JUST RELEASED: ATT&CK for Industrial Control Systems


RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

ID: S0400
Platforms: Windows
Version: 1.0
Created: 29 July 2019
Last Modified: 29 July 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

RobbinHood uses cmd.exe on the victim's computer.[1]

Enterprise T1486 Data Encrypted for Impact

RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files. [1]

Enterprise T1089 Disabling Security Tools

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process. [1]

Enterprise T1490 Inhibit System Recovery

RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily. [1]

Enterprise T1126 Network Share Connection Removal

RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.[1]

Enterprise T1489 Service Stop

RobbinHood stops 181 Windows services on the system before beginning the encryption process. [1]