Skip to content

S0400 RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government’s computer network.12

Item Value
ID S0400
Associated Names
Version 1.1
Created 29 July 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell RobbinHood uses cmd.exe on the victim’s computer.1
enterprise T1486 Data Encrypted for Impact RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.1
enterprise T1070 Indicator Removal -
enterprise T1070.005 Network Share Connection Removal RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.1
enterprise T1490 Inhibit System Recovery RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.1
enterprise T1489 Service Stop RobbinHood stops 181 Windows services on the system before beginning the encryption process.1