Baltimore ransomware perp pinky-swears he didn’t use NSA exploit

Enlarge / Oh, Baltimore. (credit: Alex Wroblewski/Getty Images)

Over the past few weeks, a Twitter account that has since been confirmed by researchers to be that of the operator of the ransomware that took down Baltimore City’s networks May 4 has posted taunts of Baltimore City officials and documents demonstrating that at least some data was stolen from a city server. Those documents were posted in response to interactions I had with the ransomware operator in an attempt to confirm that the account was not a prank.

In their last post before the account was suspended by Twitter yesterday, the operator of the Robbinhood account (@robihkjn) answered my question, “Hey, so did you use EternalBlue or not?”:

absolutely not my friend

The account was shut down after its operator posted a profanity and racist-tinged final warning to Baltimore City Mayor Bernard “Jack” Young that he had until June 7 to pay for keys to decrypt files on city computers. “In 7 Jun 2019 that’s your dead line,” the post stated. “We’ll remove all of things we’ve had about your city and you can tell other [expletives] to help you for getting back… That’s final dead line.” The same messages have been posted to the Web “panel” associated with the Baltimore ransomware, according to Joe Stewart, independent security consultant working on behalf of the cloud security firm Armor, and Eric Sifford, security researcher with Armor’s Threat Resistance Unit (TRU).