Robbinhood Ransomware Gang Still Operational

Robbinhood History

One of the most notorious ransomware gangs from 2019 and 2020 is known as Robbinhood (with 2 B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost zero mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.

Expected Threat Actor

PacketWatch recently responded to an incident where the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the ransomware attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those that were documented in attacks three years ago.

Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:

  • Blackhole.exe
  • steel.exe
  • Runtime_Service.exe
  • robnr.exe
  • BlackholeCleaner.exe
  • NewBoss4.exe
  • Winlogon.exe

Initial Infection & Privilege Escalation

Blackhole.exe is the initial dropper, which copies the rest of the above-mentioned files to the hard drive. Blackhole.exe then executes steel.exe, which can disable processes such as antivirus or antimalware. To gain the access necessary for this, it deploys another executable, robnr.exe, which in turn drops gdrv.sys, a legitimate and digitally signed kernel driver from Gigabyte. This specific kernel driver is vulnerable to CVE-2018-19320, which allows the attacker to take complete control of the system.
Figure 1: Malicious executables in the Windows Temp directory
Figure 2: Vulnerable Gigabyte driver installed as a service

Second Malicious Kernel-space Driver

With this level of control over the system, a second, malicious kernel-space driver rbnl.sys is run that can delete locked files and can kill processes.

Figure 3: Malicious kernel driver installed as a service

Lateral Movement

Like many other threat actors today, Robbinhood abuses AnyDesk (a legitimate IT tool for remote access) to move laterally between systems.
Figure 4: Evidence of AnyDesk used for lateral movement

Ransomware Execution

The ransomware executable is also dropped in C:\Windows\Temp by newboss4.exe and is named winlogon.exe. The threat actor registered it as a service named WinNTRPC64.
Figure 5: NewBoss4 executable in Windows update directory
Figure 6: Ransomware executable installed as a service

Ransomware Note

The ransom note has not deviated much from its original form. It continues to use poor English and includes taunts to the victim, such as “Just pay the ransomware and end the suffering then get better cybersecurity.” It also references previous known attacks from the group (Baltimore and Greenville cities).
Figure 7: Ransom note


Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages blackholecleaner.exe.

Figure 8: BlackHoleCleaner executable process

How to protect your organization

There are several steps organizations can take to help protect against Robbinhood and other forms of ransomware:

  1. Deploy Endpoint Detection and Response (EDR) across endpoints and servers
    • Many solutions have detection and prevention capabilities that will stop ransomware in its tracks
  2. Monitor network traffic for suspicious activity
    • Solutions such as PacketWatch provide full visibility into network traffic, allowing for the detection of anomalous and malicious traffic
  3. Implement and maintain data backups
    • Back up data regularly to offline/off-site storage
    • Test these backups regularly
  4. Implement multi-factor authentication (MFA) across the environment
  5. Regularly patch software and operating systems to the latest available versions
  6. Limit port and service exposure to the internet to reduce the attack surface

Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.


Lessons Learned from #ContiLeaks

ContiLeaks Background

Over the last week, InfoSec Twitter has been set ablaze with #ContiLeaks. An individual, likely of Ukrainian origin or a sympathizer, was outraged by a post from Conti leadership declaring solidarity with Russia. The leaks started with Jabber discussions, a screenshot, and source code dumps. The individual behind the @ContiLeaks Twitter account tweeted “Glory for Ukraine!” after four tweets containing the leaks.
These leaks give cybersecurity professionals around the world, and specifically Cyber Threat Intel (CTI) analysts, insight into the inner workings of the top Ransomware-as-a-Service (RaaS) operator. Our CTI practice has been combing through the data looking for Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) that would support our Managed Detection and Response (MDR) analysts as they hunt in our customer networks. Here are the main lessons our CTI practice has learned over the last several days:
  • Conti operations were run very similarly to a mature small-business start-up.
  • The hacking techniques employed by affiliates or “Pentesters” are not novel.
  • Conti has good software development practices and leverages the latest software development capabilities. Conti’s intellectual property is its software.

Conti Operations

Contrary to the common belief that RaaS gangs are just a bunch of hackers in hoodies, Conti shows the reality that if you are going to participate in this space and be on top, you must have good business operations. The #ContiLeaks have shown us that Conti had a typical business structure. It was made up of roughly 70 employees across the following departments: Human Resources, Leadership and Management, Research and Development, Reverse Engineers, 3rd Party Contractors, and Penetration Testers. It might surprise some to learn that Conti had proposal requests, a procurement process, and budgetary requirements. When one of the Penetration Testers needed a licensed piece of software, they submitted their request to a Technical Lead. This was then followed by Management with approvals and directions on where the money (cryptocurrency) would be transferred for purchasing. The process was the same when Research and Development wanted to purchase enterprise security software and hardware for testing their software’s ability to go undetected or for bypassing these security tools.

Conti Hacking Techniques

A lot was already known about Conti’s tactics, techniques, and procedures (TTPs); however, with the #ContiLeaks more details have emerged that confirm initial suspicions and information highlighted by researchers such as The DFIR Report. This includes how Conti conducted reconnaissance, gained initial access, moved laterally in networks, persisted, and ultimately reached their goal of exfiltrating data and encrypting their target’s workstations and servers. Much of what was in Conti’s arsenal of tooling came from free and open-source software (FOSS), legitimate versions of Cobalt Strike, Proof of Concept (POC) code for known vulnerabilities found on GitHub, and other community-driven penetration testing projects and scripts, many of which are used by ethical penetration testing practices today. Custom tooling from the group consisted mostly of automation scripts (batch files, obfuscated PowerShell), custom dynamic link libraries (DLLs), portable executables (PEs), and other executables (EXEs), including the ransomware itself.

Conti Software

It is in this area that our CTI practice believes the true capabilities of Conti reside. As with any small-business start-up software company in Europe or the Americas, the development team followed modern-day development practices. The development team leveraged the Agile method with Continuous Integration (CI) / Continuous Deployment (CD) pipelines. The chat logs from the #ContiLeaks show they had “sprints” for different projects in development. Conti developers leveraged version control for their different code repositories through a self-hosted GitLab server running on the Tor network. When new projects were completed, fellow employees were directed to pull the latest Git repo from GitLab for use during operations. Furthermore, analysis of the leaked source code shows development by seasoned developers who knew exactly what they wanted to accomplish with their preferred languages (C++, Erlang, JavaScript, and others).

For further details and more in-depth technical information on this topic, please contact us at

Surge in Bitcoin Mining Attacks Expected

History Repeats Itself

During the surge of Bitcoin prices in 2017, nefarious actors hacked everything from web servers to browsers in an attempt to mine cryptocurrency. We even saw one of our client’s network routers be co-opted as coin-miners!

We anticipate a similar surge of mining attacks in the coming weeks and months as cryptocurrency values soar once again and new varieties flood the market. For example, Bitcoin’s value has skyrocketed to almost $40,000 in recent weeks, which will undoubtedly result in an increase in coin-mining hacking attempts.

Expected Targets

Ideal targets are unpatched software systems and IoT devices. It’s not always possible to patch older software systems and, let’s face it, most organizations don’t know everything on their network. That’s where a combination of defenses can help.

Endpoint Protection

Advanced endpoint protection such as CrowdStrike Falcon is something we use and strongly recommend. Having such Endpoint Detection & Response (EDR) capabilities on your hosts is becoming an absolute “must” in this age of memory-resident, fileless, and polymorphic malware. Unlike traditional antivirus, which relies on matching signatures of known malware, EDR monitors file activity, processes, and communications on a host to detect known and unknown threats, and will automatically block suspicious activity in real time.

Network Protection

Unfortunately, not every endpoint can have EDR installed, such as printers, IoT, and other network-connected devices, and that’s where network monitoring becomes a key companion capability. PacketWatch monitors and records all network traffic and can spot the telltale signs of coin-mining activity, even on those devices that cannot be protected by EDR.

Recent Incident Involving a Coin Miner

In December 2020, an enterprise-sized organization hired PacketWatch to help battle an incident that involved such a compromise. In this example, a PHP exploit was used to compromise a server and install a Bitcoin miner.

Using PacketWatch’s full packet capture to replay the coin-miner traffic, analysts were able to reverse engineer the scripts executed. As soon as the attackers compromised the server, they also began running scripts to remove other competing coin miners that might be present in the environment, after which the script would harden the asset to prevent further intrusions. This level of visibility gave investigators a complete picture of the incident and left no questions about what had occurred and what the attackers were after. The client was able to clean the identified server and return to normal operation quickly.


Your Enemy Can Be Your Best Teacher

This quote attributed to the Dalai Lama inspired our analysts to take a thoughtful approach to monitoring our external nodes. We wanted to answer the question: what are the top 20 ports that the top 3 cyber threat actor countries are hitting? Could the targeting from countries such as China, Russia, and Iran give us some insight into what they’re trying to exploit? So, we analyzed traffic from these countries from 1 May 2020 to 30 June 2020 and evaluated over 7 million sessions to identify the top targeted ports from each of these countries.

Key Findings

Our analysis of this data found the following trends:

  1. Russian traffic tends to focus on exploiting remote computing. Port 3389, and ports near it, along with VNC, were heavily targeted.
  2. Chinese traffic is focused on databases and their infrastructure. MSSQL (1433) was far and away the most targeted port, but other services such as Redis also appear.
  3. Iranian traffic had components of both Russian and Chinese targeting, but also showed significant interest in IoT devices.


We realize that not all traffic from these countries is bad, but it is fair to acknowledge these countries do host a significant amount of cyber threats. We hope that by monitoring and observing trends from these locations, we can start to discern potential interests in targeting, as well as assess what services may be at higher risk.




During this time, we clearly see that the #1 targeted port for Russian traffic was 445. This port is notoriously associated with SMB and the EternalBlue vulnerability. Anecdotally, we consulted some pen tester friends and discovered that EternalBlue is still quite prevalent in the wild. Research on Shodan reveals 1.5 million hits for port 445, and that the US and Russia are the two countries showing the most occurrences of this port being open.

The next top targeted port is Telnet (23) followed by Remote Desktop Protocol (3389). However, as we look at the rest of the top 20, a clear pattern emerges. Several ports surrounding 3389 are also being targeted. Based on our findings, and our knowledge gained from our incident response practice, it appears Russian traffic may be attempting to identify cases where clever systems administrators were trying to hide RDP on non-standard ports.

However, we also see port 5900 in the top 20 as well. This port is associated with VNC (Virtual Network Computing). VNC is a well-known remote access tool, but could obviously be repurposed for malicious purposes, just like RDP.


When we first started watching Chinese traffic, we were surprised to see their interest in 1433, MSSQL. While it has always held the #1 spot, the percentage of total traffic it represents has varied between 30-40% over recent weeks. Other database ports here include Redis (6378-6381), MySQL (3306), and the AFS-3 protocol (7001, 7002).

We also witnessed some of the same interests that Russian activity exhibited with targeting on ports like 445 and 3389.

Everything considered, Chinese activity for this period was largely focused on databases. When we consider the breaches that Chinese actors have been indicted for over the last several years (Equifax, OPM), we start to realize their strategic interest in big data can certainly be considered a sustained trend.


Iranian activity appeared to focus on a combination of the targets we saw in Russian and Chinese activity, including 445 and 1433. Surprisingly, we noticed a newcomer to the top 10: port 9530. This port is unassigned according to the Internet Assigned Numbers Authority (IANA); however, open source research indicates that a large number of Chinese IoT components, such as Xiongmai firmware, can be accessed via backdoors after hitting port 9530, a tactic sometimes referred to as “port knocking.”

On a weekly basis, we provide our clients with intelligence on active targeting campaigns that we observe in the wild. During the week of 29 June 2020, we noticed Iranian activity targeting ports 5977 and 4876. Port 4876 is associated with the Tritium CAN Bus Bridge Service, a component associated with vehicles, which typically requires physical access to exploit vulnerabilities.


We found this exercise to be quite eye-opening. While we hypothesized that RDP would be of interest, we were surprised to see the variation in ports that Russian traffic was targeting. We also did not expect to find Iranian activity so interested in IoT devices. Chinese activity demonstrated ongoing and unwavering attention to databases.


About PacketWatch

We are threat hunters, investigators, intelligence analysts, and cybersecurity experts with experience in federal law enforcement, national security, and enterprise IT. Leveraging our expertise and our innovative use of technology, we help our clients find security risks that others may miss.

Please visit us at

Living Off the Land (LOTL): A Case Study


During a recent incident involving LockBit ransomware, we discovered a persistent credential harvester that was hidden as a scheduled task/process. We did a significant amount of investigation before unraveling the clues of what was creating alerts and attempting to beacon out to certain IP addresses in Latvia.

During this investigation, we uncovered a heavy reliance on inherent functions built into Windows that were abused in order to masquerade as other processes, steal passwords, and exfiltrate them out of the organization.

This behavior is often referred to as “Living Off the Land.” In other words, no malware was used, just clever use of what is already available within the operating system.



Latvian Connection

The use of a Latvian VPN provider was a central part of the attacker’s infrastructure. It was also referred to throughout the scripts in decimal format: the IP address in question, 1484238829, translates to 88[.]119[.]175[.]237 when converted.
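As an added example (not from the original post or the incident’s scripts), a small Python helper that decodes integer-form IPv4 addresses like the one above and scans script text for them, so they can be defanged for a report and matched against blocklists. The script excerpt it scans is constructed, and the variable names in it are invented.

```python
import re
import ipaddress
from typing import List, Tuple

# Constructed script excerpt imitating the decimal-form address usage described in
# the post. The integer is the one reported there; the variable names are invented.
SAMPLE_SCRIPT = r"""
$srv = 1484238829
$u = "http://" + $srv + "/upload"
$retries = 485
"""

# Bare integers of 8 to 10 digits: anything shorter than 8 digits decodes to 0.x.x.x
# and is far more likely to be a counter, size or timestamp than an address.
_INT_RE = re.compile(r"(?<![\w.])(\d{8,10})(?![\w.])")


def decimal_to_ipv4(value: int) -> str:
    """Convert a 32-bit integer to dotted-quad form (1484238829 -> 88.119.175.237).

    The integer is just the four octets read as one big-endian number, so
    88*2**24 + 119*2**16 + 175*2**8 + 237 == 1484238829.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %d" % value)
    return str(ipaddress.IPv4Address(value))


def defang(ip: str) -> str:
    """Bracket the dots so the address cannot be auto-linked or clicked in a report."""
    return ip.replace(".", "[.]")


def find_decimal_ips(text: str, public_only: bool = True) -> List[Tuple[int, str]]:
    """Return (integer, dotted) pairs for integers in text that decode to IPv4 addresses.

    With public_only, keep only globally routable addresses; that drops values that
    decode into 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8 and similar reserved space, which
    a script is unlikely to encode as a decimal literal.
    """
    hits = []
    for m in _INT_RE.finditer(text):
        value = int(m.group(1))
        if value > 0xFFFFFFFF:
            continue
        addr = ipaddress.IPv4Address(value)
        if public_only and not addr.is_global:
            continue
        hits.append((value, str(addr)))
    return hits


if __name__ == "__main__":
    for value, dotted in find_decimal_ips(SAMPLE_SCRIPT):
        print("%d -> %s" % (value, defang(dotted)))
```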



Renaming PowerShell

In all cases where PowerShell was used, it had been renamed to “modpro.exe.”



Picking a Name

The scripts would also create a scheduled task, and name it from one of 9 templates:



Choosing a Birthdate

The newly created tasks would also change their modified dates to be 485 days in the past. This is a process known as “time stomping” and would frustrate any attempts to look for newly created scheduled tasks.
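An added example, not from the post or its full report: Python detection logic for the two tricks described above (renamed PowerShell and time-stomped scheduled tasks), run over constructed records shaped like Sysmon process-creation fields and scheduled-task metadata. The paths, task names and times are invented; the first check relies on PowerShell’s version-resource OriginalFileName being PowerShell.EXE, and the second assumes the attacker rolled back only the task file’s modified time and left the task’s own registration date intact.

```python
import ntpath
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed process-creation records with the fields Sysmon Event ID 1 reports.
# Paths and command lines are invented; "modpro.exe" is the name from the post.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
    {"Image": r"C:\ProgramData\example\modpro.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "modpro.exe -w hidden -ep bypass -File C:\\ProgramData\\example\\run.ps1"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Constructed scheduled-task records: the RegistrationInfo/Date element inside the
# task XML beside the file-system modified time of that XML under
# C:\Windows\System32\Tasks. Names and times are invented; the second task has had
# its file time rolled back 485 days, as the post describes.
TASK_RECORDS = [
    {"Name": "ExampleVendor Update Task",
     "RegistrationDate": datetime(2021, 6, 2, 9, 0, 0),
     "FileModified": datetime(2021, 6, 2, 9, 0, 12)},
    {"Name": "ExampleTelemetry Upload",
     "RegistrationDate": datetime(2021, 6, 10, 14, 30, 0),
     "FileModified": datetime(2021, 6, 10, 14, 30, 0) - timedelta(days=485)},
]


def renamed_powershell(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events where the binary is PowerShell but the on-disk name is not.

    OriginalFileName comes from the PE version resource and survives a rename on
    disk, so "modpro.exe" carrying OriginalFileName PowerShell.EXE is the signal.
    ntpath is used so Windows paths split correctly on any platform.
    """
    hits = []
    for ev in events:
        if ev.get("OriginalFileName", "").lower() != "powershell.exe":
            continue
        if ntpath.basename(ev["Image"]).lower() != "powershell.exe":
            hits.append(ev)
    return hits


def time_stomped_tasks(tasks, slack: timedelta = timedelta(minutes=5)):
    """Return tasks whose XML file was 'modified' before the task was registered.

    The task file is written when the task is registered, so a modified time
    earlier than RegistrationInfo/Date (beyond a small clock slack) means the
    file time was rewritten. Hunting by "created in the last N days" misses these;
    comparing the two timestamps does not.
    """
    return [t for t in tasks if t["FileModified"] + slack < t["RegistrationDate"]]


if __name__ == "__main__":
    for ev in renamed_powershell(PROCESS_EVENTS):
        print("renamed PowerShell:", ev["Image"])
    for t in time_stomped_tasks(TASK_RECORDS):
        print("time-stomped task:", t["Name"])
```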




This malware-less attack was quite sophisticated and complex to unravel. The multiple layers involved and numerous steps associated are all included in our full report. This report also includes references to the different techniques employed and the ATT&CK framework.





More Information

Please see the full report for in-depth details.

Extensive Remote Workforce and Upcoming American Holiday Likely to Attract Significant Increase in Ransomware Attacks


Since May 4th, we have seen an eye-catching increase in cyber incidents, email compromise, and ransomware attacks.

As we approach the US Holiday, Memorial Day, we expect this increase to continue. To help improve your awareness, we offer the following trends and fairly consistent indicators pointing back to Eastern European and Russian criminal actors.


Here are some of the prevalent trends that we have seen recently:

  • Attackers are using compromised admin credentials. The credentials appear to be coming from successful phishing attacks, or brute forcing/guessing. In at least one case we worked, a laptop appeared to be infected with password-harvesting malware—when an administrator remotely logged in, the attackers were able to collect the admin credentials.
  • Organizations with open ports on 3389 and 21 seem to be especially susceptible to attack.
  • Domain controllers are being encrypted, making deployment of recovery tools difficult. We strongly recommend having good backups of domain controllers.


We are sharing the following recommendations, in order of importance, based on recent research and incidents we’ve worked throughout May:

  • Mandate multifactor authentication (MFA), wherever possible. Even if an attacker can obtain login credentials (password and user name), MFA is very effective at deterring full compromise.
  • Implement advanced endpoint protection, such as CrowdStrike. Traditional antivirus is increasingly becoming less effective (as evidenced by the AV server getting encrypted in a cited case).
  • Use complex passwords for admin accounts, especially those shared with outside vendors.

Network Monitoring

The knowledge we gain through our Incident Response Practice often gets “re-invested” into PacketWatch as alerts and queries watching for anomalous trends and threats.

Following is a PacketWatch graph showing activity for the past week from Russian IP addresses. This activity is collected via an externally-facing PacketWatch node not filtered by a firewall, affording us tremendous visibility into the holistic nature of internet traffic.

As you’ll notice in the following graph, Russian activity last week spiked noticeably starting around 00:30 on Friday, May 15, and subsided the following Tuesday morning.



When we break this traffic out by Autonomous System Number (ASN), we see that two ASNs seem to be primarily responsible for this increase in traffic. Please see the following graph.



We traditionally see a surge in cyber attacks on or around major American holidays, since attackers are keen to exploit victims they suspect may be less vigilant due to vacations, remote work, or the typical excitement and distractions that accompany holiday activities.

Lately, the surge in attack traffic appears to be focused on ports 445, 23, and 3389 (SMB, Telnet, and RDP, respectively). These ports are typical threat vectors for wormable exploits and ransomware deployment. Based on the timing in this swell of activity as well as the targeted ports, we assess with moderate to high confidence that organizations with services open and responding on these ports may face significant targeting over the coming Memorial Day weekend.

Russian Activity Over the Past Seven Days

Looking at Russian activity over the past week, we also see a fair amount of other traffic looking for interesting services such as Secure Shell (port 22, SSH) and port 5900. Port 5900 is associated with Apple’s remote network computing. Database administrators will be interested to see that 1433 (SQL) makes an appearance here as well.


A Closer Look at a COVID-19 Phish


Fresh Catch

As cybercriminals continue to exploit the COVID-19 pandemic, we’ve been on guard keeping watch for any phish that may get caught in our nets that look particularly interesting. This week, we caught some.

This phish arrived Tuesday morning around 1044 local time for the client. It did a fine job of pretending to be a health alert from, apparently, a few different organizations, including:

  • Department of Health (they didn’t specify which one)
  • National Contact Center
  • National Center for Health Marketing
  • Division of eHealth Marketing
  • Centers for Disease Control and Prevention

Additionally this message had a nice link in it that appeared to be leading to



The Analysis

However, a closer look at the source of this very simple yet alarming phish reveals something just isn’t quite right:



The text claiming to be the link to is actually a hyperlink leading to a page that redirects to an Outlook Web Access (OWA) themed phishing page.

Here’s a closer look at the HTML source of the email, which shows that a simple “a href=” is all it took for this message to weaponize the CDC’s website.
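As an added example, not part of the original post: a Python check that parses an email’s HTML and flags anchors whose visible text is itself a URL on a different host from the real href, which is exactly the trick this message used. The HTML fragment is constructed, and the host phish.example is a placeholder standing in for the real phishing site.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed HTML fragment imitating the lure: the visible link text is the CDC's
# site, while the href points at a placeholder host and a /cdcgov/ directory like
# the one seen on the phishing server.
SAMPLE_EMAIL_HTML = """
<p>Latest guidance is available at
<a href="http://phish.example/cdcgov/owa/index.html">https://www.cdc.gov/coronavirus/2019-ncov/</a>
or through the National Contact Center.</p>
<p><a href="https://www.cdc.gov/">CDC home page</a></p>
<p><a href="https://www.cdc.gov/media/">cdc.gov/media</a></p>
"""

# Visible text a reader would take for a URL: optional scheme, dotted host, optional path.
_URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL or bare domain, lower-cased; '' if it has none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _same_site(a: str, b: str) -> bool:
    """Treat a host and its subdomains as one site (cdc.gov vs www.cdc.gov)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Return (visible_text, href) pairs where the text reads as a URL on another host.

    Plain-word link text ("CDC home page") is not checked: it makes no claim about
    where the link goes. Text that looks like a URL does, and a different href host
    is the classic sign of a spoofed link.
    """
    collector = _AnchorCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.anchors:
        if not _URL_LIKE.match(text):
            continue
        if not _same_site(_host(text), _host(href)):
            hits.append((text, href))
    return hits


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL_HTML):
        print("spoofed link: shows %s but goes to %s" % (text, href))
```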




Once the user hit that link they would be redirected to a phishing page hosted at rc-hobbies[.]co[.]uk. This site had an especially interesting directory: /cdcgov/.


The OWA-themed landing page was nothing special, but given the severity of events at the moment, effective nonetheless.



Diamond Model: A Visualization of Findings

Further investigation of the attacker’s infrastructure found a number of email addresses indicating individuals associated with various financial and investment firms had been targeted by this campaign. Further digging also found a number of state, local, and federal .gov emails had all been targeted as well. The vast majority of these consisted of current and former staff with fiduciary responsibility. This diamond model helps us visualize the infrastructure, tactics, and targeting of this campaign from a broader standpoint:




This campaign, on top of our experience in some recent Business Email Compromise cases, tells us that financially motivated attackers are willing to play dirty and use the Coronavirus to target your finance personnel.

The old advice of “just don’t open attachments” doesn’t work anymore when attackers are using clever phishing pages from trusted sources with high-urgency themes.

PacketWatch has experience and capability providing security, investigations, and incident response and can help protect your organization from threats like these that abound, especially in our current environment.


The Noise of Missing Traffic


The World’s Most Populous Country Just Got Significantly Quieter


Key Findings

As the Coronavirus has continued its march across the globe over the last few weeks, it has forced countries into lockdown. Recently, our intelligence team started looking for countries that have suddenly gone silent. Our research and analysis found a major drop in traffic starting around late March. This post will share what we’ve uncovered, details of the change in traffic, and a few predictions about what this means for the future.


How It Started

As all research begins, this one started the same way: virtual water-cooler chitchat. A chance conversation revealed that a partner organization was concerned about their colleagues in India. That led to a theory: what would happen if the world’s most populous country, which is also a key partner in the technology world, were suddenly hit with the nastiest virus we’ve seen in over a century? So, we ran a search in our PacketWatch systems looking for traffic coming from India. Below is a screenshot that provides a glimpse into our monitoring capability at one listening point:


Screenshot: Activity from India over the last 30 days using PacketWatch


The decrease in activity is truly startling. Let’s take a closer look to see what the exact date and time was that we see the drop in activity.

An enhanced view of that time segment shows traffic took a steep drop around 16:00 on 3/18/2020 UTC, or, around 21:30 India Standard Time Zone. (The entire country of India is on the same time zone, UTC +5:30.)


Then vs. Now

So, what changed? Here’s some analysis of the traffic before and after March 18. Because it’s been about 3 weeks since this drop occurred, we’ll evaluate the previous 3 weeks compared to the 3 weeks since.

Number of sessions for top 5 IP addresses and top 5 destination ports:

Note: port 0 activity indicates probable ping sweeping.

Number of sessions for top 5 IP addresses and top 5 destination ports:




It’s worth pointing out that while overall traffic was down almost 70%, certain ports actually showed an increase in traffic during this time period.



The sessions from the top 5 IP’s dropped by about 84%, and sessions for the top 5 targeted ports dropped by about 70%. Overall, we’ve noticed a total drop in traffic of about 70%.

We also find it interesting that India’s Prime Minister Modi did not declare a lockdown until March 24, almost a week after the drop in activity was detected. However, the top 5 IPs continued to be Amazon AWS from Mumbai.


What does this mean for you?

If India is a key part of your operations, this could be indicative of significant disruption coming in the future, if not here already.

Our incident response experience has also taught us another key lesson that is worth bringing up right now: bad guys love unpatched systems. As India goes into lockdown, we assess with moderate to high confidence that a significant number of information systems may not be receiving critical updates and patches against security vulnerabilities during this time. We expect to see these unpatched systems exploited by attackers in the coming weeks and months as organizations scramble to play catch up with missing updates.

Given the sheer volume of systems that are undoubtedly going to need updating and the disruption this is causing, things will likely be missed, therefore alternative strategies need to be considered.
