Ransom.RobbinHood

Short bio

Ransom.RobbinHood is Malwarebytes’ detection name or a type of ransomware that is used in targeted attacks against enterprises and organizations.

robbinhood ransom note

Ransom.RobbinHood ransom note

Type and source of infection

Ransomware is a category of malware that holds files or systems hostage for ransom. When encrypting files, an AES key is created for each file. The ransomware will then encrypt the AES key and the original filename with the public RSA encryption key and append it to the encrypted file.
Ransom.RobbinHood is used in targeted attacks, where the threat actors make sure that essential files are encrypted so they can ask for large ransom amounts. Ransom.RobbinHood has been know to use a digitally signed driver and exploit a vulnerability in this legitimate driver to gain kernel access.

Aftermath

Because of the targeted nature of this ransomware, it is advised to do a full network scan to find any backdoors or other tools that the threat actors may have left behind, and which may enable them to regain access to the network.

Protection

Malwarebytes protects business and home users from Ransom.RobbinHood by using Anti-Ransomware technology and real-time protection.

realtime protevtion

Malwarebytes Real-time protection blocks Ransom.RobbinHood

ARW detection

Malwarebytes Anti-Ransomware recognizes and stops ransomware behavior.

Remediation

All component/technology detections are passed to the remediation engine for complete removal from infected systems. This industry leading technology uses patented techniques in identifying all cohorts or associated files for a single threat and removes them all together to prevent malware from resuscitating itself. If you are using Malwarebytes Ransomware Rollback technology, it allows you to wind
back the clock to negate the impact of ransomware by leveraging just-in-time backups.

IOCs

Files SHA256 hashes:

  • 791c32a95f401f7464214960e49e716656f6fd6fff135ac2a6ba607236d3346e
  • 99c3cc348f8ee4e87bce45b1dd185d31830c370ac43fd3e39ac50340f029ef79
  • e9188ace227b00cbf1f6fba3ceb32af8e4d456c3a0815300a224a9d9e00778a8
  • 47d892da6a49b02a2904bdc0d03ecef66c076481d19ab19251d86d11be494765

Encrypted files are stored with the extension enc_robbinhood

 

Related blog content

The real problem with ransomware

How to protect your business from ransomware

Select your language