
The operators behind the RobbinHood ransomware have changed their language in the ransom note, at least in one variant of the malware, to take from victims all hope of decrypting the files for free and to make them pay for the recovery.
Boastful and arrogant in their message, the cybercriminals point to past incidents involving their ransomware, which ended with victims paying much more than the ransom demand.
Building a reputation
They emphasize the fact that there is no decryption tool available for the encryption scheme implemented in RobbinHood ransomware, so it is "impossible to recover" the files without the private key and their unlocking software.
To make sure victims get their message, the cybercriminals direct them to search for two incidents earlier this year involving RobbinHood, which affected systems in Greenville, North Carolina, and the more famous one on May 7 impacting the servers of Baltimore City.
While opportunistic, the Baltimore attack made the rounds because of the high costs it generated. The initial demand from the hackers was $76,000 to decrypt data on all affected machines, but the recovery efforts ended up costing the administration $4.6 million.
The losses do not stop at this, though, as the city estimated spending another $5.4 million by the end of the year. And these $10 million do not include the potentially lost or delayed revenue from fines, property taxes, and other fees.
According to CBS Baltimore in June, the city "put more than $18 million into the attack." In more recent news, the administration at the end of August voted to spend $6 million on "cyber-attack remediation and hardening of the environment," the Baltimore Sun reports.
It should be noted, though, that a bill this large was not RobbinHood's doing alone. The state of the city's defenses before the attack and the way the incident was handled afterwards are the main reasons the costs ran so high.
Reaping the benefits
This attack alone is enough to create a reputation, and RobbinHood operators are now using it to their advantage. This ransomware is known to target organizations rather than home users and to spread through compromised remote desktop services or via other malware already present on the network.
The new ransom note, spotted by Joakim Kennedy in a new RobbinHood variant, tells the victim that the threat actor had been lurking on the local network for some time to learn the environment and achieve a wider spread. The ransom can be paid per infected system or for all of them at once.
"You must pay us in 4 days, if you don't pay in the specified duration, the price increases $10,000 each day after that period. After 10 days your keys and your panel will be removed automatically," reads the ransom note.
The instructions warn the victim not to work with the FBI or other security organizations, and not to upload files to the VirusTotal scanning platform. The note also claims that turning off the systems, renaming the files or trying to recover the computer "will damage your files."

Indeed, no public decryption tool is available for the moment. But paying the ransom should not be the only way out of a RobbinHood incident. A proper backup system, with access restricted so that an attacker holding domain credentials cannot reach or encrypt the copies, with copies stored offsite or offline, and with restores that have actually been tested, is a sound response to any ransomware attack.