Robinhood Ransomware

Original Issue Date:- May 24, 2019
Virus Type:- Ransomware
Severity:- Medium

It has been reported that variants of a ransomware named as “RobinHood” are spreading. The propagation mechanism used by the malware is unknown but it has been found that the malware does not spread within the network. However, some reports states that the robbinhood ransomware spreads as a result of targeted attacks which includes hacked remote desktop services or use of EternalBlue exploits providing access to attackers. The malware is capable of performing the following functions:

  • Encrypts the victim’s machine using combination of AES+RSA cryptographic algorithms.
  • Attackers use Onion Tor websites for receiving payments against the decryption key to remain untraceable.
  • Like other ransomwares, it encrypts and rename the encrypted files as Encrypted_[random string].enc_robinhood. It is shown below:


  • Post encryption, ransomware drops 4 different ransomware notes which are _Decryption_ReadMe.html, _Decrypt_Files.html, _Help_Help_Help.html, and _Help_Important.html
  • It stops several windows services to facilitate encryption.
  • Disconnects network shares from the targeted machine and targets each machine individually either using a domain controller or using PowerShell or PSExec tools.

Furthermore, it has been found that the ransomware is written in “GO” programming language and upon debugging certain commands are found which are used by the ransomware for performing its functions. These commands are as follows:

  • Executes “cmd.exe /c sc.exe stop AVP /y” command using command prompt to stop several windows services such as Anti Virus, database, mail server etc to facilitate encryption.
  • Disconnects all network shares from the victims machine using the following command: “cmd.exe /c net use * /DELETE /Y”
  • Contains self-terminating routine which checks for the presence of RSA encryption public key at location “C:\Windows\Temp\pub.key” absence of which terminates the execution of ransomware.
  • Ransomware is capable of tracing encryption activity in temporary log files which are deleted upon successful completion of encryption.
  • The ransomware note shown to the victim upon successful encryption of the system is shown below:



Indicators of Compromise:

File system Changes:

  • _Decrypt_Files.html
  • _Decryption_ReadMe.html
  • _Help_Help_Help.html
  • _Help_Important.html
  • C:\Windows\Temp\pub.key
  • C:\Windows\Temp\rf_s
  • C:\Windows\Temp\ro_l
  • C:\Windows\Temp\ro_s

Hashes

  • 3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
  • 3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b
  • e128d5aa0b5a9c6851e69cbf9d2c983eefd305a10cba7e0c8240c8e2f79a544f
  • 9977ba861016edef0c3fb38517a8a68dbf7d3c17de07266cfa515b750b0d249e
  • 4e58b0289017d53dda4c912f0eadf567852199d044d2e2bda5334eb97fa0b67c

Domains contacted for making payments

  • hxxps://xbt4titax4pzza6w[.]onion[.]pet/
  • hxxps://xbt4titax4pzza6w[.]onion[.]to/
  • hxxp://xbt4titax4pzza6w[.]onion/

Best Practices and Recommendations:

  • Users are advised to disable their RDP if not in use, if required it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
  • Restrict execution of Power shell /WSCRIPT in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    Reference: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
  • Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
  • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through browser
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Consider encrypting the confidential data as the ransomware generally targets common file types.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.

References: