RobbinHood
RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]
ID: S0400
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 July 2019
Last Modified: 30 March 2020
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RobbinHood uses cmd.exe on the victim's computer.[1] |
Enterprise | T1486 | Data Encrypted for Impact | RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[1] |
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[1] |
Enterprise | T1070.005 | Indicator Removal on Host: Network Share Connection Removal | RobbinHood disconnects all network shares from the computer with the command |
Enterprise | T1490 | Inhibit System Recovery | RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[1] |
Enterprise | T1489 | Service Stop | RobbinHood stops 181 Windows services on the system before beginning the encryption process.[1] |
References