Robbinhood Ransomware Gang Still Operational
Robbinhood History
One of the most notorious ransomware gangs of 2019 and 2020 is known as Robbinhood (with two B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost no mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.
Expected Threat Actor
PacketWatch recently responded to an incident in which the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those documented in attacks three years ago.
Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:
- Blackhole.exe
- steel.exe
- Runtime_Service.exe
- robnr.exe
- BlackholeCleaner.exe
- NewBoss4.exe
- Winlogon.exe
Initial Infection & Privilege Escalation
Second Malicious Kernel-space Driver
With this level of control over the system, a second malicious kernel-space driver, rbnl.sys, is loaded; it can delete locked files and kill processes.
Lateral Movement
Ransomware Execution
Ransomware Note
Figure 7: Ransom note
Cleanup
Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages BlackholeCleaner.exe.
Figure 8: BlackHoleCleaner executable process
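A defender-side triage of the behaviours described in the driver and cleanup sections above (the rbnl.sys driver load, execution of the dropped tools, and event-log clearing), as an added example that is not part of the original post or of PacketWatch's tooling. The JSON-lines event format, its field names (channel, event_id, host, image, user) and the sample records are constructed assumptions; the event IDs are standard Windows and Sysmon values.

```python
import json
from pathlib import PureWindowsPath

# Indicators named in the write-up: the dropped file names and the second kernel driver.
ROBBINHOOD_FILES = {
    "blackhole.exe", "steel.exe", "runtime_service.exe", "robnr.exe",
    "blackholecleaner.exe", "newboss4.exe", "winlogon.exe",
}
ROBBINHOOD_DRIVER = "rbnl.sys"
# winlogon.exe is also a legitimate Windows binary; only this directory is normal for it.
LEGIT_WINLOGON_DIR = "c:\\windows\\system32"

# Event IDs: Security 1102 = audit log cleared, Eventlog 104 = System/Application log cleared,
# Security 4688 = process creation, Sysmon 1 = process creation, Sysmon 6 = driver loaded.
LOG_CLEARED = {("security", 1102), ("system", 104)}
PROCESS_CREATE = {("security", 4688), ("sysmon", 1)}
DRIVER_LOAD = {("sysmon", 6)}


def triage(event_lines):
    """Return (host, reason, detail) findings for JSON-lines events (field names assumed)."""
    findings = []
    for line in event_lines:
        ev = json.loads(line)
        key = (ev["channel"].lower(), ev["event_id"])
        host = ev.get("host", "?")
        if key in LOG_CLEARED:
            findings.append((host, "event log cleared", ev.get("user", "?")))
            continue
        image = ev.get("image", "")
        path = PureWindowsPath(image)
        name = path.name.lower()
        if key in DRIVER_LOAD and name == ROBBINHOOD_DRIVER:
            findings.append((host, "robbinhood driver loaded", image))
        elif key in PROCESS_CREATE and name in ROBBINHOOD_FILES:
            if name == "winlogon.exe" and str(path.parent).lower() == LEGIT_WINLOGON_DIR:
                continue  # the real winlogon.exe, not an indicator
            findings.append((host, "robbinhood tool executed", image))
    return findings


# Constructed sample events (not from the incident) to exercise the logic.
SAMPLE_EVENTS = [
    '{"host":"srv01","channel":"Security","event_id":4688,"image":"C:\\\\Windows\\\\System32\\\\winlogon.exe"}',
    '{"host":"srv01","channel":"Sysmon","event_id":6,"image":"C:\\\\Windows\\\\Temp\\\\rbnl.sys"}',
    '{"host":"srv01","channel":"Sysmon","event_id":1,"image":"C:\\\\Users\\\\Public\\\\winlogon.exe"}',
    '{"host":"srv01","channel":"Security","event_id":4688,"image":"C:\\\\Users\\\\Public\\\\BlackholeCleaner.exe"}',
    '{"host":"srv01","channel":"Security","event_id":1102,"user":"CORP\\\\svc-backup"}',
    '{"host":"srv01","channel":"System","event_id":104,"user":"CORP\\\\svc-backup"}',
]

if __name__ == "__main__":
    for host, reason, detail in triage(SAMPLE_EVENTS):
        print(f"{host}: {reason} ({detail})")
```

Event-log clearing right after an unsigned driver load and the named tools appearing outside their usual paths is the sequence to alert on; the legitimate System32 winlogon.exe is deliberately ignored so the rule does not fire on every logon.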
How to protect your organization
- Deploy Endpoint Detection and Response (EDR) across endpoints and servers
  - Many solutions have detection and prevention capabilities that will stop ransomware in its tracks
- Monitor network traffic for suspicious activity
  - Solutions such as PacketWatch provide full visibility into network traffic, allowing for the detection of anomalous and malicious traffic
- Implement and maintain data backups
  - Back up data regularly to offline/off-site storage
  - Test these backups regularly
- Implement multi-factor authentication (MFA) across the environment
- Regularly patch software and operating systems to the latest available versions
- Limit port and service exposure to the internet to reduce the attack surface
Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.