
RobinHood Ransomware

Posted: August 4, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 86
First Seen: August 4, 2017
OS(es) Affected: Windows


The RobinHood Ransomware is a Trojan that encrypts your files and demands a Bitcoin payment for decrypting them. Its ransom messages carry recognizable symptoms, such as the claim that the payment is made on behalf of the Yemeni people, and its infection vectors may target Saudi Arabian residents in particular. Despite the unusual specificity of its campaign, remote backups and anti-malware solutions are all that PC users require for defending their files and removing the RobinHood Ransomware safely.

Seeing Politics in Practice against Your Files

Since human psychology is a significant weak point of any PC's defenses, many con artists use creative ways of manipulating the user into doing what they want, such as handing over money. In the RobinHood Ransomware's campaign, the degree of emotional manipulation appears to scale directly with the size of the ransom it demands. This Trojan justifies one of the most costly extortion attempts malware experts have ever seen as compensation for atrocities against the citizens of Yemen.

For most of its payload, the RobinHood Ransomware (which is unrelated to the similarly-named Anonymous operation, OpRobinHood) commits attacks similar to those of other file-encrypting threats like Hidden Tear. It scans the PC for files of formats worth encrypting, such as documents, and enciphers them. Related symptoms may include changes to their names and extensions, along with the files no longer opening. Once it finishes this task, it generates two ransom messages: one as a text file and one as an image.

These two files are where malware experts see the majority of the RobinHood Ransomware's unique characteristics. The messages in each are identical and claim that your media is held hostage as a result of your complicity in Saudi Arabian crimes against Yemen. The RobinHood Ransomware claims that its ransom, an extremely high five Bitcoins (about fourteen thousand USD at the time of writing), will compensate the Yemeni people. Alternatively, the victim supposedly can send a politically activist message via 'Tweeter' (the author presumably means Twitter) and have it retweeted one hundred times.

Keeping Outlaws from Their Plunder

The RobinHood Ransomware's ransom demand is far more expensive than almost any other similar case to date, and its distribution methods imply that the author is targeting individuals rather than organizations. Consequently, its attacks are most likely attempting to manipulate social media rather than generate profits from its victims. Whether or not that is true, paying in Bitcoins or Twitter messages does not guarantee that the victim will receive a working decryption solution from the RobinHood Ransomware's author.

For protecting your files from threats of this classification, malware experts recommend that you back them up to a separate removable device or to network cloud storage. Local default backups, particularly Windows' Volume Shadow Copies, are often unreliable recovery choices because most file-encrypting Trojans delete them as part of their attacks. Additionally, users should be cautious about possible infection vectors aimed at Saudi Arabian residents, such as e-mail messages with attachments posing as news articles relevant to that region. Anti-malware products should block and delete the RobinHood Ransomware automatically, and can also remove it after an attack has already occurred, although removing the Trojan does not decrypt the files it has already encrypted.

The industry for file-encrypting threats and the ransoms that make up their profit is one that benefits equally from poor PC security and users with easily-manipulated emotions. Even if you agree with an espoused ideology, remembering who is delivering it can help you avoid trusting a potential con artist like the RobinHood Ransomware's author.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe
  File name: file.exe
  Size: 1.77 MB (1771008 bytes)
  MD5: 493edc98d300ffbfe3fb8d87e970f84f
  Detection count: 62
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: August 4, 2017

%USERPROFILE%\Desktop\ROBINHOOD-TIMER.exe
  File name: ROBINHOOD-TIMER.exe
  Size: 458.75 KB (458752 bytes)
  MD5: 780bdefbb37fe6df3f303304e4bf0ce9
  Detection count: 12
  File type: Executable File
  Mime Type: unknown/exe
  Path: %USERPROFILE%\Desktop
  Group: Malware file
  Last Updated: August 4, 2017
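The two entries above are a small hash-and-size indicator set, and the practical thing to do with them is sweep a host for files that match. The script below is an added example written for this page, not code from the original article or from any anti-malware vendor: it takes the MD5 and byte sizes listed above, pre-filters candidate files by size (every listed sample has a known size, so nothing else needs hashing), and reports matches. The `demo_scan` function builds a constructed directory tree with a harmless stand-in file and a constructed IOC entry for it, so the scanner can be exercised offline without any real sample; the drop location it mirrors (`%USERPROFILE%\Desktop`) is the one listed above.

```python
"""Hash-based IOC sweep for the RobinHood Ransomware samples listed above."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from this page's Technical Details section (MD5 and byte size).
ROBINHOOD_IOCS = {
    "493edc98d300ffbfe3fb8d87e970f84f": {"name": "file.exe", "size": 1771008},
    "780bdefbb37fe6df3f303304e4bf0ce9": {"name": "ROBINHOOD-TIMER.exe", "size": 458752},
}


def md5_of_file(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, iocs=ROBINHOOD_IOCS):
    """Walk `root` and return (path, md5, ioc_name) for every file matching an IOC.

    Size is checked first: every listed sample has a known byte size, so files of
    any other size are skipped without being hashed.
    """
    known_sizes = {entry["size"] for entry in iocs.values()}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable or vanished file; cannot be a match
            if size not in known_sizes:
                continue
            digest = md5_of_file(path)
            entry = iocs.get(digest)
            if entry is not None and entry["size"] == size:
                hits.append((str(path), digest, entry["name"]))
    return hits


def demo_scan():
    """Run the scanner over a constructed directory tree (no real malware involved).

    Returns a pair: hits against a constructed IOC table built from a harmless
    stand-in file, and hits against the page's real RobinHood IOCs (expected: none).
    """
    payload = b"constructed benign stand-in for a malware sample\n"  # constructed data
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp) / "Desktop"  # mirrors the %USERPROFILE%\Desktop drop location
        desktop.mkdir()
        (desktop / "constructed-sample.bin").write_bytes(payload)
        (desktop / "notes.txt").write_bytes(b"an unrelated file of a different size\n")
        constructed_iocs = {
            hashlib.md5(payload).hexdigest(): {"name": "constructed-sample.bin", "size": len(payload)},
        }
        return scan_directory(tmp, constructed_iocs), scan_directory(tmp, ROBINHOOD_IOCS)


if __name__ == "__main__":
    # On a real host, sweep the profile's Desktop, the drop location listed above.
    for path, digest, name in scan_directory(Path.home() / "Desktop"):
        print(f"MATCH {name} md5={digest} at {path}")
    constructed_hits, real_hits = demo_scan()
    print("demo hits:", constructed_hits, "real-IOC hits in demo tree:", real_hits)
```

A hash match identifies only these exact samples: any rebuild or byte-level change of the Trojan produces a different MD5, so a clean sweep rules out these two files and nothing more. Any matching file should be quarantined and handed to an anti-malware product rather than opened or executed.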
