RobinHood Ransomware
Posted: August 4, 2017
Threat Metric
Threat Level: 10/10
Infected PCs: 86
First Seen: August 4, 2017
OS(es) Affected: Windows
The RobinHood Ransomware is a Trojan that encrypts the victim's files and demands a Bitcoin payment for decrypting them. Its ransom notes carry recognizable identifiers, such as the claim that the payment is collected on behalf of the Yemeni people, and its infection vectors may target Saudi Arabian residents in particular. Despite the unusual specificity of its campaign, offline or remote backups and an anti-malware solution are all that PC users need to protect their files and remove the RobinHood Ransomware safely.
Seeing Politics in Practice against Your Files
Human psychology is a significant weak point in any PC's defenses, and many con artists use creative ways of manipulating the user into doing what they want, such as handing over money. In the RobinHood Ransomware's campaign, the degree of emotional manipulation appears to scale directly with the size of the ransom demanded: the Trojan justifies one of the most costly extortion attempts malware experts have seen as compensation for atrocities against the citizens of Yemen.
For most of its payload, the RobinHood Ransomware (which is unrelated to the similarly named Anonymous operation, OpRobinHood) behaves like other file-encrypting threats such as Hidden Tear. It scans the PC for files of formats worth holding hostage, such as documents, and encrypts them. Related symptoms may include changes to the files' names and extensions, along with the content no longer opening. Once it finishes this task, it generates two ransom messages: one as a text file and one as an image.
These two files are where malware experts see most of the RobinHood Ransomware's unique characteristics. The messages in each are identical and claim that the victim's media is held hostage because of their complicity in Saudi Arabian crimes against Yemen. The RobinHood Ransomware claims that its ransom, an extremely high five Bitcoins (about fourteen thousand USD at the time of writing), will compensate the Yemeni people. Alternatively, the victim supposedly can post a political message via 'Tweeter' (the author presumably means Twitter) and have it retweeted one hundred times.
Keeping Outlaws from Their Plunder
The RobinHood Ransomware's ransom demand is far higher than almost any similar case to date, and its distribution methods imply that the author is targeting individuals rather than organizations. Consequently, its attacks are most likely an attempt to manipulate social media rather than to profit from its victims. Whether or not that is true, paying in Bitcoins or Twitter messages gives the victim no guarantee of receiving a working decryption solution from the RobinHood Ransomware's author.
To protect files from threats of this classification, malware experts recommend backing them up to a separate removable device or to network or cloud storage that is not permanently mounted. Default backups, such as Windows Volume Shadow Copies, are often unreliable recovery options, because most file-encrypting Trojans delete them as part of their attack. Additionally, users should be cautious about possible infection vectors aimed at Saudi Arabian residents, such as e-mail attachments posing as news articles relevant to the region. Anti-malware products should block the RobinHood Ransomware automatically, but they can also remove it after its attack has taken place; removal does not, however, decrypt files the Trojan has already encrypted.
The file-encrypting threat industry, and the ransoms that make up its profits, benefits equally from poor PC security and from users with easily manipulated emotions. Even if you agree with an espoused ideology, remembering where the appeal comes from can help you avoid trusting a potential con artist like the RobinHood Ransomware's author.
Technical Details
File System Modifications
The following files were created on the system:

file.exe
File name: file.exe
Size: 1.77 MB (1771008 bytes)
MD5: 493edc98d300ffbfe3fb8d87e970f84f
Detection count: 62
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 4, 2017

%USERPROFILE%\Desktop\ROBINHOOD-TIMER.exe
File name: ROBINHOOD-TIMER.exe
Size: 458.75 KB (458752 bytes)
MD5: 780bdefbb37fe6df3f303304e4bf0ce9
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %USERPROFILE%\Desktop
Group: Malware file
Last Updated: August 4, 2017
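As an added example (not code from the page or from the SpyHunter product), the following Python script hunts for the two indicators listed above: it walks a directory tree, hashes every file with MD5 and reports hash matches separately from filename-only matches. The directory it builds for its dry run is constructed here from placeholder bytes and contains no malware; the extra digest it registers is the MD5 of the constructed test file, not a third indicator from the page. Caveat: a hash indicator only catches the exact build documented here, and repacking the binary changes the MD5, so a filename hit on ROBINHOOD-TIMER.exe on the Desktop is worth investigating even without a hash match.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# MD5 indicators copied from the page's Technical Details section.
ROBINHOOD_MD5 = {
    "493edc98d300ffbfe3fb8d87e970f84f": "file.exe",
    "780bdefbb37fe6df3f303304e4bf0ce9": "ROBINHOOD-TIMER.exe",
}
# Filename indicator from the page, compared case-insensitively. A name match
# is a weaker signal than a hash match, so the scanner reports the two apart.
ROBINHOOD_NAMES = {"robinhood-timer.exe"}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, md5_iocs=ROBINHOOD_MD5, name_iocs=ROBINHOOD_NAMES):
    """Walk root and return (path, reason) pairs for files matching an indicator.

    reason is 'md5:<digest>' for a hash hit and 'name:<filename>' for a
    filename-only hit. Unreadable files (locked, permission denied) are skipped.
    """
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in md5_iocs:
                hits.append((path, "md5:" + digest))
            elif filename.lower() in name_iocs:
                hits.append((path, "name:" + filename))
    return hits


def build_sample_tree():
    """Create a constructed directory tree for a dry run (no real malware).

    Mirrors the page's %USERPROFILE%\\Desktop drop location with placeholder bytes.
    """
    root = tempfile.mkdtemp(prefix="robinhood-scan-")
    desktop = os.path.join(root, "Desktop")
    os.makedirs(desktop)
    with open(os.path.join(desktop, "ROBINHOOD-TIMER.exe"), "wb") as handle:
        handle.write(b"placeholder bytes, not the real binary")
    with open(os.path.join(desktop, "notes.txt"), "wb") as handle:
        handle.write(b"abc")  # md5 of b"abc" is 900150983cd24fb0d6963f7d28e17f72
    with open(os.path.join(root, "report.doc"), "wb") as handle:
        handle.write(b"unrelated document content")
    return root


def demo_scan():
    """Run the scanner over the constructed tree and return the sorted hit reasons."""
    root = build_sample_tree()
    try:
        # Extend the page's hash list with the digest of the constructed notes.txt
        # (hypothetical indicator) so the hash-match path is exercised offline.
        iocs = dict(ROBINHOOD_MD5)
        iocs["900150983cd24fb0d6963f7d28e17f72"] = "constructed test file"
        hits = scan_directory(root, md5_iocs=iocs)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return sorted(reason for _path, reason in hits)


if __name__ == "__main__":
    print("dry run:", demo_scan())
    # Real use: point the scanner at the Desktop the page names as the drop location.
    desktop = Path(os.path.expandvars(r"%USERPROFILE%\Desktop"))
    if not desktop.is_dir():  # non-Windows hosts: fall back to the home Desktop
        desktop = Path.home() / "Desktop"
    for path, reason in scan_directory(desktop):
        print(f"{reason}\t{path}")
```

The dry run reports one hash hit and one filename hit and nothing for the unrelated document; for a live scan, widen the root beyond the Desktop only after checking that the volume is not still being encrypted, since hashing every file on a busy disk is slow and hits on copies of the ransom notes will not appear in a hash list that only covers the executables.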