RobbinHood & his MerryMenn Collect Ransom(ware) – Have a Plan of Action to Manage (Cyber) Outlaw Attacks…
Maybe you’ve heard about it; maybe you haven’t, but the City of Baltimore is just getting over a serious Ransomware Attack. It took out a huge portion of their infrastructure and caused a massive amount of disruption.
To give them some credit, they elected not to pay the ransom. This is the approach encouraged by every Law Enforcement and Security firm out there.
The city has now pretty much sorted out the issues. They had 10,000 machines infected and it cost them around 10 million USD to get things sorted out. Considering that most of those 10,000 machines were likely desktops without backups, that works out to about 1000 USD per machine. This would include the man-hours to wipe each machine and reinstall all the necessary software. Depending on the licensing, some software would need to be purchased again. Honestly, that’s a good average.
It’s also estimated to have cost them about 8 million USD in revenue. So overall the impact on the organization was very serious.
Now then, for all the good things I’ve said so far, let’s talk about their failings: They were infected by the WannaCry Ransomware. This spread by making use of the EternalBlue exploit, which was made famous two years ago as one of the tools stolen from the NSA and made public by The Shadow Brokers.
The patch for this has been available for all versions of Windows for two years now. This tells me that the City of Baltimore still had at least 10,000 unpatched Windows machines in their network, two years later.
So, you would think that was the end of it; right?
Wrong! Shortly after they cleared that up, it was announced they were infected with another strain of Ransomware: a new variant called RobbinHood. Unlike WannaCry, it doesn’t make use of an exploit for initial infection. It just needs to be executed somehow (compromised machine, spam email, etc.). When it runs, it will try to shut down a whole list of Antimalware and Security Services, to avoid detection.
According to many reports, it’s installed after an attacker compromises an RDP connection.
Something else that’s been in the news recently is an RDP exploit, as well as a Botnet using brute-force attacks to compromise RDP connections exposed to the Internet.
As to how they got infected with the new strain of Ransomware, they haven’t said. However, given that they went more than two years without installing one patch, RDP certainly seems like a strong possibility.
It’s important to have a Plan of Action for what to do in case you get infected with Ransomware. First off, assume you will be infected. Second, assume everything will be infected; then simply proceed from there. It’s really not too hard:
1) Restore servers from backup
So, to do that you need to make sure you have a proper set of backups for your servers and that those backups are monitored and tested on a regular basis.
2) Make sure you have an accurate record of the software installed on your desktops
This is to make sure you know what to reinstall on everyone’s computer.
3) Put some kind of Ransomware detection in place
Remember, the plan assumes you’ve been infected, meaning the Ransomware has gone undetected by Antimalware software. There is software that detects Ransomware by its behaviour rather than by its signature.
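As an added illustration of the kind of behaviour-based detection step 3 refers to (and of the service-stopping behaviour of RobbinHood mentioned above), the following Python script is not from the original post or from TRINUS. It runs two simple heuristics over constructed sample data: a sliding-window count of files changed per process (with a check for many files gaining the same new extension), and a scan of Windows System log lines for stop events on security-related services. The event field layout, the process names, the file paths and the watched-service list are all assumptions made for the example.

```python
"""
Heuristic ransomware-activity detector (added example, not from the post).
Inputs are constructed sample feeds, not real telemetry:
  - FILE_EVENTS: (timestamp_seconds, process, operation, path, new_path)
  - SERVICE_LOG: Windows System log lines in Event ID 7036 style
The field layout and the watched-service list are assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# --- Constructed sample input -------------------------------------------

FILE_EVENTS = [
    # normal: a user saving a few documents over about a minute
    (0, "winword.exe", "write", r"C:\Users\bob\Docs\budget.docx", None),
    (20, "winword.exe", "write", r"C:\Users\bob\Docs\memo.docx", None),
    (55, "excel.exe", "write", r"C:\Users\bob\Docs\q2.xlsx", None),
] + [
    # suspicious: one process renaming a dozen files to the same unfamiliar
    # extension within a few seconds (constructed; process name is invented)
    (100 + i, "svchost_updater.exe", "rename",
     rf"C:\Shares\Finance\report{i}.pdf", rf"C:\Shares\Finance\report{i}.pdf.enc")
    for i in range(12)
]

SERVICE_LOG = [
    "7036 The Windows Update service entered the running state.",
    "7036 The Windows Defender Antivirus Service service entered the stopped state.",
    "7036 The Volume Shadow Copy service entered the stopped state.",
    "7036 The Print Spooler service entered the stopped state.",
]

# Services whose unexpected stop is worth an alert (assumed list for the example)
WATCHED_SERVICES = {
    "Windows Defender Antivirus Service",
    "Volume Shadow Copy",
    "Security Center",
}


@dataclass
class Alert:
    rule: str
    subject: str
    detail: str


def detect_mass_rename(events, window=30, threshold=10):
    """Flag a process that touches >= `threshold` distinct files within `window` seconds.
    Events are assumed to arrive in timestamp order; one alert per process."""
    per_proc = defaultdict(deque)  # process -> deque of (ts, path)
    alerts, already = [], set()
    for ts, proc, _op, path, _new in events:
        q = per_proc[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and proc not in already:
            already.add(proc)
            alerts.append(Alert("mass_file_change", proc, f"{len(distinct)} files in {window}s"))
    return alerts


def detect_common_new_extension(events, threshold=10):
    """Flag renames where one process gives many files the same new extension."""
    counts = defaultdict(set)  # (process, extension) -> set of new paths
    for _ts, proc, op, _path, new_path in events:
        if op == "rename" and new_path:
            ext = new_path.rsplit(".", 1)[-1].lower()
            counts[(proc, ext)].add(new_path)
    return [Alert("uniform_extension", proc, f".{ext} on {len(paths)} files")
            for (proc, ext), paths in counts.items() if len(paths) >= threshold]


# Matches the constructed 7036-style "entered the stopped state" lines
STOP_RE = re.compile(r"^7036 The (?P<name>.+?) service entered the stopped state\.$")


def detect_service_stops(lines, watched=WATCHED_SERVICES):
    """Flag stop events for services in the watched set."""
    alerts = []
    for line in lines:
        m = STOP_RE.match(line)
        if m and m.group("name") in watched:
            alerts.append(Alert("security_service_stopped", m.group("name"), line))
    return alerts


def run_all():
    """Run every rule over the sample feeds and return the combined alert list."""
    return (detect_mass_rename(FILE_EVENTS)
            + detect_common_new_extension(FILE_EVENTS)
            + detect_service_stops(SERVICE_LOG))


if __name__ == "__main__":
    for a in run_all():
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

Run as-is it raises four alerts: one for the burst of file changes by the invented process, one for the twelve files that all gained a `.enc` extension, and one each for the Defender and Volume Shadow Copy stop events; the user's normal document saves and the Print Spooler stop produce nothing. Thresholds and the watched-service list are the tuning knobs; a real deployment would feed these rules from an EDR or file-audit source rather than a constructed list.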
Depending on the software you use, this may mean some additional purchases to recover properly. It will also likely mean some overtime to get this done in a timely fashion. You can now set up a fund to help cover those costs. With a plan in place, you can also put some effort into minimizing those costs and streamlining the process. It may even help identify inefficiencies in current procedures.
If you have any questions about Ransomware Protection, you can always reach out to your TRINUS Account Manager for stress-free IT.
By kind courtesy of Your Friendly Neighbourhood Cyberman.