The sub-techniques beta is now live! Read the release blog post for more info.


RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

ID: S0400
Platforms: Windows
Version: 1.0
Created: 29 July 2019
Last Modified: 29 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

RobbinHood uses cmd.exe on the victim's computer.[1]

Enterprise T1486 Data Encrypted for Impact

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files. [1]

Enterprise T1089 Disabling Security Tools

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process. [1]

Enterprise T1490 Inhibit System Recovery

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily. [1]

Enterprise T1126 Network Share Connection Removal

RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[1]

Enterprise T1489 Service Stop

RobbinHood stops 181 Windows services on the system before beginning the encryption process. [1]