CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption

2019-05-17T17:48:32
ID CARBONBLACK:869106239F975208640D20E08CAD4B55
Type carbonblack
Reporter Ryan Murphy
Modified 2019-05-17T17:48:32

Description

According to source articles, RobbinHood ransomware has been discovered and it will stop 181 Windows services prior to the encryption taking place. It is thought that the ransomware might not be distributed through a typical spam campaign, but instead via other methods such as hacked remote desktop (RDP) services. Following is the ransom note created by the ransomware.

Figure 1: Screenshot of the ransom note

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against RobbinHood ransomware.

Behavioral Summary

Upon execution, it will stop/taskkill various Windows services associated with antivirus, database, and other software that could keep files open and prevent the encryption process. At the same time, it disconnects all network shares from the computer with the command “cmd.exe /c net use * /DELETE /Y”.

In addition, it will attempt to look for a public RSA encryption key from the directory “C:\Windows\Temp\pub.key”. If the public key is not present, it will display the following message and stop the encryption process.

[Figure: message displayed when the public key is not present]

If the public key is present then it will start the encryption routine and append “Encrypted_[randomstring].enc_robbinhood” as the file extension to the encrypted file. During the encryption process, it will create the following log files under the temp folder and they will be deleted after the encryption is done:

  • C:\Windows\Temp\rf_s
  • C:\Windows\Temp\ro_l
  • C:\Windows\Temp\ro_s

It will also create several copies of the same ransom note with the following filenames:

  • _Decrypt_Files.html
  • _Decryption_ReadMe.html
  • _Help_Help_Help.html
  • _Help_Important.html

After the encryption of files is complete, it will delete shadow copies so that the data cannot be restored easily. Following is the screenshot of the created ransom notes and an encrypted file on the infected computer.

[Figure: ransom notes and encrypted file on the infected computer]
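As an added defender-side example (not code from the original post or from Carbon Black), the following Python checks a small set of constructed EDR-style process and file events for the behaviours described above: the `net use * /DELETE /Y` share removal, a burst of service stop/kill commands, shadow copy deletion, and the RobbinHood file artifacts. The separator before `Encrypted_` in the encrypted filename and the detection thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the post): one "proc" or "file" event per record.
SAMPLE_EVENTS = [
    {"type": "proc", "cmdline": "cmd.exe /c net use * /DELETE /Y"},
    {"type": "proc", "cmdline": "cmd.exe /c sc stop MSSQLSERVER"},
    {"type": "proc", "cmdline": "cmd.exe /c sc stop SQLWriter"},
    {"type": "proc", "cmdline": "cmd.exe /c net stop McAfeeFramework /y"},
    {"type": "proc", "cmdline": "cmd.exe /c taskkill /F /IM sqlservr.exe"},
    {"type": "file", "path": r"C:\Windows\Temp\rf_s"},
    {"type": "file", "path": r"C:\Users\alice\Documents\q1.xlsx.Encrypted_a1b2c3.enc_robbinhood"},
    {"type": "file", "path": r"C:\Users\alice\Documents\_Help_Help_Help.html"},
    {"type": "proc", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
]

# Command-line patterns for the behaviours described in the post.
SHARE_REMOVAL = re.compile(r"\bnet\s+use\s+\*\s+/DELETE\s+/Y\b", re.I)
SERVICE_STOP = re.compile(r"\b(?:sc\s+stop|net\s+stop|taskkill)\b", re.I)
SHADOW_DELETE = re.compile(r"\b(?:vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)\b", re.I)
# File artifacts named in the post; the separator before "Encrypted_" is an assumption.
ENC_EXT = re.compile(r"Encrypted_[^\\/]+\.enc_robbinhood$", re.I)
RANSOM_NOTES = {"_Decrypt_Files.html", "_Decryption_ReadMe.html",
                "_Help_Help_Help.html", "_Help_Important.html"}
LOG_FILES = {r"c:\windows\temp\rf_s", r"c:\windows\temp\ro_l", r"c:\windows\temp\ro_s"}

def analyze(events, service_stop_threshold=3):
    c = Counter()
    for ev in events:
        if ev["type"] == "proc":
            cmd = ev["cmdline"]
            c["share_removal"] += bool(SHARE_REMOVAL.search(cmd))
            c["service_stop"] += bool(SERVICE_STOP.search(cmd))
            c["shadow_delete"] += bool(SHADOW_DELETE.search(cmd))
        elif ev["type"] == "file":
            path = ev["path"]
            c["encrypted_file"] += bool(ENC_EXT.search(path))
            c["ransom_note"] += path.rsplit("\\", 1)[-1] in RANSOM_NOTES
            c["temp_log"] += path.lower() in LOG_FILES
    indicators = {
        "network_share_removal": c["share_removal"] > 0,
        "mass_service_stop": c["service_stop"] >= service_stop_threshold,  # threshold is an assumption
        "shadow_copy_deletion": c["shadow_delete"] > 0,
        "robbinhood_artifacts": (c["encrypted_file"] + c["ransom_note"] + c["temp_log"]) > 0,
    }
    # Verdict: file artifacts plus at least two of the three behavioural indicators.
    behaviours = sum(indicators[k] for k in ("network_share_removal", "mass_service_stop", "shadow_copy_deletion"))
    verdict = "likely RobbinHood" if indicators["robbinhood_artifacts"] and behaviours >= 2 else "no match"
    return {"counts": dict(c), "indicators": indicators, "verdict": verdict}
```

In a real deployment the same patterns would be applied to process-creation and file-creation events from the EDR timeline shown in the screenshots below, with the service-stop count evaluated per host over a short window.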

Below are the process chart and events from CB ThreatHunter showing that RobbinHood ransomware created the ransom note and encrypted files, spawned a large number of child processes to stop/kill various Windows services, deleted shadow copies, etc.

[Figure: CB ThreatHunter process chart and events]

In addition, CB Defense will display the malware’s overall triggered TTPs.

[Figure: CB Defense triggered TTPs]


Remediation:

MITRE ATT&CK TIDs

| TID | Tactic | Description |
|---|---|---|
| T1059 | Execution | Command-Line Interface: Cmd used to stop/kill various Windows services |
| T1089 | Defense Evasion | Disabling Security Tools: RobbinHood will stop/kill antivirus services |
| T1126 | Defense Evasion | Network Share Connection Removal: RobbinHood will disconnect all network shares from the computer |
| T1022 | Exfiltration | Data Encrypted: the ransomware encrypts data |
| T1107 | Defense Evasion | Shadow Copy Deletion by WMIC or VSSAdmin |

Indicators of Compromise (IOCs)

