The Picture of a Modern-day Highwayman – RobbinHood Ransomware - harlan4096 - 06 November 20
Quote:
Breakdown of RobbinHood Ransomware – Attack Patterns, Infiltration, and Obfuscation
Riddle me this: what bears the name of a famous English, tights-wearing rogue but keeps the spoils instead of handing them out to the downtrodden? No, it’s not Robin Hood’s evil twin, but a new type of ransomware that’s slowly rising through the malware ranks.
This novel and audacious malicious agent is called the RobbinHood Ransomware (and no, that’s not a typo) and, so far, it has managed to rake in something of a small treasure after hitting three North American cities. Today’s article is dedicated to this nascent ransomware. I’ll be covering methods of dissemination, infection mechanisms, occurrences, and countermeasures. Enjoy and stay safe out there!
What is the RobbinHood Ransomware?
The RobbinHood Ransomware belongs to the same family as Emotet, IceID, Mailto, Maze, REvil, Trickbot, and MedusaLocker. First spotted in the wild in 2019, RobbinHood has quickly managed to make a name for itself by compromising multiple networks from Maryland, Greenville, and Baltimore. The authorities estimated that the creators of RobbinHood managed to extort at least $1.5 million from their victims. Quite a performance, considering its relatively short time span.
As far as the name’s concerned, RobbinHood has nothing in common with the English crusader turned outlaw other than robbing the rich. This ransomware has been observed to single out high-value targets (HVTs) such as large companies or institutions. Unlike the dashing, bow-bearing rogue, the creators of this ransomware don’t hand out the spoils to the poor. They just keep them for themselves.
Since the RobbinHood ransomware only attacks high-value targets, the ransom is calculated accordingly. One estimate shows that the victims are asked to pay anywhere between 3 and 13 BTC. The prices are computed depending on the number of affected endpoints. For instance, the victims may be asked to pay 3 BTC ($40,538) for a single infected machine and up to 13 BTC ($176,000) for a network.
Apart from demanding a hefty ransom from its victims, the RobbinHood ransomware is also notorious for its sarcastic ad-libs. For instance, the variant that affected Greenville and Baltimore City included a seemingly honest piece of advice: “just pay the ransomware and end the suffering then get better cybersecurity.” Great advice, but at what cost?
Naturally, one would ask what ensues if the victim decides not to pay the ransom. As mentioned in the attached screenshot, the data would be lost forever and, on top of that, the ransom increases by another $10,000 with each passing day.
RobbinHood ransomware’s implications are not limited to locking sensitive files. I’ll tackle this in the next section.
Breakdown of RobbinHood Ransomware – Attack patterns, infiltration, and obfuscation techniques
So far, this ransomware variant has lived up to its name by targeting large companies or institutions. It has been observed that RobbinHood’s favorite infiltration vector is the RDP port. The black-hat hackers usually gain access to the network by brute-forcing the Remote Desktop Protocol port. In other cases, the ransomware used trojans to achieve the same goal. Curiously enough, Heimdal™ Security, along with many other cybersecurity experts, has detected a surge in brute-force attacks, the most recent one taking place in mid-October. No correlation has been established between the increase in brute-force attacks and the RobbinHood ransomware.
After gaining access to the machine or network, the ransomware will attempt to gain enough traction to compromise key systems. Although highly disputed, it would seem that in Baltimore, Maryland, and Greenville, the ransomware prompted the affected systems to rubber-stamp the installation of a kernel driver from the Taiwanese computer hardware manufacturer Gigabyte. The driver in question is Gdrv.sys, a low-level driver used by Gigabyte’s tools.
CVE Details’ entry on the vulnerability, earmarked CVE-2018-1932, shows that the kernel driver has also shipped with other graphics-related applications such as AORUS Graphics Engine (version 1.57 and earlier), OC Guru II (version 2.08), and XTREME GAMING ENGINE (version 1.26 and earlier).
Digital forensics shows that a vulnerability in the driver’s code can be used to trigger a ring-0 memcpy primitive. That primitive is then employed in tampering with the Driver Signature Enforcement (DSE) process. It’s only natural for RobbinHood’s creators to take advantage of this flaw, because tampering with DSE is the easiest way (well, not that easy) to keep malware out of sight.
To summarize:
RobbinHood gains access through trojans or by brute-forcing the RDP port. Full system compromise is achieved by auto-installing a flawed (and digitally signed) Gigabyte motherboard driver. Since the driver is signed by the vendor, it will not ask for the user’s approval. Once the ‘Gaining Access’ phase is complete, the ransomware will move in to remove or disable key processes through the Gdrv.sys vulnerability. To avoid detection and take full control of the system, RobbinHood temporarily suspends and/or disables 181 system services. Furthermore, some behavioral analyses reveal that this ransomware strain also removes backup programs (if present) and disables AVs or antimalware software.
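The two behaviours above that a defender can watch for, a burst of failed RDP logons from one source and a load of the Gigabyte gdrv.sys driver, expressed as simple detection logic over constructed log records. This is an added example, not code from the article or from Heimdal; the event records, thresholds, source addresses and driver paths are all made up for illustration and only mimic the shape of Windows Security event 4625 (logon type 10 = RDP) and Sysmon event 6 (DriverLoad).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 4625 = failed logon,
# logon_type 10 = RemoteInteractive (RDP); id 6 = Sysmon DriverLoad.
SAMPLE_EVENTS = [
    {"ts": f"2020-10-15T03:00:{i:02d}", "id": 4625, "logon_type": 10, "src": "203.0.113.7"}
    for i in range(0, 30, 5)  # six RDP failures from one source in 25 seconds
] + [
    {"ts": "2020-10-15T03:05:00", "id": 4625, "logon_type": 10, "src": "198.51.100.9"},
    {"ts": "2020-10-15T03:05:30", "id": 4625, "logon_type": 2, "src": "10.0.0.5"},  # console logon, ignored
    {"ts": "2020-10-15T03:20:11", "id": 6, "image": r"C:\Windows\System32\drivers\hidusb.sys"},
    {"ts": "2020-10-15T03:21:40", "id": 6, "image": r"C:\Windows\Temp\GDRV.SYS"},  # hypothetical path
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed RDP logons inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            by_src[e["src"]].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def gdrv_driver_loads(events):
    """Image paths of driver loads whose file name is gdrv.sys, regardless of case or directory."""
    return [
        e["image"] for e in events
        if e["id"] == 6 and e["image"].lower().rsplit("\\", 1)[-1] == "gdrv.sys"
    ]


if __name__ == "__main__":
    print("RDP brute-force sources:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    print("gdrv.sys loads:", gdrv_driver_loads(SAMPLE_EVENTS))
```

A driver-load alert on gdrv.sys is worth raising even on a host where Gigabyte tools are installed, since the page notes the signed driver loads without any user prompt.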
...