The National Capitol Region Threat Intelligence Consortium Cyber Center assesses with moderate confidence that a new ransomware campaign, dubbed RobbinHood Ransomware, is actively targeting government networks within the United States. Ransomware is a type of cyber extortion scheme in which malicious software is used to restrict victims’ access to computer systems, networks, or files until a demand is met, usually in the form of a monetary payment to the attacker.
First discovered in April 2019, RobbinHood Ransomware targets entire networks and attempts to encrypt files on as many computers on the infected networks as possible. The distribution method used to infect systems is currently unknown; however, open source reports suggest that the threat actors behind the campaign may be compromising remote desktop services or using Trojans to deliver the ransomware variant. [1]
Upon execution, RobbinHood Ransomware issues the command cmd.exe /c sc.exe stop AVP /y to stop 181 Windows services associated with antivirus software, databases, mail servers, and other software that would prevent the encryption of associated files. It also disconnects all network shares from infected systems using the command cmd.exe /c net use * /DELETE /Y. Security researchers have determined that other machines on the network are not encrypted via connected shares; instead, payloads are pushed to other machines either via a domain controller or through Empire PowerShell and PsExec. RobbinHood then creates an AES key for each impacted file, encrypts that key and the original filename with a public RSA encryption key, appends the result to the encrypted file, and renames the file in the following format: Encrypted_[randomstring].enc_robbinhood
Lastly, RobbinHood Ransomware creates several log files under the C:\Windows\Temp folder named rf_, ro_l, and ro_s and drops four ransom notes on the infected system: _Decrypt_Files.html, _Decryption_ReadMe.html, _Help_Help_Help.html, and _Help_Important.html. These notes provide victims with the ransom demand and instructions on how to submit payment to the attacker. Recent reports indicate that RobbinHood Ransomware demands a payment of 3 Bitcoin (approximately 17,000 USD) per infected system or 13 Bitcoin (approximately 75,000 USD) per network. There is currently no publicly available decryption tool for RobbinHood Ransomware.
The NTIC Cyber Center recommends all network administrators implement a robust and comprehensive data backup process, conduct regular training and awareness exercises with all employees, and review the attached NTIC Cyber Center Ransomware Mitigation Guide for additional ransomware protection strategies. Additionally, we recommend verifying that endpoint protection platforms are proactively blocking the following SHA256 hash value associated with initial RobbinHood Ransomware campaigns: 3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
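The following script is an added example, not part of the NTIC advisory or any vendor tooling, showing how the behavioural and file-based indicators described above (the sc.exe service-stop and net use share-disconnect commands, the Encrypted_[randomstring].enc_robbinhood filename pattern, the rf_/ro_l/ro_s logs under C:\Windows\Temp, the four ransom note names, and the published SHA256 hash) can be matched against process and file telemetry. The event format, the sample events, the ConstructedSvcN service names, and the MASS_STOP_THRESHOLD value are assumptions made for the example; only the indicators themselves come from the advisory.

```python
import hashlib
import re

# Indicators quoted from the advisory above.
KNOWN_SHA256 = {
    "3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b",
}
RANSOM_NOTES = {
    "_decrypt_files.html",
    "_decryption_readme.html",
    "_help_help_help.html",
    "_help_important.html",
}
TEMP_LOG_PREFIXES = ("rf_", "ro_l", "ro_s")
TEMP_DIR = "c:\\windows\\temp\\"

# Filename pattern from the advisory: Encrypted_[randomstring].enc_robbinhood
ENCRYPTED_NAME = re.compile(r"^encrypted_[^\\/]+\.enc_robbinhood$")

# Command-line patterns for the two behaviours the advisory describes.
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)\s+/y\b", re.IGNORECASE)
NET_USE_DELETE = re.compile(r"\bnet(?:\.exe)?\s+use\s+\*\s+/delete\s+/y\b", re.IGNORECASE)

# Assumed threshold: a few service stops are routine administration; dozens in
# one session resemble the 181-service kill list described in the advisory.
MASS_STOP_THRESHOLD = 10


def file_indicators(path):
    """Return the indicator names matched by one file path (case-insensitive)."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    hits = []
    if name in RANSOM_NOTES:
        hits.append("ransom_note")
    if ENCRYPTED_NAME.match(name):
        hits.append("encrypted_file")
    if p.startswith(TEMP_DIR) and name.startswith(TEMP_LOG_PREFIXES):
        hits.append("temp_log")
    return hits


def command_indicators(cmdline):
    """Return (indicator names, stopped service name or None) for one command line."""
    hits = []
    service = None
    m = SC_STOP.search(cmdline)
    if m:
        hits.append("service_stop")
        service = m.group(1)
    if NET_USE_DELETE.search(cmdline):
        hits.append("share_disconnect")
    return hits, service


def sha256_hex(data):
    """SHA256 hex digest of a binary blob, for comparison against the blocklist."""
    return hashlib.sha256(data).hexdigest()


def is_known_hash(hexdigest):
    return hexdigest.lower() in KNOWN_SHA256


def analyze(events):
    """Walk a list of telemetry events and return (event index, indicator) tuples.

    Event shapes (assumed for this example):
      {"type": "process", "cmdline": "..."}
      {"type": "file", "path": "..."}
      {"type": "binary", "sha256": "..."}
    A session-level finding (-1, "mass_service_stop") is added when the number
    of distinct services stopped via sc.exe reaches MASS_STOP_THRESHOLD.
    """
    findings = []
    stopped = set()
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            hits, service = command_indicators(ev["cmdline"])
            if service:
                stopped.add(service.lower())
        elif ev["type"] == "file":
            hits = file_indicators(ev["path"])
        elif ev["type"] == "binary":
            hits = ["known_hash"] if is_known_hash(ev["sha256"]) else []
        else:
            hits = []
        findings.extend((i, h) for h in hits)
    if len(stopped) >= MASS_STOP_THRESHOLD:
        findings.append((-1, "mass_service_stop"))
    return findings


# Constructed sample telemetry: the AVP stop and the net use command are from the
# advisory; ConstructedSvcN, the user paths and the benign events are made up.
SAMPLE_EVENTS = (
    [{"type": "process", "cmdline": "cmd.exe /c sc.exe stop AVP /y"}]
    + [{"type": "process", "cmdline": f"cmd.exe /c sc.exe stop ConstructedSvc{n} /y"} for n in range(11)]
    + [
        {"type": "process", "cmdline": "cmd.exe /c net use * /DELETE /Y"},
        {"type": "process", "cmdline": "C:\\Windows\\System32\\notepad.exe report.txt"},
        {"type": "file", "path": "C:\\Windows\\Temp\\rf_output"},
        {"type": "file", "path": "C:\\Users\\alice\\Documents\\Encrypted_b7Kq2x9Z.enc_robbinhood"},
        {"type": "file", "path": "C:\\Users\\alice\\Desktop\\_Help_Help_Help.html"},
        {"type": "file", "path": "C:\\Users\\alice\\Desktop\\budget.xlsx"},
        {"type": "binary", "sha256": "3BC78141FF3F742C5E942993ADFBEF39C2127F9682A303B5E786ED7F9A8D184B"},
    ]
)

if __name__ == "__main__":
    for idx, indicator in analyze(SAMPLE_EVENTS):
        print(idx, indicator)
```

The per-event matches are the cheap, high-precision signals (a ransom note name or the .enc_robbinhood suffix is rarely benign); the session-level mass_service_stop finding is what separates the advisory's 181-service kill list from an administrator restarting one service, so in a real pipeline it is the one worth tuning per environment.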