{
	"id": "e1eff225-f17c-497a-9a63-434f078e47f1",
	"created_at": "2026-04-06T00:12:57.304527Z",
	"updated_at": "2026-04-10T03:20:16.744542Z",
	"deleted_at": null,
	"sha1_hash": "00773dcee086a1066f7b739bc59f5ee479e863b3",
	"title": "A Closer Look at the RobbinHood Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1580505,
	"plain_text": "A Closer Look at the RobbinHood Ransomware\r\nBy Lawrence Abrams\r\nPublished: 2019-04-26 · Archived: 2026-04-05 14:54:28 UTC\r\nThe RobbinHood Ransomware is the latest player in the ransomware scene that is targeting companies and the computers on\r\ntheir network. This ransomware is not being distributed through spam but rather through other methods, which could include\r\nhacked remote desktop services or other Trojans that provide access to the attackers.\r\nSince it first came out, samples of the RobbinHood ransomware have not been easy to come by. Yesterday, though,\r\nMalwareHunterTeam was able to find a sample so that it could be reverse engineered and tested to learn more about it.\r\nTaking a look at RobbinHood\r\nAs we previously stated, it has not been confirmed how the ransomware gains access to a network and the computers on it.\r\nhttps://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/\r\nPage 1 of 8\r\nSecurity researcher Vitali Kremez, who reverse engineered the sample, told BleepingComputer that on\r\nexecution, RobbinHood disconnects all network shares from the computer using the following command:\r\ncmd.exe /c net use * /DELETE /Y\r\nThis means that each computer is targeted individually and that other computers are not encrypted via connected shares.\r\nKremez told us that this could indicate that the payload is being pushed to each individual machine via a domain controller\r\nor through a framework like Empire PowerShell and PSExec.\r\n\"One of the most notable ones is \"cmd.exe /c net use * /DELETE /Y\" since the malware does not encrypt or crawl any\r\nshares and actually disconnects from network, which indicates each variant is likely pushed into each machine via the\r\ndomain controller or some other automated means (maybe via 
psexec)\"\r\nBefore continuing, the ransomware will now attempt to read a public RSA encryption key from C:\\Windows\\Temp\\pub.key.\r\nIf this key is not present, it will display the following message and the ransomware will exit.\r\nCan't find pub.key error\r\nIf a key is present, it will continue preparing the victim's computer for encryption. To test the ransomware,\r\nBleepingComputer generated a test public key and saved it to C:\\Windows\\Temp.\r\nNext, it will stop 181 Windows services associated with antivirus, database, mail server, and other software that could keep\r\nfiles open and prevent their encryption. It does this by issuing the \"sc.exe stop\" command as shown below.\r\ncmd.exe /c sc.exe stop AVP /y\r\nA full list of services stopped by RobbinHood is found at the end of the article.\r\nDuring this preparation stage, RobbinHood will also clear Shadow Volume Copies, clear event logs, and disable the\r\nWindows automatic repair by executing the following commands:\r\nvssadmin.exe delete shadows /all /quiet\r\nWMIC shadowcopy delete\r\nwevtutil.exe cl Application\r\nwevtutil.exe cl Security\r\nwevtutil.exe cl System\r\nBcdedit.exe /set {default} recoveryenabled no\r\nBcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nNow that the computer is prepped, it begins to encrypt the victim's targeted files.\r\nKremez told BleepingComputer that when encrypting files an AES key is created for each file. The ransomware will then\r\nencrypt the AES key and the original filename with the public RSA encryption key and append it to the encrypted file. 
\r\nEach encrypted file will then be renamed using the format Encrypted_[randomstring].enc_robbinhood as shown below.\r\nEncrypted RobbinHood Files\r\nWhen encrypting files, RobbinHood will skip any files found in or under the following directories:\r\nProgramData\r\nWindows\r\nbootmgr\r\nBoot\r\n$WINDOWS.~BT\r\nWindows.old\r\nTemp\r\ntmp\r\nProgram Files\r\nProgram Files (x86)\r\nAppData\r\n$Recycle.bin\r\nSystem Volume Information\r\nWhile running, RobbinHood has the ability to send debug output to the console. This feature is currently disabled in\r\ndistributed versions of the ransomware and does not have a runtime value to enable it.\r\nThe ransomware will, though, create numerous log files under the C:\\Windows\\Temp folder. These files are called rf_s, ro_l,\r\nand ro_s.\r\nLog Files\r\nIt is not currently known what each log file is for other than the rf_s file, which is used to log the creation of ransom notes in\r\neach folder.\r\nExample logfile for RobbinHood ransom note creation\r\nAfter encryption has been completed, these log files will be deleted. Below is an example of some of the debug messages\r\nthat would be displayed during this cleanup stage if console output was enabled.\r\nCleaning up Logs\r\nFurthermore, if console output is enabled in the ransomware, when done encrypting a computer it will display a final\r\nmessage stating \"Enjoy buddy :)))\" as shown below. 
