Ransomware - Robbinhood

Robbinhood
Aliases: Robinhood, Enc_Robbinhood
Decryptor Available: No
Description

Robbinhood is one of several ransomware families that share the name; this one is distinguished by its misspelling with two 'b's. Whether the misspelling is intentional is unknown. We call it a ransomware "family" because the debug paths in many of the encryptor executables indicate versioning of the encryptor. The changes between versions were relatively minor, and the last executable we know of ends at version 7 (Robbinhood7). Each version encrypts the user's files with a combination of AES and RSA: AES encrypts each file, and RSA encrypts the per-file AES key. Many Robbinhood encryptors look for an RSA public key at 'C:/Windows/Temp/key.pub' before encryption can begin; if the file does not exist, no encryption occurs. Public analyses indicate the operators used RSA-4096, but we verified that an RSA-1024 public key also worked.

After encryption, the ransomware drops four ransom notes in almost every sample we encountered. All four are HTML files with stereotypical ransom note names (listed below). The operators demand a ransom of 0.8 BTC for each affected system in the network or 13 BTC for all systems. Some ransom notes instead specified 3 BTC per system and 7 BTC for the entire network. After the fourth day of nonpayment, the demand increases by $10,000 daily.
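The description above gives three filesystem indicators a responder can check for: the public key the encryptor expects at C:\Windows\Temp\key.pub before it will run, the Encrypted_<random>.<extension> naming of encrypted files, and the fixed set of HTML ransom note names (both lists appear further down this page). The script below is an added example, not code from the page or from any analysis it cites; it scans a constructed list of Windows paths for those indicators and turns the hits into a triage verdict. The thresholds in assess() are an assumption made for this example.

```python
"""Scan file paths for Robbinhood filesystem indicators (added example).

Indicators come from the page: encrypted-file naming, the ransom note
filenames, and the RSA public key the encryptor expects at
C:\\Windows\\Temp\\key.pub. The path list at the bottom is constructed.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Encrypted files: "Encrypted_<random alphanumeric>" plus one of the three extensions.
ENCRYPTED_FILE_RE = re.compile(
    r"^Encrypted_[A-Za-z0-9]+\.(enc_robbin_hood|enc_robbinhood|rbhd)$", re.IGNORECASE
)

# Ransom note filenames listed on the page (compared case-insensitively).
RANSOM_NOTE_NAMES = {name.lower() for name in (
    "_Decrypt_Files.html", "_Decryption_ReadMe.html", "_Help_Help_Help.html",
    "_Help_Important.html", "_Readme_Decrypt__Files.html", "_Readme_Help_Important.html",
    "_Readme_Help_Help_Help.html", "_Readme_Recovery_ReadMe.html",
)}

# The encryptor refuses to run unless this public key exists, so its presence
# is a pre-encryption indicator worth alerting on.
KEY_STAGING_PATH = PureWindowsPath(r"C:\Windows\Temp\key.pub")


def classify_path(path: str) -> Optional[str]:
    """Return the indicator category for one Windows path, or None if benign."""
    p = PureWindowsPath(path)
    if p == KEY_STAGING_PATH:  # PureWindowsPath equality is case-insensitive
        return "key_staging"
    if p.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if ENCRYPTED_FILE_RE.match(p.name):
        return "encrypted_file"
    return None


def scan_paths(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group every matching path by indicator category."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for path in paths:
        category = classify_path(path)
        if category:
            hits[category].append(path)
    return dict(hits)


def assess(hits: Dict[str, List[str]]) -> str:
    """Turn grouped hits into a triage verdict.

    Thresholds are an assumption for this example, not from the page:
    - key.pub alone: staging seen, encryption may not have started yet
    - encrypted files together with a ransom note: encryption has run
    """
    if hits.get("encrypted_file") and hits.get("ransom_note"):
        return "encryption-observed"
    if hits.get("encrypted_file") or hits.get("ransom_note"):
        return "suspicious"
    if hits.get("key_staging"):
        return "pre-encryption-staging"
    return "clean"


# Constructed sample inventory (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\Encrypted_a1B2c3D4e5.enc_robbin_hood",
    r"C:\Users\alice\Documents\Encrypted_Zz9Yy8Xx7.rbhd",
    r"C:\Users\alice\Desktop\_Help_Help_Help.html",
    r"C:\Users\alice\Desktop\_Readme_Decrypt__Files.html",
    r"C:\Windows\Temp\key.pub",
    r"C:\Windows\Temp\key.pub.bak",             # not the exact path the encryptor checks
    r"C:\Users\alice\Downloads\Encrypted_report.pdf",  # prefix alone is not enough
]

if __name__ == "__main__":
    found = scan_paths(SAMPLE_PATHS)
    for category, paths in sorted(found.items()):
        print(f"{category}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("verdict:", assess(found))
```

In practice the path list would come from a file-system walk or EDR file inventory; the exact-path comparison for key.pub is deliberate, since the page states the encryptor looks for that specific file and nothing else, and a hit there before any encrypted files appear is the earliest point at which the host can still be isolated.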

Before encryption even comes into question, the Robbinhood operators gain kernel access by installing a vulnerable GIGABYTE driver cosigned by Microsoft and exploiting it to disable Windows Driver Signature Enforcement. The vulnerability in question is documented here: https://seclists.org/fulldisclosure/2018/Dec/39. With signature enforcement off, they load an additional driver that disables security mechanisms within Windows before deploying the final ransomware encryptor.

Robbinhood is best known for encrypting systems of the city governments of Baltimore, Maryland, and Greenville, North Carolina in 2019.

Ransomware Type: Crypto-Ransomware
First Seen:
Last Seen:
Extortion Types: Blackmail, Direct Extortion, Double Extortion, Extortion Price Increases, Extortion Timeout
Extortion Amount: 13 BTC ($76,280)
Communication Medium: Web Chat
Encryption Type: Hybrid
File Encryption: AES-256
Key Encryption: RSA-4096
Crypto Wallet (BTC): 132wg6kkJJ4MpNKnuhVoptYPmYHf6C5xHE
File Extensions
Encrypted_<random alphanumeric string>.enc_robbin_hood
Encrypted_<random alphanumeric string>.enc_robbinhood
Encrypted_<random alphanumeric string>.rbhd
Ransom Note Filenames
_Decrypt_Files.html
_Decryption_ReadMe.html
_Help_Help_Help.html
_Help_Important.html
_Readme_Decrypt__Files.html
_Readme_Help_Important.html
_Readme_Help_Help_Help.html
_Readme_Recovery_ReadMe.html
Sample Hashes (SHA-256)
07a133bda8f5039c30b4118167d1c2e79906c79ea52ed73f1767921ce146d97d
3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
47d892da6a49b02a2904bdc0d03ecef66c076481d19ab19251d86d11be494765
7c7ef3ab31ab91a7379bc2e3f32473dfa7adf662d0c640ef994103f6022a092b
9ffacdba165181e10bedbecce31143bb65b7e59e560e36e561b149295742d085
cda83bc9958c3f82e41ad5bb1816e936df7dfdf4630937d6636d0ad725759784
e2ae71899ee9cd748c95b4ce3df103106b9d943bd69e657f6d194ac33790f261
e9188ace227b00cbf1f6fba3ceb32af8e4d456c3a0815300a224a9d9e00778a8
Known Victims
Industry Sector | Country       | Extortion Date | Amount (USD)
Government      | United States |                | 13 BTC ($76,280)
Government      | United States |                |