A new ransomware called RobbinHood is in play. Its operators target entire networks, encrypt every computer they can reach, and then demand a certain amount of bitcoin to decrypt a single computer or a larger amount to decrypt the entire network.
Not much is currently known about this ransomware, and a sample of RobbinHood has not yet been obtained. We have, though, seen the ransom notes and encrypted files of various victims, which allows us to put together a picture of how this ransomware may operate.
Of particular interest is how they stress that the victim’s privacy is important to them and they will not disclose any victims who have paid.
RobbinHood targets networks
The ransom note itself shows that the attackers behind RobbinHood are going after networks rather than individual machines: it prices decryption per affected system or for all of them, and asks the victim to supply the hostnames of the systems they want unlocked. Once they gain access, they attempt to encrypt as many computers on the network as they can.
Nothing about the encryption has been verified (the note claims RSA-4096, but without a sample that cannot be confirmed). What we do know is that encrypted files are renamed to a pattern like Encrypted_b0a6c73e3e434b63.enc_robbinhood: an Encrypted_ prefix, 16 hexadecimal characters, and the .enc_robbinhood extension. The new name does not carry the original file name.
The ransomware also, strangely, drops the same ransom note under four different names at once: _Decryption_ReadMe.html, _Decrypt_Files.html, _Help_Help_Help.html, and _Help_Important.html.
These ransom notes explain what happened to the victim's files, state the ransom amounts, and link to the Tor sites where victims can leave a message for the attackers or decrypt up to three files (10 MB in total) for free as a demonstration.
The current addresses used in the ransom note are:
http://xbt4titax4pzza6w.onion/
https://xbt4titax4pzza6w.onion.pet/
https://xbt4titax4pzza6w.onion.to/
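The renaming pattern, the four note names and the .onion addresses above are the only host-level indicators the page gives. The script below is an example added here, not code from BleepingComputer or from the ransomware: it walks a directory tree, flags files matching the observed pattern and any of the four note names, and pulls .onion hosts (including .onion.pet and .onion.to mirrors) out of the notes so the panel address can be added to block lists. The sample tree it builds is constructed for the demonstration; requiring exactly 16 hex characters in either case is an assumption based on the one sample name the page shows.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Observed renaming pattern: Encrypted_<16 hex chars>.enc_robbinhood.
# The article shows one lowercase sample; accepting either case and exactly
# 16 hex digits is an assumption made for this example.
ENCRYPTED_RE = re.compile(r"^Encrypted_[0-9a-fA-F]{16}\.enc_robbinhood$")

# The four ransom note names the ransomware drops at the same time.
RANSOM_NOTES = {
    "_Decryption_ReadMe.html",
    "_Decrypt_Files.html",
    "_Help_Help_Help.html",
    "_Help_Important.html",
}

# v2 (16 char) or v3 (56 char) onion host, optionally via a .onion.pet / .onion.to
# clearnet mirror, as used in the note's panel and alternative addresses.
ONION_RE = re.compile(
    r"https?://((?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:\.(?:pet|to))?)", re.I
)


def scan_tree(root):
    """Walk root; return encrypted file paths, ransom note paths and onion hosts found."""
    found = {"encrypted": [], "notes": [], "onions": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_RE.match(name):
                found["encrypted"].append(path)
            elif name in RANSOM_NOTES:
                found["notes"].append(path)
                try:
                    text = Path(path).read_text(encoding="utf-8", errors="replace")
                except OSError:
                    continue
                found["onions"].update(m.group(1).lower() for m in ONION_RE.finditer(text))
    found["onions"] = sorted(found["onions"])
    return found


def summarize(found):
    """Reduce a scan result to counts plus a hit flag for a host-level triage report."""
    return {
        "hit": bool(found["encrypted"] or found["notes"]),
        "encrypted_files": len(found["encrypted"]),
        "ransom_notes": len(found["notes"]),
        "onion_hosts": list(found["onions"]),
    }


def build_sample_tree():
    """Constructed sample directory for the demo; none of this is real victim data."""
    root = tempfile.mkdtemp(prefix="robbinhood_demo_")
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    # Two renamed files matching the observed pattern, plus one untouched file.
    Path(docs, "Encrypted_b0a6c73e3e434b63.enc_robbinhood").write_bytes(b"\x00" * 32)
    Path(docs, "Encrypted_0123456789abcdef.enc_robbinhood").write_bytes(b"\x00" * 32)
    Path(docs, "report.docx").write_bytes(b"PK\x03\x04")
    # One of the four notes, carrying the panel and alternative addresses from the article.
    Path(docs, "_Help_Important.html").write_text(
        "<html><body>The panel address: http://xbt4titax4pzza6w.onion/xxxx/<br>"
        "Alternative addresses: https://xbt4titax4pzza6w.onion.pet/xxxx/<br>"
        "Tor Browser: https://www.torproject.org/download/download.html.en</body></html>",
        encoding="utf-8",
    )
    # A second note name with no links in it.
    Path(root, "_Decrypt_Files.html").write_text("What happened to your files?", encoding="utf-8")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print(summarize(scan_tree(root)))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run it against a mounted image or a share root rather than a live victim disk where possible, and treat a single note name or a single renamed file as a hit: the ransomware drops all four notes together, but a partially interrupted run may leave fewer.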
These notes offer different payment amounts depending on whether you want to decrypt a single computer or an entire network. For example, in a ransom note seen by BleepingComputer, the ransom was 3 bitcoins per computer or 7 bitcoins for the whole network.
The note also states that after the fourth day, the ransom increases by $10,000 per day.
RobbinHood cares about your privacy
On the ransomware's Tor payment page, the developers of RobbinHood state that they care about their victims' privacy and that the encryption keys and IP addresses will be deleted after payment.
“I want to mention that your privacy is important for us, all of your records including IP address and Encryption keys will be wiped out after your payment. Also the bitcoin address you should pay to, is generated specifically for you and nobody knows about it.”
Even more interesting is that they tell the victim there is no need to report the breach, because the victim's secret is safe with them.
“There is no need to mention that our servers have no event a bit of your network data and information.”
This is the first time I have ever seen a ransomware offer that bit of advice. By stating that they will keep the infection a secret, they imply that a company can pay without having to disclose the breach and receive negative publicity. Whatever the attackers promise, a company's notification obligations are set by law and contract, not by the intruder.
This is being done to increase the chance of a payment being made.
City of Greenville hit by RobbinHood
RobbinHood has already made the news by infecting the network of the City of Greenville, North Carolina.
According to News Channel 12 in North Carolina, the city was hit by the RobbinHood ransomware on Wednesday and had to shut down its network while it determined the extent of the damage.
The city has also contacted law enforcement, with multiple agencies investigating the attack.
“Agents with the FBI are now involved in determining how to handle the breach. National Guard, Strike Team, State IT and State Emergency Management are also working the case.”
Unfortunately, Greenville is not the only victim of the RobbinHood ransomware.
BleepingComputer and MalwareHunterTeam, who tweeted about the ransomware yesterday, have been monitoring victims infected by RobbinHood. MalwareHunterTeam has stated that none of these victims has paid the ransom at this point.
IOCs:
Associated file names:
_Decryption_ReadMe.html
_Decrypt_Files.html
_Help_Help_Help.html
_Help_Important.html
Ransom note text:
What happened to your files?
All your files are encrypted with RSA-4096, Read more on https://en.wikipedia.org/wiki/RSA_(cryptosystem)
RSA is an algorithm used by modern computers to encrypt and decrypt the data. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone:
1 - We encrypted your files with our "Public key"
2 - You can decrypt, the encrypted files with specific "Private key" and your private key is in our hands ( It's not possible to recover your files without our private key )
Is it possible to get back your data?
Yes, We have a decrypter with all your private keys. We have two options to get all your data back.
Follow the instructions to get all your data back:
OPTION 1
Step 1 : You must send us 3 Bitcoin(s) for each affected system
Step 2 : Inform us in panel with hostname(s) of the system you want, wait for confirmation and get your decrypter
OPTION 2
Step 1 : You must send us 7 Bitcoin(s) for all affected system
Step 2 : Inform us in panel, wait for confirmation and get all your decrypters
Our Bitcoin address is: xxxxxxxxxxx
BE CAREFUL, THE COST OF YOUR PAYMENT INCREASES $10,000 EACH DAY AFTER THE FOURTH DAY
Access to the panel ( Contact us )
The panel address: http://xbt4titax4pzza6w.onion/xxxx/
Alternative addresses
https://xbt4titax4pzza6w.onion.pet/xxxx/
https://xbt4titax4pzza6w.onion.to/xxxx/
Access to the panel using Tor Browser
If non of our links are accessible you can try tor browser to get in touch with us:
Step 1: Download Tor Browser from here: https://www.torproject.org/download/download.html.en
Step 2: Run Tor Browser and wait to connect
Step 3: Visit our website at: panel address
If you're having a problem with using Tor Browser, Ask Google: how to use tor browser
Wants to make sure we have your decrypter?
To make sure we have your decrypter you can upload at most 3 files (maximum size allowance is 10 MB in total) and get your data back as a demo.
Where to buy Bitcoin?
The easiest way is LocalBitcoins, but you can find more websites to buy bitcoin using Google Search: buy bitcoin online