RobinHood Ransomware Description
The RobinHood Ransomware (RobbinHood Ransomware or RobbinHood File Extension Ransomware) is a ransomware Trojan that is used to harass computer users under the pretext of raising awareness and funds for the people of Yemen. In fact, there is no evidence to support the theory that the creators of the RobinHood Ransomware have altruistic motives. It is likelier that the con artists are using the RobinHood Ransomware to profit in the same way that the creators of most encryption ransomware Trojans act today. However, the ransom demand in the case of the RobinHood Ransomware is extremely elevated, making it very unlikely that any individual PC users will pay the RobinHood Ransomware ransom in case of an attack. Take preventive measures against ransomware Trojans like the RobinHood Ransomware, which are becoming common increasingly.
Yemen Got a RobinHood Too
It is very little that's different about the RobinHood Ransomware infection. The RobinHood Ransomware is nearly identical to most other encryption ransomware Trojans; the RobinHood Ransomware will encrypt the victim's files and then demand a ransom payment in exchange for the decryption key necessary to recover the affected files. The RobinHood Ransomware includes messages claiming to serve the people of Yemen, referencing the killing of innocent people in Yemen by Saudi Arabia. There are many ways in which the RobinHood Ransomware can be installed on victim's computers. The most common distribution method linked to the RobinHood Ransomware are corrupted websites and links, often distributed using spam email messages or tactics on social media. The RobinHood Ransomware includes a propaganda image rather than a standard ransom note, changing the victim's desktop image to reflect its aims of supposedly raising money for the people of Yemen. The RobinHood Ransomware will encrypt numerous files, especially targeting media files, photos, and documents associated with Microsoft Office. The RobinHood Ransomware's desktop image reads 'HELP YEMEN' and includes a message instructing victims to take several steps to recover. The RobinHood Ransomware also will drop a text file on the infected computer's desktop. This file, named 'READ_IT.txt' contains the following ransom note, which is displayed on the infected computer:
Bin Salman of Saudi Arabia is Killing poor and innocent people of Yemen by bombing , creating famine and disease!
You as a Saudian or a Supporter of their activities, are partner of his homicide. So you have been subjected to a ransomware attack and must accept one of the following:
a) Giving up all your information
b) Pay five Bitcoins to help Yemeni people.
bitcoin address = 1ENn1BelaKXBotiGuAFE1Yrin3e3vBjUAQH
and send transaction link to: firstname.lastname@example.org
c) Use Tweeter to condemn Bin Selman for his crimes and ask him to stop the war against Yemen and make 100 users to retweet.'
The figure of five Bitcoin demanded by the RobinHood Ransomware is currently close to $14000 USD, making it very unlikely that regular computer users will pay the ransom amount to recover their files. Additionally, there is no evidence that the con artists will use these ransom amounts to help the people of Yemen. In fact, PC security analysts have dealt with 'altruistic' ransomware before, which make similar claims that the ransom amount will be used for charity or for a noble goal, when in fact there is no difference between the RobinHood Ransomware and other ransomware attacks.
Dealing with the RobinHood Ransomware Infection
The best way to deal with the RobinHood Ransomware and similar infections is to remove the RobinHood Ransomware threat completely with the help of a security program and then recover the files affected in the attack using file backups. Positively, file backups are the best protection against ransomware Trojans like the RobinHood Ransomware. PC security analysts strongly advise computer users to keep the copies of their files updated regularly on a mobile memory artifact or the cloud. Having access to backups undoes the con artists' strategy, giving computer users a way to recover their files after an attack.
RobinHood Targets Each System Individually
Malware researchers have managed to reverse engineer one of the scarcely available samples of RobinHood ransomware, and their analysis has revealed some interesting features. Upon execution, the malware uses a specific command to disconnect all network shares from the infected computer, meaning that other computers from the same network are not encrypted via connected shares. Rather, RobinHood targets each machine individually, which indicates that the attackers push the malicious payload to each individual computer through a domain controller or a framework like EmpirePowerShell or PSExec. Then, the malware attempts to read an RSA encryption key from the Windows Temporary folder. If it is unable to find such key, RobinHood displays a message that the system cannot find the specified file and then quits its execution. If the searched key is present, however, the ransomware continues with the file encryption. As a next step, the malware quits 181 Windows services related to database, antivirus, and mail server programs, as well as to any other software that could keep files open and prevent their encryption. Next, during this preparation phase, RobinHood clears event logs, Shadow Volume Copies and disables the Windows automatic repair function.
RobinHood Creates Four Ransom Notes
After everything is ready, RobinHood starts the actual encryption, creating an AES key for each file. Then, the AES key is locked up, while the original file name is encrypted with the public RSA key and altered to “Encrypted_[randomstring].enc_robbinhood” (for example: Encrypted_b0a6c73e3e434b63.enc_robinhood“). This ransomware skips files in certain directories, like Program Data, Windows, Boot, Temp, Program Files, tmp, AppData, System Volume Information, and others. Another uncommon feature of RobinHood is that it creates numerous log files named “rf_s,” “ ro_l,” and “ro_s” in the C:\Windows\Temp folder, which are deleted after encryption is complete. The “rf_s” file logs the creation of ransom notes in each folder, however, the purpose of the other log files is not known yet. In some cases, a final message “Done, Enjoy buddy:)))” appears to indicate that encryption has been completed.
During the encryption process, the ransomware creates four different ransom notes named “_Help_Help_Help.html,” ” _Decrypt_Files.html,” “ _Help_Important.html,” and “_Decryption_ReadMe.html.” These ransom notes inform the victim about what has happened to their files and state the Bitcoin address that should be used to make the ransom payment. The latest variants of RobinHood demand 3 Bitcoin for the decryption of one affected system, and 13 Bitcoin for the entire network. Some of the older variants demanded 7 Bitcoin for all affected systems. There are also reports which claim that some RobinHood samples threaten to impose a $10,000 penalty per day to victims who do not pay, starting from the fourth day of encryption. Another interesting detail that is not observed in many ransomware threats out there is a surprising claim made by its creators. They state they value the victim’s privacy and would delete all data related to a particular user, like IP addresses or encryption keys, as soon as the ransom payment has been made. Also, RobinHood’s contact page says that ransom payments cannot be tracked as an individual Bitcoin address is set up freshly for each victim. The attackers insist on honesty as well - they offer to decrypt three files of up to 10 MB for free.
Significant Attacks of RobinHood Ransomware
One of the known major attacks of RobinHood happened on May 7, 2019, when Baltimore’s city government got paralyzed for weeks. News agencies reported at that time that the servers of the city’s administration had been breached by a hacking tool developed by the National Security Agency which had landed in the hands of cybercriminals. Later, it was confirmed that the incident was caused by RobinHood Ransomware. As a result of the attack, the city’s entire digital content had been locked so that the government emails were down, no real estate transactions could be processed, and no payments to city departments could be made online. Baltimore City Mayor stated that the city would not pay the demanded ransom of 13 Bitcoin (equal to $100,000), while the FBI and the Secret Service started an investigation. Another RobinHood attack affected the network of the City of Greenwell, North Carolina in April 2019. Responsible law authorities and cybersecurity experts are currently working on that case as well.
File System Details
|#||File Name||Size||MD5||Detection Count|
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.