RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

ID: S0400
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 July 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

RobbinHood uses cmd.exe on the victim's computer.[1]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

RobbinHood searches the system for Windows services associated with antivirus software and kills the corresponding processes.[1]

Enterprise T1486 Data Encrypted for Impact

RobbinHood searches for an RSA encryption key and then runs its encryption routine over the files on the system.[1]

Enterprise T1489 Service Stop

RobbinHood stops 181 Windows services on the system before beginning the encryption process.[1]

Enterprise T1070.005 Indicator Removal: Network Share Connection Removal

RobbinHood disconnects all network shares from the computer with the command "net use * /DELETE /Y".[1]

Enterprise T1490 Inhibit System Recovery

RobbinHood deletes volume shadow copies so that the encrypted data cannot easily be restored from them.[1]
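The four behaviours listed above (AV service kill, mass service stop, share disconnection, shadow copy deletion) form a recognisable pre-encryption sequence, and a detection that correlates them per host is more robust than alerting on any one of them. The following is an added example, not RobbinHood code and not part of the MITRE ATT&CK page: a heuristic detector run over constructed Sysmon-style process-creation events. The event layout, the "sc stop"/"net stop" form of the service stops, the antivirus service-name hints, the burst threshold and the vssadmin/wmic shadow-copy commands are all assumptions for the purpose of the example; the page says only that RobbinHood deletes shadow copies and stops 181 services, not which commands it uses.

```python
"""Heuristic detection of a RobbinHood-style pre-encryption sequence.

Added example, not code from RobbinHood or from MITRE ATT&CK. The event
format, the command forms and the thresholds below are assumptions.
"""
import re
from collections import defaultdict

# T1070.005: net use * /DELETE /Y (the command quoted on the page)
SHARE_DISCONNECT = re.compile(r"\bnet(?:\.exe)?\s+use\s+\*\s+/delete(?:\s+/y)?", re.I)
# T1489 / T1562.001: service stops via sc or net (assumed command form)
SERVICE_STOP = re.compile(
    r"\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+stop\s+(\"[^\"]+\"|\S+)", re.I)
# T1490: shadow copy deletion; the concrete commands are assumptions
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# Substrings that suggest an antivirus service name (assumed, not exhaustive)
AV_SERVICE_HINTS = ("defend", "sophos", "mcafee", "symantec", "kaspersky", "avast", "sense")
# Distinct services stopped per host before it counts as a burst (assumed;
# RobbinHood itself stops 181, so a low threshold still fires early)
SERVICE_STOP_BURST = 20

# Constructed sample events: (host, timestamp, parent image, command line)
SAMPLE_EVENTS = [
    ("ws01", "2019-05-07T03:12:01", "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
     "C:\\Windows\\System32\\cmd.exe /c net use * /DELETE /Y"),
    ("ws01", "2019-05-07T03:12:02", "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
     "C:\\Windows\\System32\\cmd.exe /c net stop WinDefend"),
    ("ws01", "2019-05-07T03:12:02", "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
     'C:\\Windows\\System32\\cmd.exe /c net stop "Sophos Agent"'),
    ("ws01", "2019-05-07T03:12:40", "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
     "C:\\Windows\\System32\\cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    # Benign: an administrator restarting the print spooler on another host
    ("ws02", "2019-05-07T09:01:13", "C:\\Windows\\explorer.exe",
     "C:\\Windows\\System32\\cmd.exe /c net stop spooler"),
]
# 25 further service stops on ws01 to model the mass stop before encryption
SAMPLE_EVENTS += [
    ("ws01", f"2019-05-07T03:12:{10 + i:02d}", "C:\\Users\\u\\AppData\\Local\\Temp\\x.exe",
     f"C:\\Windows\\System32\\sc.exe stop svc{i:02d}")
    for i in range(25)
]


def analyze(events, burst_threshold=SERVICE_STOP_BURST):
    """Return {host: sorted list of technique findings} for hosts with findings."""
    findings = defaultdict(set)
    stopped = defaultdict(set)  # host -> distinct service names stopped
    for host, _ts, _parent, cmdline in events:
        if SHARE_DISCONNECT.search(cmdline):
            findings[host].add("T1070.005 network share connection removal")
        if SHADOW_DELETE.search(cmdline):
            findings[host].add("T1490 shadow copy deletion")
        m = SERVICE_STOP.search(cmdline)
        if m:
            svc = m.group(1).strip('"').lower()
            stopped[host].add(svc)
            if any(hint in svc for hint in AV_SERVICE_HINTS):
                findings[host].add("T1562.001 antivirus service stopped")
    for host, svcs in stopped.items():
        if len(svcs) >= burst_threshold:
            findings[host].add(f"T1489 service stop burst ({len(svcs)} services)")
    return {host: sorted(f) for host, f in findings.items()}


def classify(host_findings):
    """Three or more correlated techniques on one host: treat as high priority."""
    n = len(host_findings)
    return "high" if n >= 3 else ("medium" if n else "low")


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_EVENTS).items():
        print(host, classify(f), f)
```

A single "net stop" from an administrator (ws02 above) produces no finding; it takes the combination of a share disconnect, a shadow-copy deletion and a burst of service stops on the same host to reach "high". The command-line heuristics are deliberately coarse: RobbinHood kills antivirus processes after enumerating services itself, so on a real host the T1562.001 signal would more reliably come from service-stop or process-terminate telemetry than from a shell command.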

References