already available within the operating system.
KEY FINDINGS

Latvian Connection

The use of a Latvian VPN provider was a central part of the attacker’s infrastructure. It was also referred to throughout the scripts in decimal format. The IP address in question, 1484238829, translated to 88[.]119[.]175[.]237 when converted.
Renaming PowerShell

In all cases when PowerShell was being used, it was renamed to “modpro.exe.”
Picking a Name

The scripts would also create a scheduled task, and name it from one of 9 templates:
Choosing a Birthdate

The newly created tasks would also change their modified dates to be 485 days in the past. This is a process known as “time stomping” and would frustrate any attempts to look for newly created scheduled tasks.
Conclusion

This malware-less attack was quite sophisticated and complex to unravel. The multiple layers involved and numerous steps associated are all included in our full report. This report also includes references to the different techniques employed and the ATT&CK framework.

IOCs

88.119.175[.]237

88.119.175[.]81
More Information

Please see the full report for in-depth details.
About PacketWatch

We are threat hunters, investigators, intelligence analysts, and cybersecurity experts with experience in federal law enforcement, national security, and enterprise IT. Leveraging our expertise and our innovative use of technology, we help our clients find security risks that others may miss.

Please visit us at https://packetwatch.com/