Robbinhood is one of several ransomware families that share the name, but this one is spelled with two 'b's; whether the misspelling is intentional is anyone's guess. We call it a ransomware "family" because the debug paths in many of the encryptor executables carry version numbers. The changes between versions were relatively minor, and the last executable we know of is version 7, Robbinhood7. Each version encrypts the user's files with a combination of AES and RSA: AES encrypts each file, and RSA encrypts the AES key. Many Robbinhood encryptors look for an RSA public key at 'C:/Windows/Temp/key.pub' before encryption begins; if that file does not exist, encryption does not occur. Public analyses indicate the operators used RSA-4096, but we verified that an RSA-1024 public key also worked.
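The dependency on a pre-staged public key and the burst of HTML notes described above are both visible in file-creation telemetry. The following added example (not from the original writeup) hunts for them over constructed Sysmon-style FileCreate events; the process names, note file names and the one-minute window are assumptions, only the key.pub path comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Artefacts named in the writeup: the RSA public key the encryptor requires
# before it runs, and the four HTML ransom notes it drops afterwards.
KEY_PATH = r"c:\windows\temp\key.pub"
NOTE_BURST = 4
WINDOW = timedelta(seconds=60)  # assumption: the notes land within one minute

def find_key_drop(events):
    """Return FileCreate events that write the encryptor's expected public key path."""
    return [e for e in events if e["path"].lower() == KEY_PATH]

def find_note_bursts(events, burst=NOTE_BURST, window=WINDOW):
    """Return (image, pid) pairs that create >= `burst` .html files within `window`."""
    stamps_by_proc = defaultdict(list)
    for e in events:
        if e["path"].lower().endswith(".html"):
            stamps_by_proc[(e["image"], e["pid"])].append(e["ts"])
    hits = []
    for proc, stamps in stamps_by_proc.items():
        stamps.sort()
        # Slide a window of `burst` consecutive writes; one tight cluster is enough.
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window:
                hits.append(proc)
                break
    return hits

def hunt(events):
    """Run both checks; either firing warrants immediate triage of that host."""
    return {"key_drop": find_key_drop(events), "note_bursts": find_note_bursts(events)}

def _ev(ts, image, pid, path):
    return {"ts": datetime.fromisoformat(ts), "image": image, "pid": pid, "path": path}

# Constructed Sysmon-style FileCreate events (placeholders, not real telemetry).
STAGE, ENC, BROWSER = r"C:\Users\bob\stage.exe", r"C:\Users\bob\enc.exe", r"C:\Program Files\Browser\browser.exe"
EVENTS = [
    _ev("2024-01-01T10:00:00", STAGE, 4120, r"C:\Windows\Temp\key.pub"),
    _ev("2024-01-01T10:02:00", ENC, 4300, r"C:\Users\bob\Desktop\ransom_note_1.html"),
    _ev("2024-01-01T10:02:01", ENC, 4300, r"C:\Users\bob\Desktop\ransom_note_2.html"),
    _ev("2024-01-01T10:02:01", ENC, 4300, r"C:\Users\bob\Desktop\ransom_note_3.html"),
    _ev("2024-01-01T10:02:03", ENC, 4300, r"C:\Users\bob\Desktop\ransom_note_4.html"),
    _ev("2024-01-01T10:05:00", BROWSER, 2200, r"C:\Users\bob\Downloads\page.html"),  # benign: two slow saves
    _ev("2024-01-01T10:09:00", BROWSER, 2200, r"C:\Users\bob\Downloads\page2.html"),
]

if __name__ == "__main__":
    print(hunt(EVENTS))
```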
After encryption, the ransomware drops four ransom notes in almost every sample we encountered. All four are HTML files with stereotypical ransom note names. The operators demand 0.8 BTC for each affected system in the network or 13 BTC to cover all systems; some notes instead specified 3 BTC per system and 7 BTC for the entire network. After the fourth day of nonpayment, the ransom increases by $10,000 daily.
Before encryption ever comes into play, the Robbinhood operators install a vulnerable GIGABYTE driver cosigned by Microsoft and exploit it to disable Microsoft's driver signature enforcement feature. The vulnerability in question is documented here: https://seclists.org/fulldisclosure/2018/Dec/39. With enforcement off, they install an additional driver that disables security mechanisms within Windows before deploying the final ransomware encryptor.
Robbinhood is best known for encrypting the systems of the Baltimore, Maryland, and Greenville, North Carolina governments in 2019.
| Industry Sector | Country | Extortion Date | Amount (USD) |
|---|---|---|---|
| Government | United States | | 13 BTC ($76,280) |
| Government | United States | | |