{
	"id": "b210e335-a386-4fc1-9d39-a89f60affe61",
	"created_at": "2026-04-06T00:11:14.347514Z",
	"updated_at": "2026-04-10T03:21:44.731075Z",
	"deleted_at": null,
	"sha1_hash": "8dd8f28c76dc807bc0f8b7a2e60568e4c689449d",
	"title": "“RobbinHood” ransomware takes down Baltimore City government networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34168,
	"plain_text": "“RobbinHood” ransomware takes down Baltimore City\r\ngovernment networks\r\nBy Sean Gallagher\r\nPublished: 2019-05-08 · Archived: 2026-04-05 19:10:35 UTC\r\nSystems at a number of Baltimore’s city government departments were taken offline on May 7 by a ransomware\r\nattack. As of 9:00am today, email and other services remain offline. Police, fire, and emergency response systems\r\nhave not been affected by the attack, but nearly every other department of the city government has been affected\r\nin some way.\r\nCalls to the city’s Office of Information Technology are being answered by a recording stating, “We are aware that\r\nsystems are currently down. We are working to resolve the issue as quickly as possible.”\r\nLester Davis, a spokesperson for Baltimore’s Mayor’s office, told the Baltimore Sun’s Ian Duncan that the attack\r\nwas similar to one that hit Greenville, North Carolina, in April.\r\nBaltimore Chief Information Officer Frank Johnson confirmed in a press conference today that the malware was\r\n“the very aggressive RobbinHood ransomware” and that the FBI had identified it as a “fairly new variant” of the\r\nmalware. This new variant of RobbinHood emerged over the past month.\r\nSecurity researcher Vitali Kremez, who recently reverse-engineered a sample of RobbinHood, told Ars that the\r\nmalware appears to target only files on a single system and does not spread through network shares. 
“It is believed\r\nto be spread directly to the individual machines via psexec and/or domain controller compromise,” Kremez said.\r\n“The reasoning behind it is that the ransomware itself does not have any network spreading capabilities and is\r\nmeant to be deployed for each machine individually.”\r\nThat would mean that the attacker would need to already have gained administrative-level access to a system on\r\nthe network “due to the way the ransomware interacts with C:\\Windows\\Temp directory,” Kremez explained.\r\nIn addition to requiring execution on each individually targeted machine, RobbinHood also requires that a public\r\nRSA key already be present on the targeted computer in order to begin encryption of the files. “That means that\r\nthe attacker likely deploys it in multiple steps, from obtaining access to the network in question, moving laterally\r\nto obtain administrative privileges for a domain controller or via psexec, deploy and save public RSA key and\r\nransomware on each machine and then execute it,” Kremez noted.\r\nSource: https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/"
	],
	"report_names": [
		"baltimore-city-government-hit-by-robbinhood-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8dd8f28c76dc807bc0f8b7a2e60568e4c689449d.pdf",
		"text": "https://archive.orkl.eu/8dd8f28c76dc807bc0f8b7a2e60568e4c689449d.txt",
		"img": "https://archive.orkl.eu/8dd8f28c76dc807bc0f8b7a2e60568e4c689449d.jpg"
	}
}