Chasing RobbinHood: Up Close with an Evolving Threat

Published: 23/11/2024   Category: security




A security researcher details how RobbinHood has changed and why it remains a threat for businesses to watch.



It has been over a year since the ransomware-as-a-service RobbinHood appeared in a major attack against the city government of Baltimore. While cybersecurity pros initially described it as amateur and unsophisticated, the ransomware has since changed in ways that make it a threat to watch.
James Jackson, an independent researcher who aided a global shipping firm in the aftermath of NotPetya and currently works for a multinational intelligence and consulting business, has been analyzing RobbinHood to trace its evolution. He discovered 19 RobbinHood binaries and linked six to confirmed attacks. The research led him to identify four distinct versions of the RobbinHood ransomware, each of which demonstrates growth in functionality and maturity.
"In a very short period of time, [RobbinHood] has rapidly advanced," Jackson says. "The fact they've escalated and refined their attack in a very short period of time, and developed an exploit with a malicious driver, indicates expertise and gearing up."
Version 0.1 of RobbinHood, used to target the cities of Baltimore and Greenville, is considered the most simplistic and unsophisticated. It stops computer services that could prevent it from running, encrypts local files, and drops a ransom note demanding payment in exchange for the files' return. "It's noisy and noticeable," Jackson says, and the attackers implemented only crude means of preventing security researchers from analyzing the malware in a sandbox.
"The overarching theme from version one of the malware is that it was incredibly simplistic and it was fraught with problems and errors," he explains. "Despite the damage it caused Baltimore, early analysis of RobbinHood revealed juvenile naivety that was difficult to ignore," he wrote in a blog post. From there, RobbinHood underwent a series of minor and significant changes.
There are many reasons why RobbinHood's attackers may have been motivated to improve. One driver may have been the ease of recovery. "They've realized not only is the ransomware unsophisticated and amateur, but that's having a direct impact on the profitability of this enterprise," Jackson says. Of the six Bitcoin addresses he discovered, five belonged to v0.1 and none had ever contained any funds. This could indicate early versions were not successful.
Version 0.2 appeared in mid-June 2019, slightly more advanced than its predecessor. In this edition, attackers made it harder to extract embedded text from inside the malware. Function names were obfuscated, and the text listing services to stop was encoded. The second version also tried to kill running processes before encryption and had a function to clear Windows Event Logs, though Jackson points out this never seems to execute in ransomware attacks.
RobbinHood operators waited longer to launch version 0.3, which arrived in late January 2020 with a reference to a "RobinHood2" folder and dropped the obfuscation, though embedded text was still encoded. This version was built to erase event logs and to use pattern matching to find and stop services, which made it more effective at finding and disabling security software.
Jackson notes erasing event logs is interesting, as there are more important forensic artifacts they don't delete. This could indicate they are intentionally deleting evidence and are bad at it, or they're deleting evidence to hinder response. "Both possibilities could be significant in profiling the group: The former indicates low sophistication; the latter, a strong arsonist trait," he adds.
Bringing Bigger Changes: v0.3 to v0.4
Version 0.4 appeared only a few months later, in late April, but brought the biggest change to RobbinHood since its 2019 launch. As Jackson points out in his writeup, a comparison of the internal functions in v0.1 and v0.4 revealed the two versions share only 23% of the same code.
This version references a folder dubbed "RobbinHood6.1" and brought additional functions and design improvements. It returns to using a hard-coded list of services and processes to stop; however, the list was adjusted to stop services that constantly write data to a computer. This boosts the reliability of encryption, he notes, and minimizes the likelihood of data loss. Versions 0.3 and 0.4 also attempt to change all user account passwords on the system.
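The service-stopping and event-log-clearing behaviour described for v0.2 through v0.4 leaves traces in the Windows System and Security logs, which is where a defender would look for it. The script below is an added example written for this page; it is not from the article, from Jackson's research, or from any RobbinHood sample. It runs two checks over a small set of constructed event records (service names, timestamps and message text are assumed, shaped like exported event-log rows): it flags log-clear events (Security 1102, System 104) and bursts of Service Control Manager stop events (System 7036) inside a sliding time window, which is the pattern a ransomware pre-encryption phase produces and a single benign service restart does not.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Real Windows event IDs: 1102 (Security: the audit log was cleared), 104
# (System: another event log was cleared), 7036 (System: a service changed state).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SERVICE_STATE = ("System", 7036)
STOPPED_RE = re.compile(r"^The (?P<name>.+) service entered the stopped state\.$")

# Constructed sample records (assumed format, not real incident data): one
# isolated benign stop, one non-stop state change, a burst of six stops, two clears.
SAMPLE_EVENTS = [
    {"time": "2024-11-23T08:00:00", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"time": "2024-11-23T09:00:01", "channel": "System", "event_id": 7036,
     "message": "The Windows Update service entered the running state."},
    {"time": "2024-11-23T09:15:00", "channel": "System", "event_id": 7036,
     "message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"time": "2024-11-23T09:15:02", "channel": "System", "event_id": 7036,
     "message": "The Volume Shadow Copy service entered the stopped state."},
    {"time": "2024-11-23T09:15:03", "channel": "System", "event_id": 7036,
     "message": "The SQL Server (MSSQLSERVER) service entered the stopped state."},
    {"time": "2024-11-23T09:15:05", "channel": "System", "event_id": 7036,
     "message": "The Windows Backup service entered the stopped state."},
    {"time": "2024-11-23T09:15:06", "channel": "System", "event_id": 7036,
     "message": "The Microsoft Exchange Information Store service entered the stopped state."},
    {"time": "2024-11-23T09:15:09", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"time": "2024-11-23T09:16:30", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"time": "2024-11-23T09:16:31", "channel": "System", "event_id": 104,
     "message": "The Application log file was cleared."},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_log_clears(events):
    """Return every record that reports an event log being cleared."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]


def service_stops(events):
    """Yield (time, service name) for each 'entered the stopped state' record."""
    for e in events:
        if (e["channel"], e["event_id"]) != SERVICE_STATE:
            continue
        m = STOPPED_RE.match(e["message"])
        if m:
            yield parse_time(e["time"]), m.group("name")


def find_service_stop_bursts(events, window_seconds=60, threshold=5):
    """Flag any sliding window of window_seconds holding >= threshold stops.

    Each burst is reported once, listing every service stopped while it lasts,
    so a single benign restart never trips it but a mass shutdown does.
    """
    window = deque()          # (time, name) pairs inside the current window
    bursts, current = [], None
    for t, name in sorted(service_stops(events)):
        window.append((t, name))
        while window[0][0] < t - timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            if current is None:   # window just crossed the threshold
                current = {"start": window[0][0], "services": [n for _, n in window]}
                bursts.append(current)
            else:                 # still inside the same burst
                current["services"].append(name)
        else:
            current = None
    for b in bursts:
        b["count"] = len(b["services"])
    return bursts


def run_checks(events):
    return {"log_clears": find_log_clears(events),
            "service_stop_bursts": find_service_stop_bursts(events)}


if __name__ == "__main__":
    result = run_checks(SAMPLE_EVENTS)
    for e in result["log_clears"]:
        print(f"LOG CLEARED {e['time']} {e['channel']} {e['event_id']}")
    for b in result["service_stop_bursts"]:
        print(f"SERVICE STOP BURST from {b['start']}: {b['count']} services "
              f"({', '.join(b['services'])})")
```

The window and threshold are tuning knobs: a 60-second window with five stops is tight enough to separate a maintenance reboot from a scripted kill list, but each environment's baseline should set them. Pairing the two checks in time (stops followed within minutes by a clear) is the combination worth alerting on, since, as Jackson notes, the clearing alone is an inconsistent signal.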
Between v0.3 and v0.4, RobbinHood's operators became more concerned with services that could compromise the encryption process, Jackson says. They also created and weaponized a malicious driver to handle this for them. RobbinHood attacks seen during this time exploit a legitimate and digitally signed hardware driver to delete security tools before encrypting files.
The group has demonstrated the ability to decrypt data, he adds. However, there is a higher likelihood that decryption may not be possible even with the group's assistance. RobbinHood's encryption process uses public keys to encrypt a randomly generated AES key and attaches that data to the target file. If an error occurred at that step, the AES key may not be recoverable.
One malicious feature in v0.4 is its ability to identify and remove files prior to encryption. The logic seems to target backups; however, it may also capture data victims want decrypted. The Ryuk ransomware attackers use manual tactics to delete backups, Jackson points out as an example of another group's strategy. The automated tactic here is comparatively less effective: RobbinHood looks for files with specific extensions, which he says has a low chance of working. If they improve their handling of backups, more people may be forced to pay ransom.
"The execution of attackers is interesting in that it's no replacement for what the Ryuk attackers do when they manually target and destroy backup services, which is always going to be much more effective," he explains. "The RobbinHood attackers have some skills up their sleeve, but the way they execute is relatively ineffective." Jackson has not seen evidence indicating RobbinHood attackers have tried to manually identify and delete backups. He does note that the group demonstrates concern with leaving behind forensic evidence.
At the moment, there is insufficient evidence to conclude who is behind RobbinHood or where they are located, Jackson says. While there are some hints in how these attacks are launched, it's easy for operators to adjust components and techniques to mislead security researchers.
"One of the big issues with attribution is … it's so easy to put those details there on purpose or run a black-flag operation and make it seem like a malware is coming out of country X when it's coming out of country Y," he says.