RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

ID: S0400
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

RobbinHood uses cmd.exe on the victim's computer.[1]

Enterprise T1486 Data Encrypted for Impact

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files. [1]

Enterprise T1089 Disabling Security Tools

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process. [1]

Enterprise T1490 Inhibit System Recovery

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily. [1]

Enterprise T1126 Network Share Connection Removal

RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[1]

Enterprise T1489 Service Stop

RobbinHood stops 181 Windows services on the system before beginning the encryption process. [1]

References