RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

ID: S0400
Platforms: Windows
Version: 1.1
Created: 29 July 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RobbinHood uses cmd.exe on the victim's computer.[1]

Enterprise T1486 Data Encrypted for Impact

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[1]

Enterprise T1070 .005 Indicator Removal: Network Share Connection Removal

RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[1]

Enterprise T1490 Inhibit System Recovery

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[1]

Enterprise T1489 Service Stop

RobbinHood stops 181 Windows services on the system before beginning the encryption process.[1]