\r\nFinal message when RobbinHood is done encrypting\r\nWhile encrypting the computer it will also create four different ransom notes named _Decrypt_Files.html,\r\n_Decryption_ReadMe.html, _Help_Help_Help.html, and _Help_Important.html.\r\nThese ransom notes contain information as to what has happened to the victim's files and a bitcoin address that they can use\r\nto make a ransom payment. The ransom payments are currently set at 3 bitcoins per affected system or 13 bitcoins for the\r\nentire network.\r\nRobbinHood Ransom Note\r\nUnfortunately, at this time no weakness has been found in the ransomware and there is no way to decrypt files for free.\r\nProtecting yourself from the RobbinHood Ransomware\r\nAs ransomware is only damaging if you have no way of recovering your data, the most important thing is to always have a\r\nreliable backup of your files. These backups should be stored offline and not made accessible to ransomware, which has\r\nbeen known to target backups in the past.\r\nWhile this ransomware is not being spread via spam, it is possible that it is being installed by Trojans that are. Therefore, it\r\nis important that all users be trained on how to properly identify malicious spam and to not open any attachments without\r\nfirst confirming who sent them and why.\r\nFinally, it is also important to make sure that your network does not make Remote Desktop Services publicly accessible via the\r\nInternet. 
Instead, you should put it behind a firewall and make it only accessible through a VPN.\r\nUpdate 4/27/19: Added further info about debug logs\r\nIOCs:\r\nHashes:\r\n3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b\r\nAssociated File Names:\r\n_Decrypt_Files.html\r\n_Decryption_ReadMe.html\r\n_Help_Help_Help.html\r\n_Help_Important.html\r\nC:\\Windows\\Temp\\pub.key\r\nC:\\Windows\\Temp\\rf_s\r\nC:\\Windows\\Temp\\ro_l\r\nC:\\Windows\\Temp\\ro_s\r\nList of Stopped Services:\r\nAVP, MMS, ARSM, SNAC, ekrn, KAVFS, RESvc, SamSs, W3Svc, WRSVC, bedbg, masvc, SDRSVC, TmCCSF, mfemms, mfevtp, sacsvr, DCAg\r\nRansom Note Text:\r\nWhat happened to your files?\r\nAll your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\nRSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm\r\n1 - We encrypted your files with our \"Public key\"\r\n2 - You can decrypt, the encrypted files with specific \"Private key\" and your private key is in our hands ( It's not possi\r\nIs it possible to get back your data?\r\nYes, We have a decrypter with all your private keys. 
We have two options to get all your data back.\r\nFollow the instructions to get all your data back:\r\nOPTION 1\r\nStep 1 : You must send us 3 Bitcoin(s) for each affected system\r\nStep 2 : Inform us in panel with hostname(s) of the system you want, wait for confirmation and get your decrypter\r\nOPTION 2\r\nStep 1 : You must send us 13 Bitcoin(s) for all affected system\r\nStep 2 : Inform us in panel, wait for confirmation and get all your decrypters\r\nOur Bitcoin address is: xxx\r\nBE CAREFUL, THE COST OF YOUR PAYMENT INCREASES $10,000 EACH DAY AFTER THE FOURTH DAY\r\nAccess to the panel ( Contact us )\r\nThe panel address: http://xbt4titax4pzza6w.onion/xx/\r\nAlternative addresses\r\nhttps://xbt4titax4pzza6w.onion.pet/xx/\r\nhttps://xbt4titax4pzza6w.onion.to/xx/\r\nAccess to the panel using Tor Browser\r\nIf non of our links are accessible you can try tor browser to get in touch with us:\r\nStep 1: Download Tor Browser from here: https://www.torproject.org/download/download.html.en\r\nStep 2: Run Tor Browser and wait to connect\r\nStep 3: Visit our website at: panel address\r\nIf you're having a problem with using Tor Browser, Ask Google: how to use tor browser\r\nWants to make sure we have your decrypter?\r\nTo make sure we have your decrypter you can upload at most 3 files (maximum size allowance is 10 MB in total) and get your\r\nWhere to buy Bitcoin?\r\nThe easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online\r\nInteresting Strings:\r\nC:/Users/valery/go/src/oldboy/config.go\r\nC:/Users/valery/go/src/oldboy/functions.go\r\nC:/Users/valery/go/src/oldboy/main.go\r\nSource: https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/"
	],
	"report_names": [
		"a-closer-look-at-the-robbinhood-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434377,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00773dcee086a1066f7b739bc59f5ee479e863b3.pdf",
		"text": "https://archive.orkl.eu/00773dcee086a1066f7b739bc59f5ee479e863b3.txt",
		"img": "https://archive.orkl.eu/00773dcee086a1066f7b739bc59f5ee479e863b3.jpg"
	}
}