Blog

Robbinhood Ransomware Gang Still Operational

June 14, 2022Threat Intelligence Brief

Robbinhood Ransomware Gang

Robbinhood History

One of the most notorious ransomware gangs from 2019 and 2020 is known as Robbinhood (with 2 B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost zero mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.

Expected Threat Actor

PacketWatch recently responded to an incident where the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the ransomware attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those that were documented in attacks three years ago.

Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:

  • Blackhole.exe
  • steel.exe
  • Runtime_Service.exe
  • robnr.exe
  • BlackholeCleaner.exe
  • NewBoss4.exe
  • Winlogon.exe

Initial Infection & Privilege Escalation

Blackhole.exe is the initial dropper file, which copies the rest of the above-mentioned files to the hard drive1. Blackhole.exe then executes steel.exe. This file can disable processes such as antivirus or antimalware2. To gain access necessary to complete this task, it deploys another executable robnr.exe, which in turn drops gdrv.sys, a legitimate and digitally signed kernel driver from Gigabyte. This specific kernel driver is vulnerable to CVE-2018-19320, which allows the attacker to take complete control of the system.
Windows Temp
Figure 1: Malicious executables in Windows directory
Gigabyte Driver
Figure 2: Vulnerable Gigabyte driver installed as a service

Second Malicious Kernel-space Driver

With this level of control over the system, a second, malicious kernel-space driver rbnl.sys is run that can delete locked files and can kill processes.

Kernel Driver
Figure 3: Malicious kernel driver installed as a service

Lateral Movement

Like many other threat actors today, Robbinhood abuses AnyDesk (a legitimate IT tool for remote access) to move laterally between systems.
Program Data
Figure 4: Evidence of AnyDesk used for lateral movement

Ransomware Execution

The ransomware executable is also dropped in C:\Windows\Temp by newboss4.exe and is named winlogon.exe3. The threat actor added this to a service titled WinNTRPC64.
New Boss
Figure 5: NewBoss4 executable in Windows update directory
Ransomware
Figure 6: Ransomware executable installed as a service

Ransomware Note

The ransom note has not deviated much from its original form. It continues to use poor English and includes taunts to the victim, such as “Just pay the ransomware and end the suffering then get better cybersecurity.” It also references previous known attacks from the group (Baltimore and Greenville cities).
Ransom Note

Figure 7: Ransom note

Cleanup

Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages blackholecleaner.exe.

Black Hole Cleaner

Figure 8: BlackHoleCleaner executable process

How to protect your organization

There are several steps organizations can take to help protect against Robbinhood and other forms of ransomware:

  1. Deploy Endpoint Detection and Response (EDR) across endpoints and servers
    • Many solutions have detection and prevention capabilities that will stop ransomware in its tracks
  2. Monitor network traffic for suspicious activity
    • Solutions such as PacketWatch provide full visibility into network traffic, allowing for the detection of anomalous and malicious traffic
  3. Implement and maintain data backups
    • Back up data regularly to offline/off-site storage
    • Test these backups regularly
  4. Implement multi-factor authentication (MFA) across the environment
  5. Regularly patch software and operating systems to the latest available versions
  6. Limit port and service exposure to the internet to reduce the attack surface

Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.