
Cyber Incident Victim: City of Greenville

Date:

Apr 2019

Location:

United States of America

Summary

The City of Greenville experienced a ransomware attack attributed to the RobbinHood variant, which encrypted its network and forced the city to shut the network down while it assessed the damage. The attackers demanded escalating Bitcoin payments for decryption, claiming to protect victim privacy by deleting encryption keys and IP addresses after payment, while discouraging breach disclosure. Multiple agencies, including the FBI and the National Guard, investigated the incident. RobbinHood targeted entire networks, dropping ransom notes with payment instructions and Tor-based communication channels, though no victims were known to have paid the ransom at the time of reporting.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On or around April 10, 2019, the City of Greenville, North Carolina, experienced a ransomware attack attributed to the RobbinHood strain, forcing an immediate shutdown of its municipal network. The attackers infiltrated the network and encrypted files across multiple systems, renaming them with extensions such as "Encrypted_b0a6c73e3e434b63.enc_robbinhood" to mark compromised data. Four distinct ransom notes (_Decryption_ReadMe.html, _Decrypt_Files.html, _Help_Help_Help.html, and _Help_Important.html) were dropped simultaneously, directing victims to Tor-based payment portals hosted at xbt4titax4pzza6w.onion and its .pet and .to mirror addresses. The ransom demand offered two payment tiers: 3 bitcoins to decrypt a single workstation or 7 bitcoins for full network restoration, with a $10,000 daily penalty increase after the fourth day. The attackers asserted the use of RSA-4096 asymmetric encryption, claiming exclusive control over the private keys required for decryption. Notably, the operators emphasized victim privacy, stating they would delete encryption keys and IP addresses after payment, and discouraged breach disclosure by assuring victims that no network data resided on their servers.
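The file extension and the four ransom note names above are the host-level indicators a responder would hunt for first. The following is an added example (not part of the incident record or any tool the page describes) that walks a directory tree, matches those indicators, and returns a verdict; the sample tree it builds is constructed test data, and the second hex identifier in it is made up.

```python
import os
import re
import tempfile

# Indicators from the incident description: the encrypted-file naming pattern
# and the four ransom note filenames. Matching is case-insensitive so the
# check behaves the same on case-insensitive filesystems.
ENCRYPTED_NAME_RE = re.compile(r"^Encrypted_[0-9a-f]{16}\.enc_robbinhood$", re.IGNORECASE)
RANSOM_NOTE_NAMES = {
    "_decryption_readme.html",
    "_decrypt_files.html",
    "_help_help_help.html",
    "_help_important.html",
}

def scan_tree(root):
    """Walk `root` and collect paths of encrypted files and ransom notes."""
    findings = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_NAME_RE.match(name):
                findings["encrypted"].append(path)
            elif name.lower() in RANSOM_NOTE_NAMES:
                findings["notes"].append(path)
    return findings

def assess(findings):
    """Encrypted files together with several notes is the strongest signal,
    since the notes were dropped alongside the encryption at Greenville."""
    enc, notes = len(findings["encrypted"]), len(findings["notes"])
    if enc and notes >= 2:
        return "robbinhood-indicators"
    if enc or notes:
        return "suspicious"
    return "clean"

def build_sample_tree():
    """Constructed sample directory (not real incident data) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="rh_sample_")
    share = os.path.join(root, "share")
    os.makedirs(share)
    for name in ("budget.xlsx", "minutes.docx",
                 "Encrypted_b0a6c73e3e434b63.enc_robbinhood",
                 "Encrypted_0123456789abcdef.enc_robbinhood",   # constructed id
                 "_Decryption_ReadMe.html", "_Decrypt_Files.html",
                 "_Help_Help_Help.html", "_Help_Important.html"):
        open(os.path.join(share, name), "w").close()
    return root
```

Run `assess(scan_tree(build_sample_tree()))` to see the verdict on the constructed tree; point `scan_tree` at a mounted share or a forensic image to use it in practice.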

The City of Greenville initiated containment by disconnecting its network upon detecting the encryption activity, halting municipal operations while it assessed the scope of the compromise. Law enforcement and state agencies, including the FBI, the National Guard Cyber Strike Team, State IT, and State Emergency Management, were engaged to investigate the intrusion. No evidence suggested that Greenville or any other observed RobbinHood victim had paid at the time of reporting. Operational disruption persisted as recovery efforts and forensic analysis continued, with no public confirmation of data restoration or decryption success. The incident highlighted RobbinHood's network-wide encryption tactic and the psychological leverage it sought through privacy assurances: by promising that no network data had been taken, the operators encouraged ransom payment without regulatory exposure.
