A Twitter user going by the name Robbinhood has made claims and provided evidence that they were behind the ransomware attack on the City of Baltimore. As evidence, the user provided screenshots of documents stolen from the city’s servers, as well as screenshots of conversations with city employees through the ransomware’s Tor-based chat. The user’s account has since been removed by Twitter for a final message posted to the Mayor of Baltimore which was riddled with expletives and racist comments. Prior to the account deactivation, the user was asked whether they had utilized EternalBlue in the attack or not, to which they responded that they had not. Throughout the ransomware attack, it has been claimed that EternalBlue was utilized. Officials in Baltimore have claimed that the federal government needs to intervene and provide assistance because EternalBlue was one of the tools stolen from the NSA. Even before the hacker claiming to be behind the attack stated that they had not utilized EternalBlue, it was pointed out to the City of Baltimore that they have had two years to patch the vulnerability that EternalBlue leverages. The amount of publicity being gained by Robbinhood releasing the information that they have is unusual when an attacker is still awaiting the ransom payment
It is possible that Robbinhood is hoping to use this publicity and notoriety to move into the realm of Ransomware-as-a-Service.