It has been over a year since ransomware-as-a-service RobbinHood appeared in a major attack against the city government of Baltimore. While initially described as amateur and unsophisticated among cybersecurity pros, the ransomware has since changed in ways that make it a threat to watch.
James Jackson, an independent researcher who aided a global shipping firm in the aftermath of NotPetya and currently works for a multinational intelligence and consulting business, has been analyzing RobbinHood to trace its evolution. He discovered 19 RobbinHood binaries and linked six to confirmed attacks. The research led him to identify four distinct versions of the RobbinHood ransomware, each of which demonstrates growth in functionality and maturity.
"In a very short period of time, [RobbinHood] has rapidly advanced," Jackson says. "The fact they've escalated and refined their attack in a very short period of time, and developed an exploit with a malicious driver, indicates expertise and gearing up."
Version 0.1 of RobbinHood, used to target the cities of Baltimore and Greenville, is considered the most simplistic and unsophisticated. It functions to stop computer services that could stop it from running, encrypt local files, and deploy a ransom note demanding payment in exchange for the files' return. It's noisy and noticeable, Jackson says, and the attackers only implemented crude means from preventing security researchers from analyzing the malware in a sandbox.
"The overarching theme from version one of the malware is that it was incredibly simplistic and it was fraught with problems and errors," he explains. Despite the damage it caused Baltimore, early analysis of RobbinHood revealed "juvenile naivety that was difficult to ignore," he wrote in a blog post. From there, RobbinHood underwent a series of minor and significant changes.
There are many reasons why RobbinHood's attackers may have been motivated to improve. One driver may have been the ease of recovery. "They've realized not only is the ransomware unsophisticated and amateur, but that's having a direct impact on the profitability of this enterprise," Jackson says. Of the six Bitcoin addresses he discovered, five belonged to v0.1 and none had ever contained any funds. This could indicate early versions were not successful.
Version 0.2 appeared in mid-June 2019, slightly more advanced than its predecessor. In this edition, attackers made it harder to extract embedded text from inside the malware. Function names were obfuscated, and the text listing services to stop was encoded. The second version also tried to kill running processes before encryption and had a function to clear Windows Event Logs, though Jackson points out this never seems to execute in ransomware attacks.
RobbinHood operators waited longer to launch version 0.3, which arrived in late January 2020 with a reference to a "RobinHood2" folder and dropped the obfuscation, though embedded text was still encoded. This version was built to erase event logs and use pattern matching to find and stop services, which made it more effective in finding and disabling security software.
Jackson notes erasing event logs is interesting, as there are more important forensic artifacts they don't delete. This could indicate they are intentionally deleting evidence and are bad at it, or they're deleting evidence to hinder response. Both possibilities could be significant in profiling the group: The former indicates low sophistication; the latter, a strong "arsonist" trait, he adds.
Bringing Bigger Changes: v0.3 to v0.4
Version 0.4 appeared only a few months later, in late April, but brought the biggest change to RobbinHood since its 2019 launch. As Jackson points out in his writeup, a comparison of the internal functions in v0.1 and v0.4 revealed the two versions share only 23% of the same code.
This version references a folder dubbed "RobbinHood6.1" and brought additional functions and design improvements. It returns to using a hard-coded list of services and processes to block; however, the list was adjusted to stop services that constantly write data to a computer. This boosts the reliability of encryption, he notes, and minimizes the likelihood of data loss. Versions 0.3 and 0.4 also attempt to change all user account passwords on the system.
Between v0.3 and v0.4, RobbinHood's operators became more concerned with services that could compromise the encryption process, Jackson says. They also created and weaponized a malicious driver to handle this for them. RobbinHood attacks seen during this time exploit a legitimate and digitally signed hardware driver to delete security tools before encrypting files.
The group has demonstrated the ability to decrypt data, he adds. However, there is a higher likelihood that decryption may not be possible even with the group assistance. RobbinHood's encryption process involves using public keys to encrypt a randomly generated AES key and attacker that data to the target file. If an error occurred, the AES key may not be recoverable.
One malicious feature in v0.4 is its ability to identify and remove files prior to encryption. The logic is seemingly targeting backups; however, it may capture data victims may want decrypted. The Ryuk ransomware attackers use manual tactics to delete backups, Jackson points out as an example of another group's strategy. The automated tactic here is comparatively less effective: RobbinHood looks for files with specific extensions, which he says has a low chance of working. If they improve on their handling of backups, there may be more people forced to pay ransom.
"The execution of attackers is interesting in that it's no replacement for what the Ryuk attackers do when they manually target and destroy backup services, which is always going to be much more effective," he explains. The RobbinHood attackers "have some skills up their sleeve, but the way they execute is relatively ineffective." Jackson has not seen evidence indicating RobbinHood attackers have tried to manually identify and delete backups. He does note that the group demonstrates concern with leaving behind forensic evidence.
At the moment, there is insufficient evidence to conclude who is behind RobbinHood or where they are located, Jackson says. While there are some hints in how these attacks are launched, it's easy for operators to adjust components and techniques to mislead security researchers.
"One of the big issues with attribution is … it's so easy to put those details there on purpose or run a black-flag operation and make it seem like a malware is coming out of country X when it's coming out of country Y," he says.