'.robbinhood File Extension' Ransomware Description
RobbinHood Ransomware ('.robbinhood File Extension' Ransomware) is one of the more recent file-encrypting threats to appear. Samples are still hard to obtain and published research is thin, but the available analysis shows that it was written in Google's Go programming language and compiled as a 32-bit executable. Like most threats of this kind, RobbinHood combines RSA and AES encryption and instructs victims to contact the operators through a Tor (.onion) website. The exact distribution vector of the examined samples is unknown; RobbinHood most likely arrives through exposed or weakly secured Remote Desktop Protocol (RDP) endpoints, or through a Trojan that has already given the attackers access to the target system. Spam emails carrying malicious attachments or links to compromised sites are also a common propagation method for ransomware in general.
Another Bandit Pretending to be the Well-Intentioned Robin Hood
The '.robbinhood File Extension' Ransomware attack follows the usual pattern for these threats. Some early reports linked it to HiddenTear, the open-source encryption ransomware project behind countless variants, but that attribution is unconfirmed and sits poorly with the Go-language build described above, since HiddenTear and its derivatives are written in C#. The '.robbinhood File Extension' Ransomware targets user-generated files, which may include files with the following extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .set, .iif, .nd, .rtp, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .dsf, .ds4, .drw, .prn, .pcd, .pct, .pcx, .plt, .rif, .tga, .tiff, .psp, .ttf, .wpg, .wi, .wmf, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .sct, .wk3, .wk4, .xpm, .zip, .rar.
The '.robbinhood File Extension' Ransomware encrypts the targeted files in place with a strong algorithm, leaving them inaccessible. Affected files are easy to identify because the ransomware renames them to the form 'Encrypted_<random characters>.enc_robbinhood', where the middle part is a long string of random characters. Victims are directed to a ransom note delivered in three files named '-Decryption_ReadMe.htm', '_Help_Important.html' and '_Decrypt_Files.html'. These files ask the victims to connect to a website over Tor, where the following message is displayed:
'What happened to your files?
All your files are encrypted with RSA-4096, Read more on [link to an article on Wikipedia]
RSA is an algorithm used by modern computers to encrypt and decrypt data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography because it can be given to anyone:
1-We encrypted your files with our “Public key”
2-You can decrypt the encrypted files with a specific “Private key” and your private key is in our hands (It's not possible to recover your files without our private key)'
The note goes on to demand a ransom of several thousand US dollars, with a much larger sum demanded for an infected network as a whole.
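The note's claim that the files were "encrypted with our public key" is shorthand for a hybrid scheme: RSA is far too slow to encrypt whole files, so each file is encrypted with a fresh symmetric key and only that key is encrypted under the attackers' RSA public key, which matches the page's statement that RobbinHood uses RSA and AES together. The following Python is an added illustration of that scheme, not code from the page or from the malware. To run on the standard library alone it makes two assumptions: textbook RSA (no OAEP padding) at a toy 512-bit size, and a SHA-256 counter-mode keystream standing in for AES. All function names are invented for the example.

```python
import hashlib
import secrets

# Added illustration (not code from the page or the RobbinHood malware) of the
# hybrid scheme the ransom note describes: each file gets a fresh symmetric
# key, and only that key is encrypted under the attackers' RSA public key.
# Assumptions for a stdlib-only example: textbook RSA (no OAEP padding) at a
# toy 512-bit size, and a SHA-256 counter-mode keystream standing in for AES.
# Production code would use RSA-OAEP at 2048+ bits and AES-GCM.


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test with a small-prime pre-filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so p*q has the expected size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). Toy size for speed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built on SHA-256 (stand-in for AES-CTR).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_file(plaintext: bytes, public_key) -> dict:
    """Fresh 256-bit file key, wrapped with the public key, then forgotten."""
    n, e = public_key
    file_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)  # textbook RSA, demo only
    return {"nonce": nonce, "wrapped_key": wrapped,
            "ciphertext": keystream_xor(file_key, nonce, plaintext)}


def decrypt_file(blob: dict, private_key) -> bytes:
    """Only the holder of d can unwrap the file key and recover the data."""
    n, d = private_key
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(32, "big")
    return keystream_xor(file_key, blob["nonce"], blob["ciphertext"])


def demo() -> bool:
    """Round trip with the right key, failure with an unrelated key pair."""
    pub, priv = rsa_keygen()
    victim_file = b"Q1 accounts payable ledger (constructed sample data)"
    blob = encrypt_file(victim_file, pub)
    ok = blob["ciphertext"] != victim_file and decrypt_file(blob, priv) == victim_file
    _, wrong_priv = rsa_keygen()  # a guess at the private key: wrong modulus, wrong d
    try:
        wrong = decrypt_file(blob, wrong_priv) != victim_file
    except OverflowError:  # unwrapped value is not even a valid 32-byte key
        wrong = True
    return ok and wrong


if __name__ == "__main__":
    print("hybrid scheme behaves as described:", demo())
```

The point the note glosses over is that the per-file key never needs to leave the victim's machine in usable form: it exists only long enough to encrypt one file, and the only copy that survives is the RSA-wrapped one. With a real 4096-bit modulus there is no practical way to unwrap it, which is why recovery reduces to either holding the private key or restoring from backup.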
Protecting Your PC and Data from Threats Like the '.robbinhood File Extension' Ransomware
The best protection against threats like the '.robbinhood File Extension' Ransomware is a current set of file backups kept in the cloud or on external media, and kept offline or otherwise out of reach of an infected machine, since ransomware that can reach a connected backup will encrypt it too. Alongside backups, malware specialists advise running a fully updated security program to stop threats like the '.robbinhood File Extension' Ransomware from being installed and to remove them once they have carried out their attack. Once the '.robbinhood File Extension' Ransomware has finished encrypting the files, they cannot be decrypted without the attackers' private key and should instead be replaced from backup copies. Given the likely RDP entry point, remote desktop services should not be exposed directly to the Internet; put them behind a VPN with multi-factor authentication and strong, unique passwords.
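A first responder wants a quick way to confirm the indicators described above on a suspect host. The following Python sweep is an added example, not the page's or any vendor's tool. It checks for the three ransom-note file names quoted above, for renamed files of the form Encrypted_<random>.enc_robbinhood (the regex and its character class are assumptions built from the page's description), and, for files still carrying one of the page's targeted extensions, for byte entropy near 8 bits/byte with no recognisable format header, which is what in-place overwriting of a document looks like. The directory listing is constructed inline in place of a real directory walk.

```python
import math
import re
from collections import Counter

# Added triage example; not code from the page or from any vendor product.
# Indicators come from the page: the three ransom-note file names and victim
# files renamed to Encrypted_<random>.enc_robbinhood. The regex, the chosen
# extensions and the entropy threshold are assumptions for illustration.

RANSOM_NOTES = {"-Decryption_ReadMe.htm", "_Help_Important.html", "_Decrypt_Files.html"}
ENCRYPTED_NAME = re.compile(r"^Encrypted_[A-Za-z0-9_-]{8,}\.enc_robbinhood$")  # assumed form
# A handful of the user-document extensions in the page's target list.
TARGET_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".qbw", ".psd"}
# Compressed formats are legitimately near-random, but keep their header if untouched.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"\xff\xd8\xff", b"8BPS")
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext approaches 8.0, plain documents rarely pass 7


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(name: str, content: bytes) -> str:
    """Return 'note', 'encrypted', 'suspicious' or 'clean' for one file."""
    if name in RANSOM_NOTES:
        return "note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if (ext in TARGET_EXTS
            and not content.startswith(KNOWN_MAGIC)
            and shannon_entropy(content) > ENTROPY_THRESHOLD):
        # Overwritten in place (header gone, bytes random) but not yet renamed.
        return "suspicious"
    return "clean"


def sweep(listing):
    """listing: iterable of (path, content). Returns hit paths per verdict."""
    hits = {"note": [], "encrypted": [], "suspicious": []}
    for path, content in listing:
        verdict = classify(path.rsplit("/", 1)[-1], content)
        if verdict != "clean":
            hits[verdict].append(path)
    return hits


def infection_likely(hits) -> bool:
    """A ransom note together with at least one encrypted or suspicious file."""
    return bool(hits["note"]) and bool(hits["encrypted"] or hits["suspicious"])


# Constructed directory listing standing in for os.walk() on a suspect host.
# bytes(range(256)) * 16 has exactly 8.0 bits/byte and stands in for ciphertext.
SAMPLE_LISTING = [
    ("C:/Users/alice/Documents/-Decryption_ReadMe.htm", b"<html>What happened to your files?</html>"),
    ("C:/Users/alice/Documents/Encrypted_b8f1c2d4e6a7.enc_robbinhood", bytes(range(256)) * 16),
    ("C:/Users/alice/Documents/budget.xlsx", bytes(range(256)) * 16),  # overwritten, not yet renamed
    ("C:/Users/alice/Documents/report.docx", b"PK\x03\x04" + bytes(range(256)) * 16),  # intact zip
    ("C:/Users/alice/Documents/notes.txt", b"meeting notes, action items " * 100),
]

if __name__ == "__main__":
    result = sweep(SAMPLE_LISTING)
    for verdict, paths in result.items():
        print(f"{verdict:10s} {len(paths)} file(s)")
    print("infection likely:", infection_likely(result))
```

The entropy check is the only heuristic here and it is deliberately conservative: a docx, xlsx, pdf or jpeg is compressed and therefore near-random by itself, so the sweep only flags such a file when its format header is gone as well. On a real host, feed `sweep()` the output of `os.walk()` over user directories and reading the first few kilobytes of each file; the name-based hits are the ones to escalate first.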