RobbinHood Ransomware Stops 181 Windows Services Before Encryption

Posted by & filed under Security Alerts.

According to the source articles, a newly discovered ransomware family named RobbinHood stops 181 Windows services before encryption takes place. It is thought that the ransomware is not distributed through a typical spam campaign but through other methods, such as compromised Remote Desktop (RDP) services. Following is the ransom note created by the ransomware.

Behavioral Summary

Upon execution, it stops or kills (via taskkill) various Windows services associated with antivirus, database and other software that could keep files open and block the encryption process. At the same time, it disconnects all network shares from the computer with the command “cmd.exe /c net use * /DELETE /Y”.

In addition, it looks for a public RSA encryption key at “C:\Windows\Temp\pub.key”. If the public key is not present, it displays the following message and stops the encryption process.

If the public key is present, it starts the encryption routine and appends “Encrypted_[randomstring].enc_robbinhood” as the extension of each encrypted file. During encryption it creates the following log files under the Temp folder and deletes them once encryption is done:

  • C:\Windows\Temp\rf_s
  • C:\Windows\Temp\ro_l
  • C:\Windows\Temp\ro_s

It will also create several copies of the same ransom note with the following filenames:

  • _Decrypt_Files.html
  • _Decryption_ReadMe.html
  • _Help_Help_Help.html
  • _Help_Important.html

After file encryption is complete, it deletes the shadow copies so that the data cannot be restored easily. Following is a screenshot of the created ransom notes and an encrypted file on the infected computer.
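To turn the behaviours above into host-based detection, here is an added Python example (not code from this alert or from Carbon Black) that runs over a handful of constructed Sysmon-style process and file events. It matches the artifacts the alert names (the net use share removal, the staging files under C:\Windows\Temp, the .enc_robbinhood extension and the ransom note filenames) and flags a burst of net stop/taskkill commands; the burst threshold and the service names in the sample events are assumptions.

```python
import re

# Constructed Sysmon-style events (not taken from the alert): process creations and file creations.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "cmd.exe /c net use * /DELETE /Y"},
    {"type": "process", "cmdline": "net stop MSSQLSERVER /y"},  # service names are constructed
    {"type": "process", "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"type": "process", "cmdline": "net stop VSS /y"},
    {"type": "file", "path": "C:\\Windows\\Temp\\pub.key"},
    {"type": "file", "path": "C:\\Windows\\Temp\\rf_s"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.Encrypted_a1b2c3d4.enc_robbinhood"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\_Help_Help_Help.html"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\report.docx"},  # benign, must not match
]

# Artifacts named in the alert: staging files under C:\Windows\Temp, the ransom note names,
# the encrypted-file extension and the share-removal command.
TEMP_DIR = "c:\\windows\\temp\\"
TEMP_ARTIFACTS = {"pub.key", "rf_s", "ro_l", "ro_s"}
RANSOM_NOTES = {"_Decrypt_Files.html", "_Decryption_ReadMe.html",
                "_Help_Help_Help.html", "_Help_Important.html"}
ENCRYPTED_EXT = re.compile(r"\.Encrypted_[^\\/]+\.enc_robbinhood$", re.IGNORECASE)
NET_USE_DELETE = re.compile(r"\bnet\s+use\s+\*\s+/delete\b", re.IGNORECASE)
SERVICE_KILL = re.compile(r"\b(?:net\s+stop|taskkill)\b", re.IGNORECASE)
KILL_BURST_THRESHOLD = 3  # assumption: this many stop/kill commands from one host is abnormal

def classify(event):
    """Return alert tags for a single event (empty list if nothing matched)."""
    tags = []
    if event["type"] == "process":
        if NET_USE_DELETE.search(event["cmdline"]):
            tags.append("T1126 network share removal (net use * /DELETE)")
    else:
        path = event["path"]
        name = path.rsplit("\\", 1)[-1]
        if path.lower().startswith(TEMP_DIR) and name.lower() in TEMP_ARTIFACTS:
            tags.append(f"RobbinHood staging file in Temp ({name})")
        if ENCRYPTED_EXT.search(name):
            tags.append("encrypted file extension .enc_robbinhood")
        if name in RANSOM_NOTES:
            tags.append(f"ransom note dropped ({name})")
    return tags

def scan(events):
    """Map event index -> tags, and add a 'burst' entry when service stop/kill commands pile up."""
    hits = {i: t for i, ev in enumerate(events) if (t := classify(ev))}
    kills = sum(1 for ev in events if ev["type"] == "process" and SERVICE_KILL.search(ev["cmdline"]))
    if kills >= KILL_BURST_THRESHOLD:
        hits["burst"] = [f"T1059/T1089 {kills} service stop/kill commands (threshold {KILL_BURST_THRESHOLD})"]
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the share removal, both Temp staging files, the encrypted file, the ransom note and the stop/kill burst, while the benign document produces no hit.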

Remediation:

MITRE ATT&CK TIDs  

TID    Tactic           Description
T1059  Execution        Command-Line Interface: cmd.exe is used to stop/kill various Windows services
T1089  Defense Evasion  Disabling Security Tools: RobbinHood stops/kills antivirus services
T1126  Defense Evasion  Network Share Connection Removal: RobbinHood disconnects all network shares from the computer
T1022  Exfiltration     Data Encrypted: the ransomware encrypts data
T1107  Defense Evasion  Shadow Copy Deletion by WMIC or VSSAdmin

Indicators of Compromise (IOCs)


The information contained in this website is for general information purposes only. The information is gathered from Carbon Black. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.