Robbinhood Ransomware Gang Still Operational

Robbinhood Ransomware Gang Still Operational


Robbinhood Ransomware Gang Still Operational

Robbinhood Ransomware Gang

Robbinhood History

One of the most notorious ransomware gangs from 2019 and 2020 is known as Robbinhood (with 2 B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost zero mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.

Expected Threat Actor

PacketWatch recently responded to an incident where the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the ransomware attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those that were documented in attacks three years ago.

Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:

  • Blackhole.exe
  • steel.exe
  • Runtime_Service.exe
  • robnr.exe
  • BlackholeCleaner.exe
  • NewBoss4.exe
  • Winlogon.exe

Initial Infection & Privilege Escalation

Blackhole.exe is the initial dropper file, which copies the rest of the above-mentioned files to the hard drive1. Blackhole.exe then executes steel.exe. This file can disable processes such as antivirus or antimalware2. To gain access necessary to complete this task, it deploys another executable robnr.exe, which in turn drops gdrv.sys, a legitimate and digitally signed kernel driver from Gigabyte. This specific kernel driver is vulnerable to CVE-2018-19320, which allows the attacker to take complete control of the system.
Windows Temp
Figure 1: Malicious executables in Windows directory
Gigabyte Driver
Figure 2: Vulnerable Gigabyte driver installed as a service

Second Malicious Kernel-space Driver

With this level of control over the system, a second, malicious kernel-space driver rbnl.sys is run that can delete locked files and can kill processes.

Kernel Driver
Figure 3: Malicious kernel driver installed as a service

Lateral Movement

Like many other threat actors today, Robbinhood abuses AnyDesk (a legitimate IT tool for remote access) to move laterally between systems.
Program Data
Figure 4: Evidence of AnyDesk used for lateral movement

Ransomware Execution

The ransomware executable is also dropped in C:\Windows\Temp by newboss4.exe and is named winlogon.exe3. The threat actor added this to a service titled WinNTRPC64.
New Boss
Figure 5: NewBoss4 executable in Windows update directory
Figure 6: Ransomware executable installed as a service

Ransomware Note

The ransom note has not deviated much from its original form. It continues to use poor English and includes taunts to the victim, such as “Just pay the ransomware and end the suffering then get better cybersecurity.” It also references previous known attacks from the group (Baltimore and Greenville cities).
Ransom Note

Figure 7: Ransom note


Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages blackholecleaner.exe.

Black Hole Cleaner

Figure 8: BlackHoleCleaner executable process

How to protect your organization

There are several steps organizations can take to help protect against Robbinhood and other forms of ransomware:

  1. Deploy Endpoint Detection and Response (EDR) across endpoints and servers
    • Many solutions have detection and prevention capabilities that will stop ransomware in its tracks
  2. Monitor network traffic for suspicious activity
    • Solutions such as PacketWatch provide full visibility into network traffic, allowing for the detection of anomalous and malicious traffic
  3. Implement and maintain data backups
    • Back up data regularly to offline/off-site storage
    • Test these backups regularly
  4. Implement multi-factor authentication (MFA) across the environment
  5. Regularly patch software and operating systems to the latest available versions
  6. Limit port and service exposure to the internet to reduce the attack surface

Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.

Surge in Bitcoin Mining Attacks Expected

Surge in Bitcoin Mining Attacks Expected


Surge in Bitcoin Mining Attacks Expected

Surge in Bitcoin Mining Attacks Expected

History Repeats Itself

During the surge of Bitcoin prices in 2017, nefarious actors hacked everything from web servers to browsers in an attempt to mine cryptocurrency. We even saw one of our client’s network routers be co-opted as coin-miners!

We anticipate a similar surge of mining attacks in the coming weeks and months as cryptocurrency values soar once again and new varieties flood the market. For example, Bitcoin’s value has skyrocketed to almost $40,000 in recent weeks, which will undoubtedly result in an increase in coin-mining hacking attempts.

Expected Targets

Ideal targets are unpatched software systems and IoT devices.  It’s not always possible to patch older software systems and let’s face it, most organizations don’t know everything on their network. That’s where a combination of defenses can help.

Endpoint Protection

Advanced endpoint protection such as CrowdStrike Falcon is something that we use and strongly recommend. Having such Endpoint Detection & Response (EDR) capabilities on your hosts is becoming an absolute “must” in this day and age of memory-resident file-less and polymorphic malware. Unlike traditional anti-virus that relies on matching signatures of known malware, EDR monitors file activity, processes, and communications on a host to detect known and unknown threats and will automatically block suspicious activity in real-time.

Network Protection

Unfortunately, not every endpoint can have EDR installed, such as printers, IoT, and other network-connected devices, and that’s where network monitoring becomes a key companion capability. PacketWatch monitors and records all network traffic and can spot the telltale signs of coin-mining activity, even on those devices that cannot be protected by EDR.

Recent Incident Involving a Coin Miner

In December 2020, an enterprise-sized organization hired PacketWatch to help battle an incident that involved such a compromise. In this example, a PHP exploit was used to compromise a server and install a Bitcoin miner.

Using PacketWatch’s full packet capture to replay the coin-miner traffic, analysts were able to reverse engineer the scripts executed. As soon as the attackers compromised the Server, they also began running scripts to remove other competing coin miners that might be present in the environment, after which the script would harden the asset to prevent further intrusions. This level of visibility gave investigators a complete picture of the incident and left no questions about what had occurred and what the attackers were after. The client was able to clean the identified server and return to normal operation quickly.