S0400 RobbinHood
RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]
| Item | Value |
|---|---|
| ID | S0400 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.1 |
| Created | 29 July 2019 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | RobbinHood uses cmd.exe on the victim's computer.[1] |
| enterprise | T1486 | Data Encrypted for Impact | RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.005 | Network Share Connection Removal | RobbinHood disconnects all network shares from the computer with the command `net use * /DELETE /Y`.[1] |
| enterprise | T1490 | Inhibit System Recovery | RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.[1] |
| enterprise | T1489 | Service Stop | RobbinHood stops 181 Windows services on the system before beginning the encryption process.[1] |
References
1. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
2. Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.