{
	"id": "07106943-705f-4c82-ac4b-24780ddcc234",
	"created_at": "2026-04-06T00:15:24.119819Z",
	"updated_at": "2026-04-10T03:21:25.562719Z",
	"deleted_at": null,
	"sha1_hash": "4525be8d006b7c430695918563a23cffd2eb27e6",
	"title": "RobinHood Ransomware “CoolMaker” Functions Not So Cool - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2508640,
	"plain_text": "RobinHood Ransomware “CoolMaker” Functions Not So Cool -\r\nSentinelLabs\r\nBy Vitali Kremez\r\nPublished: 2019-05-09 · Archived: 2026-04-05 23:40:26 UTC\r\nRobinHood ransomware is one of the more interesting Golang ransomware variants to have appeared on the ransomware landscape recently. It was previously used in the high-profile infection that encrypted computers in the City of Greenville and, most recently, in the City of Baltimore. It is written in the Go programming language and compiled to a 32-bit executable. In this technical analysis, we explore the main_CoolMaker functions, which are meant to cripple the machine’s recovery options and interrupt backup and other vital PC services before encryption begins.\r\nOverview of RobinHood Ransomware\r\nRobinHood is malware that encrypts the files on the victim’s hard drive with a combination of RSA and AES and instructs the victim to contact the attackers via a Tor onion site. The ransomware drops a victim notification file on the desktop detailing the demands and how to make contact.\r\nhttps://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/\r\nPage 1 of 4\n\nOnce contact is made, the attackers claim they will make a decryption tool available, allowing the victim to recover their files in return for payment in bitcoin.\r\nCurrently, it is unclear what the initial infection vector is. There is only one confirmed RobinHood Golang ransomware sample that we know of so far. It is also notable that the ransomware does not spread within the network; quite the opposite, it disconnects all mapped network shares via “cmd.exe /c net use * /DELETE /Y”. That likely means the ransomware is pushed to each machine individually after the initial network breach, for example via PsExec and/or from the domain controller.\r\nUpdate (July 26): Since this analysis, others have claimed that RobinHood was leveraging EternalBlue as a means to propagate. 
Those claims are incorrect, and it has now been confirmed by the City of Baltimore that RobinHood ransomware was not exploiting the #EternalBlue (CVE-2017-0144) or #BlueKeep (CVE-2019-0708) vulnerabilities.\r\nThe ransomware expects to read “C:\\windows\\temp\\pub.key”, and if the file cannot be read, the sample terminates. This suggests a possible antidote: create a “pub.key” file in “C:\\windows\\temp” and strip all read and write permissions from it, so that the ransomware cannot read its key file and aborts its initial execution. This only holds for the currently known setup; a rebuilt sample could simply look for the key elsewhere.\r\nThe ransomware contains the following debug artifacts:\r\nC:/Users/valery/go/src/oldboy/config.go\r\nC:/Users/valery/go/src/oldboy/functions.go\r\nC:/Users/valery/go/src/oldboy/main.go\r\nIt is also notable that the ransomware contains full debugging capabilities to write logs to “C:\\windows\\temp\\rbf.log”; however, the sample was compiled with main_EnableEventLogDATA disabled. The binary could be patched to re-enable this feature.\r\nRobinHood Ransomware’s CoolMaker Function\r\nRobinHood ransomware’s main_CoolMaker function contains a plethora of subfunctions meant to disable and disrupt the victim’s PC backups and services. Some of the most interesting Golang functions are stored here, with names riddled with expletives. 
These are responsible for actions such as deleting shadow copies via the impolitely named ShadowFucks function (vssadmin.exe delete shadows /all /quiet and WMIC shadowcopy delete), disabling Windows recovery via RecoveryFCK (Bcdedit.exe /set {default} recoveryenabled no and Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures), and stopping services via ServiceFuck (cmd.exe /c sc.exe stop \u003clist of services\u003e).\r\nAside from these, the somewhat more temperately named wevtutil function (wevtutil.exe cl Application, wevtutil.exe cl Security and wevtutil.exe cl System) is also found here; it clears the Application, Security and System event logs, destroying evidence that responders would otherwise rely on.\r\nClosing Thoughts\r\nWhile the RobinHood ransomware does not appear to be sophisticated, it does include higher-level Go code, and its related network intrusions are more interesting because they targeted large government entities such as the City of Greenville and the City of Baltimore, a tactic reminiscent of previous SamSam ransomware attacks, which demanded high payouts with individual ransoms set per machine.\r\nThe group behind this ransomware and its attacks may prove to be more interesting than the ransomware itself, given the apparently well-planned and orchestrated network intrusions prior to the deployment of their new Go ransomware. It is reasonable to assume that we can expect to see more attacks from this threat actor on public institutions that fail to implement a ransomware-resistant security solution.\r\n
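The CoolMaker command lines described in this analysis (vssadmin, wmic, bcdedit, sc, wevtutil and net use) map onto a handful of ATT&CK techniques and are launched back to back on each host shortly before encryption, which makes them a good detection opportunity. The following is an added example, not code from the SentinelLabs article or from the ransomware: a Python detector that normalises process-creation command lines, matches them against rules named after the article’s functions, and alerts on a host only when several distinct techniques appear. The Sysmon-style events, hostnames, timestamps and the service names VSS and wuauserv are constructed for the example; the article itself only says the ransomware stops a list of services.

```python
# Added example (not code from the SentinelLabs article or from the ransomware):
# flag the RobinHood main_CoolMaker command lines in process-creation telemetry and
# correlate them per host. Events, hostnames, timestamps and service names are constructed.
from collections import defaultdict

# (label after the article's function names, ATT&CK technique, tokens that must appear
#  in this order in the normalised command line)
RULES = [
    ('ShadowFucks: vssadmin delete shadows', 'T1490', ['vssadmin', 'delete', 'shadows']),
    ('ShadowFucks: wmic shadowcopy delete', 'T1490', ['wmic', 'shadowcopy', 'delete']),
    ('RecoveryFCK: bcdedit recoveryenabled no', 'T1490',
     ['bcdedit', '/set', 'recoveryenabled', 'no']),
    ('RecoveryFCK: bcdedit bootstatuspolicy ignoreallfailures', 'T1490',
     ['bcdedit', '/set', 'bootstatuspolicy', 'ignoreallfailures']),
    ('ServiceFuck: sc stop', 'T1489', ['sc', 'stop']),
    ('wevtutil clear log', 'T1070.001', ['wevtutil', 'cl']),
    ('net use * /DELETE', 'T1070.005', ['net', 'use', '*', '/delete']),
]

# Constructed Sysmon Event ID 1 style records (not real telemetry); paths use forward slashes.
SAMPLE_EVENTS = [
    {'host': 'WS01', 'time': '2019-05-07T02:10:01Z', 'cmdline': 'cmd.exe /c net use * /DELETE /Y'},
    {'host': 'WS01', 'time': '2019-05-07T02:10:02Z',
     'cmdline': 'C:/Windows/System32/vssadmin.exe delete shadows /all /quiet'},
    {'host': 'WS01', 'time': '2019-05-07T02:10:02Z', 'cmdline': 'WMIC shadowcopy delete'},
    {'host': 'WS01', 'time': '2019-05-07T02:10:03Z', 'cmdline': 'Bcdedit.exe /set {default} recoveryenabled no'},
    {'host': 'WS01', 'time': '2019-05-07T02:10:03Z',
     'cmdline': 'Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'},
    {'host': 'WS01', 'time': '2019-05-07T02:10:04Z', 'cmdline': 'cmd.exe /c sc.exe stop VSS'},
    {'host': 'WS01', 'time': '2019-05-07T02:10:05Z', 'cmdline': 'wevtutil.exe cl Security'},
    # Ordinary administration on another host: one lone service stop plus read-only queries.
    {'host': 'WS02', 'time': '2019-05-07T09:30:00Z', 'cmdline': 'cmd.exe /c sc.exe stop wuauserv'},
    {'host': 'WS02', 'time': '2019-05-07T09:31:00Z', 'cmdline': 'vssadmin.exe list shadows'},
    {'host': 'WS02', 'time': '2019-05-07T09:32:00Z', 'cmdline': 'wevtutil.exe qe Security /c:5'},
]


def normalize(cmdline):
    '''Lower-case and split the command line; reduce any *.exe token to its bare name.'''
    tokens = []
    for tok in cmdline.lower().split():
        if tok.endswith('.exe'):
            # chr(92) is a backslash: accept both path separators, then drop the directory
            tok = tok.replace(chr(92), '/').rsplit('/', 1)[-1][:-4]
        tokens.append(tok)
    return tokens


def contains_in_order(tokens, needles):
    '''True if every needle occurs in tokens, in the given order (gaps allowed).'''
    pos = 0
    for needle in needles:
        try:
            pos = tokens.index(needle, pos) + 1
        except ValueError:
            return False
    return True


def detect(events):
    '''Return one hit per (event, rule) pair whose tokens match.'''
    hits = []
    for ev in events:
        tokens = normalize(ev['cmdline'])
        for label, technique, needles in RULES:
            if contains_in_order(tokens, needles):
                hits.append({'host': ev['host'], 'time': ev['time'], 'rule': label,
                             'technique': technique, 'cmdline': ev['cmdline']})
    return hits


def correlate(hits, min_techniques=3):
    '''Per host, alert when the hits span at least min_techniques distinct techniques.'''
    per_host = defaultdict(set)
    for h in hits:
        per_host[h['host']].add(h['technique'])
    return {host: {'techniques': sorted(techs), 'alert': len(techs) >= min_techniques}
            for host, techs in per_host.items()}


def main():
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h['host'], h['time'], h['technique'], h['rule'])
    for host, summary in correlate(hits).items():
        print(host, 'ALERT' if summary['alert'] else 'no alert', summary['techniques'])


if __name__ == '__main__':
    main()
```

Matching on ordered tokens rather than the raw string keeps the rules robust to path prefixes, case and extra switches, while the per-host threshold is what separates the ransomware’s burst (four techniques on WS01) from a lone administrative sc stop (one technique on WS02). In production the correlation should additionally be bounded by a short time window, and the alert should be treated as a pre-encryption indicator, since these commands run immediately before files are encrypted.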
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/"
	],
	"report_names": [
		"robinhood-ransomware-coolmaker-function-not-cool"
	],
	"threat_actors": [],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4525be8d006b7c430695918563a23cffd2eb27e6.pdf",
		"text": "https://archive.orkl.eu/4525be8d006b7c430695918563a23cffd2eb27e6.txt",
		"img": "https://archive.orkl.eu/4525be8d006b7c430695918563a23cffd2eb27e6.jpg"
	}
}