SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. RobbinHood

RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

ID: S0400
Type: MALWARE
Platforms: Windows
Version: 1.0
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

RobbinHood uses cmd.exe on the victim's computer.[1]
Enterprise T1486 Data Encrypted for Impact

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files. [1]
Enterprise T1089 Disabling Security Tools

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process. [1]
Enterprise T1490 Inhibit System Recovery

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily. [1]
Enterprise T1126 Network Share Connection Removal

RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[1]
Enterprise T1489 Service Stop

RobbinHood stops 181 Windows services on the system before beginning the encryption process. [1]

References

  1. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  1. Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.