ATT&CK sub-techniques have now been released! Take a tour, read the blog post or release notes, or see the previous version of the site.

SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

Y-Z

RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.^[1]^[2]

ID: S0400

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 29 July 2019

Last Modified: 30 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	RobbinHood uses cmd.exe on the victim's computer.^[1]
Enterprise	T1486		Data Encrypted for Impact	RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.^[1]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.^[1]
Enterprise	T1070	.005	Indicator Removal on Host: Network Share Connection Removal	RobbinHood disconnects all network shares from the computer with the command `net use * /DELETE /Y`.^[1]
Enterprise	T1490		Inhibit System Recovery	RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.^[1]
Enterprise	T1489		Service Stop	RobbinHood stops 181 Windows services on the system before beginning the encryption process.^[1]

References

Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.

Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.