FANDOM


RobbinHood is a ransomware that targets companies and the computers on their network.

Payload

Transmission

RobbinHood is distributed through hacked remote desktop services or other Trojans that provide access to the attackers.

Infection

When RobbinHood is executed, it disconnects all network shares from the computer using the following command:

cmd.exe /c net use * /DELETE /Y

Before continuing, the ransomware will attempt to read a public RSA encryption key from C:\Windows\Temp\pub.key. If this key is not present, it will display a message saying that it can't find the file specified and the ransomware will exit. If a key is present, it will continue preparing the victim's computer for encryption.

Next it will stop 181 Windows services associated with antivirus, database, mail server, and other software that could keep files open and prevent their encryption. It does this by issuing the "sc.exe stop" command as shown below:

cmd.exe /c sc.exe stop AVP /y

It stops the following services:

AVP, MMS, ARSM, SNAC, ekrn, KAVFS, RESvc, SamSs, W3Svc, WRSVC, 
bedbg, masvc, SDRSVC, TmCCSF, mfemms, mfevtp, sacsvr, DCAgent, 
ESHASRV, KAVFSGT, MySQL80, POP3Svc, SMTPSvc, Smcinst, SstpSvc, 
TrueKey, mfefire, EhttpSrv, IISAdmin, IMAP4Svc, McShield, MySQL57, 
kavfsslp, klnagent, macmnsvc, ntrtscan, tmlisten, wbengine, 
Antivirus, MSSQL$TPS, SQLWriter, ShMonitor, UI0Detect, sophossps, 
MSOLAP$TPS, MSSQL$PROD, SAVService, SQLBrowser, SmcService, 
swi_filter, swi_update, AcrSch2Svc, EsgShKernel, MBAMService, 
MSSQLSERVER, MsDtsServer, SntpService, VeeamNFSSvc, swi_service, 
AcronisAgent, FA_Scheduler, MSExchangeES, MSExchangeIS, 
MSExchangeSA, MSSQL$ECWDB2, MSSQL$SOPHOS, MSSQL$TPSAMA, 
PDVFSService, ReportServer, SQLAgent$TPS, SQLTELEMETRY, 
VeeamRESTSvc, MSExchangeMTA, MSExchangeSRS, MSOLAP$TPSAMA, 
McTaskManager, SQLAgent$CXDB, SQLAgent$PROD, VeeamCloudSvc, 
VeeamMountSvc, SQL Backups, mozyprobackup, msftesql$PROD, 
swi_update_64, EraserSvc11710, MSExchangeMGMT, MSSQL$BKUPEXEC, 
MSSQL$SQL_2008, MsDtsServer100, MsDtsServer110, SQLSERVERAGENT, 
VeeamBackupSvc, VeeamBrokerSvc, VeeamDeploySvc, Sophos Agent, 
svcGenericHost, EPUpdateService, MBEndpointAgent, MSOLAP$SQL_2008, 
MSSQLFDLauncher, McAfeeFramework, SAVAdminService, SQLAgent$ECWDB2, 
SQLAgent$SOPHOS, SQLAgent$TPSAMA, VeeamCatalogSvc, MSSQL$SHAREPOINT, 
MSSQL$SQLEXPRESS, MSSQL$SYSTEM_BGC, NetMsmqActivator, 
ReportServer$TPS, SepMasterService, TrueKeyScheduler, 
EPSecurityService, MSOLAP$SYSTEM_BGC, MSSQL$PRACTICEMGT, 
SQLAgent$BKUPEXEC, SQLAgent$SQL_2008, SQLSafeOLRService, 
VeeamTransportSvc, Zoolz 2 Service, MSSQL$PRACTTICEBGC, 
MSSQL$VEEAMSQL2012, Sophos MCS Agent, BackupExecJobEngine, 
MSSQL$SBSMONITORING, MSSQLFDLauncher$TPS, MSSQLServerADHelper, 
McAfeeEngineService, OracleClientCache80, ReportServer$TPSAMA, 
SQLAgent$SHAREPOINT, SQLAgent$SQLEXPRESS, SQLAgent$SYSTEM_BGC, 
SQLTELEMETRY$ECWDB2, Sophos MCS Client, BackupExecRPCService, 
MSSQL$VEEAMSQL2008R2, TrueKeyServiceHelper, BackupExecVSSProvider, 
MSSQL$PROFXENGAGEMENT, ReportServer$SQL_2008, SQLAgent$PRACTTICEBGC, 
SQLAgent$PRACTTICEMGT, SQLAgent$VEEAMSQL2012, BackupExecAgentBrowser, 
MSSQLFDLauncher$TPSAMA, MSSQLServerADHelper100, MSSQLServerOLAPService, 
SQLAgent$SBSMONITORING, VeeamDeploymentService, VeeamHvIntegrationSvc, 
Acronis VSS Provider, Sophos Clean Service, ReportServer$SYSTEM_BGC, 
SQLAgent$VEEAMSQL2008R2, Sophos Health Service, Sophos Message Router, 
MSSQLFDLauncher$SQL_2008, SQLAgent$PROFXENGAGEMENT, 
SQLsafe Backup Service, SQLsafe Filter Service, 
SQLAgent$CITRIX_METAFRAME, VeeamEnterpriseManagerSvc, 
BackupExecAgentAccelerator, MSSQLFDLauncher$SHAREPOINT, 
MSSQLFDLauncher$SYSTEM_BGC, Sophos Safestore Service, 
Symantec System Recovery, BackupExecManagementService, 
Enterprise Client Service, Sophos AutoUpdate Service, 
BackupExecDeviceMediaService, Sophos Web Control Service, 
MSSQLFDLauncher$SBSMONITORING, Sophos File Scanner Service, 
McAfeeFrameworkMcAfeeFramework, MSSQLFDLauncher$PROFXENGAGEMENT, 
Sophos Device Control Service, Sophos System Protection Service, 
Veeam Backup Catalog Data Service,

