RobinHood Ransomware

RobinHood Ransomware Description

The RobinHood Ransomware (RobbinHood Ransomware or RobbinHood File Extension Ransomware) is a ransomware Trojan that is used to harass computer users under the pretext of raising awareness and funds for the people of Yemen. In fact, there is no evidence to support the theory that the creators of the RobinHood Ransomware have altruistic motives. It is likelier that the con artists are using the RobinHood Ransomware to profit in the same way that the creators of most encryption ransomware Trojans act today. However, the ransom demand in the case of the RobinHood Ransomware is extremely elevated, making it very unlikely that any individual PC users will pay the RobinHood Ransomware ransom in case of an attack. Take preventive measures against ransomware Trojans like the RobinHood Ransomware, which are becoming common increasingly.

Yemen Got a RobinHood Too

It is very little that's different about the RobinHood Ransomware infection. The RobinHood Ransomware is nearly identical to most other encryption ransomware Trojans; the RobinHood Ransomware will encrypt the victim's files and then demand a ransom payment in exchange for the decryption key necessary to recover the affected files. The RobinHood Ransomware includes messages claiming to serve the people of Yemen, referencing the killing of innocent people in Yemen by Saudi Arabia. There are many ways in which the RobinHood Ransomware can be installed on victim's computers. The most common distribution method linked to the RobinHood Ransomware are corrupted websites and links, often distributed using spam email messages or tactics on social media. The RobinHood Ransomware includes a propaganda image rather than a standard ransom note, changing the victim's desktop image to reflect its aims of supposedly raising money for the people of Yemen. The RobinHood Ransomware will encrypt numerous files, especially targeting media files, photos, and documents associated with Microsoft Office. The RobinHood Ransomware's desktop image reads 'HELP YEMEN' and includes a message instructing victims to take several steps to recover. The RobinHood Ransomware also will drop a text file on the infected computer's desktop. This file, named 'READ_IT.txt' contains the following ransom note, which is displayed on the infected computer:

Bin Salman of Saudi Arabia is Killing poor and innocent people of Yemen by bombing , creating famine and disease!
You as a Saudian or a Supporter of their activities, are partner of his homicide. So you have been subjected to a ransomware attack and must accept one of the following:
a) Giving up all your information
b) Pay five Bitcoins to help Yemeni people.
bitcoin address = 1ENn1BelaKXBotiGuAFE1Yrin3e3vBjUAQH
and send transaction link to:
c) Use Tweeter to condemn Bin Selman for his crimes and ask him to stop the war against Yemen and make 100 users to retweet.'

The figure of five Bitcoin demanded by the RobinHood Ransomware is currently close to $14000 USD, making it very unlikely that regular computer users will pay the ransom amount to recover their files. Additionally, there is no evidence that the con artists will use these ransom amounts to help the people of Yemen. In fact, PC security analysts have dealt with 'altruistic' ransomware before, which make similar claims that the ransom amount will be used for charity or for a noble goal, when in fact there is no difference between the RobinHood Ransomware and other ransomware attacks.

Dealing with the RobinHood Ransomware Infection

The best way to deal with the RobinHood Ransomware and similar infections is to remove the RobinHood Ransomware threat completely with the help of a security program and then recover the files affected in the attack using file backups. Positively, file backups are the best protection against ransomware Trojans like the RobinHood Ransomware. PC security analysts strongly advise computer users to keep the copies of their files updated regularly on a mobile memory artifact or the cloud. Having access to backups undoes the con artists' strategy, giving computer users a way to recover their files after an attack.

RobinHood Targets Each System Individually

Malware researchers have managed to reverse engineer one of the scarcely available samples of RobinHood ransomware, and their analysis has revealed some interesting features. Upon execution, the malware uses a specific command to disconnect all network shares from the infected computer, meaning that other computers from the same network are not encrypted via connected shares. Rather, RobinHood targets each machine individually, which indicates that the attackers push the malicious payload to each individual computer through a domain controller or a framework like EmpirePowerShell or PSExec. Then, the malware attempts to read an RSA encryption key from the Windows Temporary folder. If it is unable to find such key, RobinHood displays a message that the system cannot find the specified file and then quits its execution. If the searched key is present, however, the ransomware continues with the file encryption. As a next step, the malware quits 181 Windows services related to database, antivirus, and mail server programs, as well as to any other software that could keep files open and prevent their encryption. Next, during this preparation phase, RobinHood clears event logs, Shadow Volume Copies and disables the Windows automatic repair function.

RobinHood Creates Four Ransom Notes

After everything is ready, RobinHood starts the actual encryption, creating an AES key for each file. Then, the AES key is locked up, while the original file name is encrypted with the public RSA key and altered to “Encrypted_[randomstring].enc_robbinhood” (for example: Encrypted_b0a6c73e3e434b63.enc_robinhood“). This ransomware skips files in certain directories, like Program Data, Windows, Boot, Temp, Program Files, tmp, AppData, System Volume Information, and others. Another uncommon feature of RobinHood is that it creates numerous log files named “rf_s,” “ ro_l,” and “ro_s” in the C:\Windows\Temp folder, which are deleted after encryption is complete. The “rf_s” file logs the creation of ransom notes in each folder, however, the purpose of the other log files is not known yet. In some cases, a final message “Done, Enjoy buddy:)))” appears to indicate that encryption has been completed.

robinhood ransomware note image

During the encryption process, the ransomware creates four different ransom notes named “_Help_Help_Help.html,” ” _Decrypt_Files.html,” “ _Help_Important.html,” and “_Decryption_ReadMe.html.” These ransom notes inform the victim about what has happened to their files and state the Bitcoin address that should be used to make the ransom payment. The latest variants of RobinHood demand 3 Bitcoin for the decryption of one affected system, and 13 Bitcoin for the entire network. Some of the older variants demanded 7 Bitcoin for all affected systems. There are also reports which claim that some RobinHood samples threaten to impose a $10,000 penalty per day to victims who do not pay, starting from the fourth day of encryption. Another interesting detail that is not observed in many ransomware threats out there is a surprising claim made by its creators. They state they value the victim’s privacy and would delete all data related to a particular user, like IP addresses or encryption keys, as soon as the ransom payment has been made. Also, RobinHood’s contact page says that ransom payments cannot be tracked as an individual Bitcoin address is set up freshly for each victim. The attackers insist on honesty as well - they offer to decrypt three files of up to 10 MB for free.

Robinhood ransomware ransom lock note

Significant Attacks of RobinHood Ransomware

One of the known major attacks of RobinHood happened on May 7, 2019, when Baltimore’s city government got paralyzed for weeks. News agencies reported at that time that the servers of the city’s administration had been breached by a hacking tool developed by the National Security Agency which had landed in the hands of cybercriminals. Later, it was confirmed that the incident was caused by RobinHood Ransomware. As a result of the attack, the city’s entire digital content had been locked so that the government emails were down, no real estate transactions could be processed, and no payments to city departments could be made online. Baltimore City Mayor stated that the city would not pay the demanded ransom of 13 Bitcoin (equal to $100,000), while the FBI and the Secret Service started an investigation. Another RobinHood attack affected the network of the City of Greenwell, North Carolina in April 2019. Responsible law authorities and cybersecurity experts are currently working on that case as well.

Do You Suspect Your PC May Be Infected with RobinHood Ransomware & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like RobinHood Ransomware as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
If you still can't install SpyHunter? View other possible causes of installation issues.

Related Posts

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.