The cybercriminals responsible for the RobbinHood ransomware must have been inspired by the legendary bandit from English folklore Robin Hood, but this ransomware is not a heroic outlaw.
Like most other threats of its kind, RobbinHood ransomware uses RSA and AES encryption algorithms and asks the victims to contact the malware owners through an Onion Tor website. The exact vector of distribution of the examined samples is unknown, yet RobbinHood likely spreads through unprotected remote desktop protocols or Trojans that have previously provided the attackers with access to the target system. Spam emails with malicious attachments or corrupted Internet links are also a common propagation method of similar ransomware threats.
RobbinHood Targets Each System Individually
Malware researchers have managed to reverse engineer one of the scarcely available samples of RobbinHood ransomware, and their analysis has revealed some interesting features. Upon execution, the malware uses a specific command to disconnect all network shares from the infected computer, meaning that other computers from the same network are not encrypted via connected shares.
Rather, RobbinHood targets each machine individually, which indicates that the attackers push the malicious payload to each individual computer through a domain controller or a framework like Empire PowerShell.
Then, the malware attempts to read an RSA encryption key from the Windows Temporary folder. If it is unable to find such a key, RobbinHood displays a message that the system cannot find the specified file and then quits its execution.
If the searched key is present, however, the ransomware continues with the file encryption. As a next step, the malware stops 181 Windows services related to database, antivirus, and mail server programs, as well as any other software that could keep files open and prevent their encryption. Next, still during this preparation phase, RobbinHood clears the event logs, deletes the Shadow Volume Copies, and disables the Windows automatic repair function.
RobbinHood Ransomware Creates Four Ransom Notes
After the ransomware infiltrates the machine and the installation of its payload is complete, RobbinHood ransomware starts the actual encryption, creating a separate AES key for each file. Each AES key is then locked up, while the original file name is encrypted with the public RSA key and the file is renamed to the format ‘Encrypted_’ plus a random string, with ‘.enc_robbinhood’ as the file extension:
Encrypted_[RANDOM STRING].enc_robbinhood
This ransomware skips files in certain directories, like Program Data, Windows, Boot, Temp, Program Files, tmp, AppData, System Volume Information, and others. Another uncommon feature of RobbinHood is that it creates several log files named “rf_s,” “ro_l,” and “ro_s” in the root of the C: drive, which are deleted after encryption is complete.
The “rf_s” file logs the creation of ransom notes in each folder; however, the purpose of the other log files is not known yet. In some cases, a final message “Done, Enjoy buddy:)))” appears to indicate that encryption has been completed.
During the encryption process, the ransomware creates four different ransom notes named “_Help_Help_Help.html,” “_Decrypt_Files.html,” “_Help_Important.html,” and “_Decryption_ReadMe.html.”
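The file-system artifacts described above (the ‘Encrypted_[RANDOM STRING].enc_robbinhood’ naming pattern, the four ransom note names, and the transient ‘rf_s’/‘ro_l’/‘ro_s’ logs at the root of the drive) are enough to build a simple post-infection triage scan. The following Python script is an added example, not code from the original article or from the malware; it walks a directory tree, collects those indicators, and runs against a constructed sample tree built in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Renaming pattern the article describes: Encrypted_[RANDOM STRING].enc_robbinhood
ENCRYPTED_NAME = re.compile(r"^Encrypted_[A-Za-z0-9]+\.enc_robbinhood$")
RANSOM_NOTES = {"_Help_Help_Help.html", "_Decrypt_Files.html",
                "_Help_Important.html", "_Decryption_ReadMe.html"}
# Transient log files written to the root of the drive during encryption
ROOT_LOGS = {"rf_s", "ro_l", "ro_s"}

def scan_for_robbinhood(root):
    """Walk `root` and collect RobbinHood file-system indicators.
    Returns a dict of encrypted files, ransom notes and root-level logs
    so the caller can decide whether to escalate the host."""
    root = Path(root)
    found = {"encrypted": [], "notes": [], "logs": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if ENCRYPTED_NAME.match(name):
                found["encrypted"].append(path)
            elif name in RANSOM_NOTES:
                found["notes"].append(path)
            elif name in ROOT_LOGS and Path(dirpath) == root:
                found["logs"].append(path)  # only flagged at the drive root
    return found

def is_likely_infected(found):
    # A ransom note is a strong signal on its own; a batch of renamed files
    # together with the root logs means encryption is running or just finished.
    return bool(found["notes"]) or (len(found["encrypted"]) >= 5 and bool(found["logs"]))

def build_sample_tree():
    """Create a constructed (not real) tree mimicking an affected drive."""
    base = Path(tempfile.mkdtemp(prefix="rh_demo_"))
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    for i in range(6):  # six renamed files with a made-up random string
        (docs / f"Encrypted_ab12cdef{i}.enc_robbinhood").write_bytes(b"\x00")
    (docs / "_Help_Help_Help.html").write_text("constructed ransom note")
    (docs / "budget.xlsx").write_text("unaffected")  # normal file, not flagged
    for log in ROOT_LOGS:
        (base / log).write_text("")
    return base

if __name__ == "__main__":
    result = scan_for_robbinhood(build_sample_tree())
    print(f"encrypted={len(result['encrypted'])} notes={len(result['notes'])} "
          f"logs={len(result['logs'])} infected={is_likely_infected(result)}")
```

On a real host the scan would be pointed at the drive root (for example C:\) since the log files are only created there, and the skipped system directories listed above would be expected to contain no renamed files.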
These ransom notes inform the victim about what has happened to their files and state the Bitcoin address that should be used to make the ransom payment. The latest variants of RobbinHood ransomware demand 3 Bitcoin for the decryption of one affected system, and 13 Bitcoin for the entire network. Some of the older variants demanded 7 Bitcoin for all affected systems. There are also reports which claim that some RobbinHood ransomware samples threaten to impose a $10,000 penalty per day to victims who do not pay, starting from the fourth day of encryption.
Another interesting detail that is not observed in many ransomware threats out there is a surprising claim made by its creators. They state they value the victim’s privacy and would delete all data related to a particular user, like IP addresses or encryption keys, as soon as the ransom payment has been made.
Also, RobbinHood ransomware’s contact page says that ransom payments cannot be tracked as an individual Bitcoin address is set up freshly for each victim. The attackers insist on honesty as well – they offer to decrypt three files of up to 10 MB for free.
Significant Attacks of RobbinHood Ransomware
One of the known major attacks of RobbinHood ransomware happened on May 7, 2019, when Baltimore, Maryland’s city government got paralyzed for weeks. News agencies reported at that time that the servers of the city’s administration had been breached by a hacking tool allegedly developed by the National Security Agency which had landed in the hands of cybercriminals.
Later, it was confirmed that the incident was caused by RobbinHood ransomware. As a result of the attack, the city’s entire digital content had been locked so that the government emails were down, no real estate transactions could be processed, and no payments to city departments could be made online.
Baltimore City Mayor Jack Young stated that the city would not pay the demanded ransom of 13 Bitcoin (equal to $100,000), while the FBI and the Secret Service started an investigation.
Another RobbinHood ransomware attack affected the network of the City of Greenville, North Carolina in April of 2019. Law enforcement authorities and cybersecurity experts are currently still working to solve that case as well, and hope to uncover clues that help prevent the next appearance of RobbinHood ransomware.