1. Home
  2. Software
  3. RobbinHood

RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

ID: S0400
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 July 2019
Last Modified: 25 April 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RobbinHood uses cmd.exe on the victim's computer.[1]
Enterprise T1486 Data Encrypted for Impact

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[1]

Enterprise T1070 .005 Indicator Removal: Network Share Connection Removal

RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[1]
Enterprise T1490 Inhibit System Recovery

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[1]

Enterprise T1489 Service Stop

RobbinHood stops 181 Windows services on the system before beginning the encryption process.[1]

References

  1. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  1. Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.