# RobinHood Ransomware “CoolMaker” Functions Not So Cool

[sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/](https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/)

Vitali Kremez

RobinHood ransomware is one of the more interesting Golang [ransomware](https://www.sentinelone.com/blog/how-does-ransomware-work/) variants to have appeared on the ransomware landscape recently. The ransomware was previously used in the high-profile infection encrypting computers in the City of Greenville and most recently in the [City of Baltimore](https://baltimore.cbslocal.com/2019/05/07/baltimore-city-government-computer-virus/) ([further coverage](https://statescoop.com/robinhood-ransomware-knocks-out-city-services-in-baltimore/)). It was originally coded in the Go programming language and compiled to a 32-bit executable. In this technical analysis, we will explore the `main_CoolMaker` functions meant to disable the machine and interrupt backup and other vital PC services.

## Overview of RobinHood Ransomware

RobinHood is malware that encrypts the victim’s hard drive with an RSA+AES cryptographic combination and instructs the victim to reach out to the attackers via a Tor Onion website. The RobinHood ransomware drops a victim notification file on the desktop detailing the demands and how to make contact.

Once contact is made, the attackers claim they will make a decryption tool available, thereby allowing the victim to recover their files, in return for payments made in bitcoin.

Currently, it is unclear what the initial infection vector is. There is only one confirmed RobinHood Golang ransomware that we know of so far. It is also notable that the ransomware does not spread within the network; quite the opposite, it drops all Windows shares via `cmd.exe /c net use * /DELETE /Y`. That likely means that the ransomware is pushed to each machine individually after the initial network breach via `psexec` and/or the domain controller.
**_Update (July 26):_** Since this analysis, others have claimed that RobinHood was leveraging [EternalBlue](https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/) as a means to propagate. Those claims are incorrect, and it has now [been confirmed by the City of Baltimore](https://mayor.baltimorecity.gov/city-baltimore-faq) that RobinHood ransomware was not exploiting the #EternalBlue/#BlueKeep vulnerabilities (CVE-2019-0708).

The ransomware expects to read `C:\windows\temp\pub.key`, and if the file is not found, the sample terminates. This suggests a possible antidote: creating and saving a `pub.key` file in `C:\windows\temp` with no read or write privileges, which would cause the ransomware to abort its initial execution in its currently known setup.

The ransomware contains the following debug artifact:

```
C:/Users/valery/go/src/oldboy/main.go
```

It is also notable that the ransomware contains full debugging capabilities to write logs to `C:\windows\temp\rbf.log`; however, the ransomware was compiled with `main_EnableEventLogDATA` disabled, though it could be patched to retrieve and activate this feature.

## RobinHood Ransomware’s CoolMaker Function

RobinHood ransomware’s `main_CoolMaker` function contains a plethora of subfunctions meant to disable and disrupt the victim’s PC backups and services. Some of the most interesting Golang functions are stored here, with names riddled with expletives. These are responsible for actions such as deleting shadow copies via the impolitely named `ShadowFucks` function (`vssadmin.exe delete shadows /all /quiet` and `WMIC shadowcopy delete`), `RecoveryFCK` (`Bcdedit.exe /set {default} recoveryenabled no`, `Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures`), and `ServiceFuck` (cmd.exe /c sc.exe stop
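The recovery-inhibiting commands quoted above (share removal, shadow copy deletion, boot recovery disablement) are exactly what a defender can hunt for in process-creation telemetry. The following is an added example, not code from SentinelOne or from the ransomware: it matches those command lines against constructed Sysmon-style events and flags any host where several distinct patterns fire together, since a single `vssadmin` query is common in legitimate administration.

```python
import re

# Command-line patterns taken from the CoolMaker subfunctions described above.
# Case-insensitive; optional ".exe" so "net use" inside "cmd.exe /c net use" matches.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows":  re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":   re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_recoveryenabled_no": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit_bootstatuspolicy": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "net_use_delete_all":       re.compile(r"net(?:\.exe)?\s+use\s+\*\s+/delete\b", re.I),
}


def classify(cmdline):
    """Return the names of every pattern matched by a single process command line."""
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(cmdline)]


def triage(events, threshold=2):
    """Group hits per host; flag hosts with at least `threshold` distinct patterns.

    Returns {host: sorted list of matched pattern names}. A lone hit is left
    for a lower-severity rule, because admins do run vssadmin/bcdedit by hand.
    """
    hits = {}
    for ev in events:
        for name in classify(ev["cmdline"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}


# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "cmd.exe /c net use * /DELETE /Y"},
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "Bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "ws02", "cmdline": "vssadmin.exe list shadows"},   # benign admin query
    {"host": "ws02", "cmdline": "bcdedit.exe /enum"},           # benign admin query
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(f"{host}: recovery-inhibition sequence -> {', '.join(names)}")
```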