During this preparation stage, RobbinHood will also clear Shadow Volume Copies, clear event logs, and disable the Windows automatic repair by executing the following commands:

vssadmin.exe delete shadows /all /quiet
WMIC shadowcopy delete
wevtutil.exe cl Application
wevtutil.exe cl Security
wevtutil.exe cl System
Bcdedit.exe /set {default} recoveryenabled no
Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

It then begins to encrypt the victim's targeted files. When encrypting files, an AES key is created for each file. The ransomware will then encrypt the AES key and the original filename with the public RSA encryption key and append it to the encrypted file. Each encrypted file will then be renamed using the format Encrypted_[randomstring].enc_robbinhood.

When encrypting files, RobbinHood will skip any files found in or under the following directories:

ProgramData
Windows
bootmgr
Boot
$WINDOWS.~BT
Windows.old
Temp
tmp
Program Files
Program Files (x86)
AppData
$Recycle.bin
System Volume Information

While running, RobbinHood has the ability to send debug output to the console. This feature is currently disabled in distributed versions of the ransomware and does not have a runtime value to enable it. The ransomware will, though, create numerous log files under the C:\Windows\Temp folder. These files are called rf_, ro_l, and ro_s. It is not currently known what each log file is for other than the rf_s file, which is used to log the creation of ransom notes in each folder.

After encryption has been completed, these log files will be deleted.  Below is an example of some of the debug messages that would be displayed during this cleanup stage if console output was enabled. Furthermore, if console output is enabled in the ransomware, when done encrypting a computer it will display a final message stating "Enjoy buddy :)))".

While encrypting the computer it will also create four different ransom note named _Decrypt_Files.html, _Decryption_ReadMe.html, _Help_Help_Help.html, and _Help_Important.html.

The ransom note says the following:

What happened to your files?
All your files are encrypted with RSA-4096, Read more on 
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA 
is an asymmetric cryptographic algorithm. Asymmetric means that there are two 
different keys. This is also called public key cryptography, because one of the 
keys can be given to anyone:

1 - We encrypted your files with our "Public key" 
2 - You can decrypt, the encrypted files with specific "Private key" and your 
private key is in our hands ( It's not possible to recover your files without our 
private key )

Is it possible to get back your data?
Yes, We have a decrypter with all your private keys. We have two options to get 
all your data back.
Follow the instructions to get all your data back:

OPTION 1
Step 1 : You must send us 3 Bitcoin(s) for each affected system
Step 2 : Inform us in panel with hostname(s) of the system you want, wait for 
confirmation and get your decrypter
OPTION 2
Step 1 : You must send us 13 Bitcoin(s) for all affected system
Step 2 : Inform us in panel, wait for confirmation and get all your decrypters

Our Bitcoin address is: xxx 

BE CAREFUL, THE COST OF YOUR PAYMENT INCREASES $10,000 EACH DAY AFTER THE FOURTH 
DAY

Access to the panel ( Contact us )
The panel address: http://xbt4titax4pzza6w.onion/xx/

Alternative addresses
https://xbt4titax4pzza6w.onion.pet/xx/
https://xbt4titax4pzza6w.onion.to/xx/
Access to the panel using Tor Browser
If non of our links are accessible you can try tor browser to get in touch with 
us:
Step 1: Download Tor Browser from here: 
https://www.torproject.org/download/download.html.en
Step 2: Run Tor Browser and wait to connect
Step 3: Visit our website at: panel address

If you're having a problem with using Tor Browser, Ask Google: how to use tor 
browser
Wants to make sure we have your decrypter?
To make sure we have your decrypter you can upload at most 3 files (maximum size 
allowance is 10 MB in total) and get your data back as a demo.
Where to buy Bitcoin?
The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin 
using Google Search: buy bitcoin online

These ransom notes contains information as to what has happened to the victims files and a bitcoin address that they can use to make a ransom payment. The ransom payments are currently set at 3 bitcoins per affected system or 13 bitcoins for the entire network.

Community content is available under CC-BY-SA unless otherwise noted.