One of the most notorious ransomware gangs from 2019 and 2020 is known as Robbinhood (with 2 B’s). They made a name for themselves by hacking the City of Greenville, NC and the City of Baltimore, MD, causing operational delays and millions of dollars in losses. Since the spring of 2020, there have been almost zero mentions of the group in the cybersecurity community, possibly indicating that the group had gone dark.
PacketWatch recently responded to an incident where the client’s computers were encrypted with what appeared to be Robbinhood ransomware. After our investigation, PacketWatch can say with a high degree of confidence that Robbinhood was the threat actor behind the ransomware attack. The tactics, techniques, and procedures (TTPs) the group used throughout the attack are almost identical to those that were documented in attacks three years ago.
Just like documented infections in 2019 and 2020, Robbinhood drops a group of files that perform various tasks of the attack chain:
Blackhole.exe is the initial dropper file, which copies the rest of the above-mentioned files to the hard drive. Blackhole.exe then executes steel.exe. This file can disable processes such as antivirus or antimalware software. To gain the access necessary to complete this task, it deploys another executable, robnr.exe, which in turn drops gdrv.sys, a legitimate and digitally signed kernel driver from Gigabyte. This specific kernel driver is vulnerable to CVE-2018-19320, which allows the attacker to take complete control of the system.
Figure 1: Malicious executables in Windows directory
Figure 2: Vulnerable Gigabyte driver installed as a service
With this level of control over the system, a second, malicious kernel-space driver rbnl.sys is run that can delete locked files and can kill processes.
Figure 3: Malicious kernel driver installed as a service
Like many other threat actors today, Robbinhood abuses AnyDesk (a legitimate IT tool for remote access) to move laterally between systems.
Figure 6: Ransomware executable installed as a service
The ransom note has not deviated much from its original form. It continues to use poor English and includes taunts to the victim, such as “Just pay the ransomware and end the suffering then get better cybersecurity.” It also references previous known attacks from the group (Baltimore and Greenville cities).
Figure 7: Ransom note
Robbinhood does a thorough job of clearing its tracks and removing event logs. To do this, it leverages blackholecleaner.exe.
Figure 8: BlackHoleCleaner executable process
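A defender-side hunt for the chain described above (the gdrv.sys and rbnl.sys driver services, service installs pointing at those drivers or at AnyDesk, and the event-log clearing), written as an added PowerShell example that is not PacketWatch's code. It assumes an elevated prompt, that the driver file names match those in this write-up, and that an AnyDesk service image path contains the string "AnyDesk".

```powershell
# Added example, not PacketWatch's tooling: hunt for the Robbinhood driver/service chain
# and for event-log clearing on a Windows host. Run from an elevated prompt.
# File names come from the write-up; 7045/1102/104 are standard Windows event IDs.
$driverNames = @('gdrv.sys', 'rbnl.sys')   # signed-but-vulnerable Gigabyte driver, malicious driver
$lookback    = (Get-Date).AddDays(-30)

# 1. Kernel driver services currently registered whose image matches one of the names above.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $p = $_.PathName; $driverNames | Where-Object { $p -like "*$_" } } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''          # strip the \??\ NT path prefix
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Finding   = 'Suspicious kernel driver service'
            Service   = $_.Name
            State     = $_.State
            Image     = $path
            Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { 'n/a' }
            SigStatus = if ($sig) { $sig.Status } else { 'n/a' }   # gdrv.sys is expected to be Valid: signed but vulnerable
        }
    }

# 2. Service installs (System log, Event ID 7045) for those drivers or for AnyDesk.
#    Properties[0] is the service name, Properties[1] the image path. 'anydesk' match is an assumption.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Where-Object {
        $img = [string]$_.Properties[1].Value
        ($driverNames | Where-Object { $img -like "*$_" }) -or ($img -match 'anydesk')
    } |
    Select-Object TimeCreated,
        @{ n = 'Service'; e = { $_.Properties[0].Value } },
        @{ n = 'Image';   e = { $_.Properties[1].Value } }

# 3. Evidence of log clearing: Security 1102 (audit log cleared) and System 104 (event log cleared).
#    An attacker who wipes logs leaves these entries behind in the freshly cleared log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Finding'; e = { 'Security log cleared' } }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Finding'; e = { 'System log cleared' } }
```

Any hit in section 1 or 2 warrants isolating the host and pulling the driver image for analysis; hits in section 3 with no matching change ticket are themselves an indicator even when the driver services have already been removed.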
There are several steps organizations can take to help protect against Robbinhood and other forms of ransomware:
Contact Us for more information on how to protect your organization from ransomware threats like Robbinhood.