Home Articles All About the Newly Discovered RobinHood Ransomware

All About the Newly Discovered RobinHood Ransomware


The newly discovered RobinHood ransomware is spreading havoc in North Carolina and penalty of $10K per day is to be paid by victims. Read on to know more about this ransomware…

The world of cyber-security is full of surprises. The notorious cyber-criminals keep coming up with new ways to demand online ransom through their ransomware from their victims. A new ransomware named RobinHood has been found targeting computers within an entire network.

In a related development, the RobinHood ransomware is spreading havoc in North Carolina, which has crippled most city-owned PCs. The Federal Bureau of Investigation (FBI) is currently investigating the issue along with local authorities. The operators of the ransomware are so particular about victims’ privacy that they delete the encryption keys and IP addresses after the payment is received.

Working Mechanism
The propagation method of the ransomware is unknown. However, once it is installed, RobinHood renames the encrypted files something similar to Encrypted_b0a6c73e3e434b63.enc_robinhood.

After this, the ransomware drops 4 ransom note with different names at the same time. The names of these notes are _Decryption_ReadMe.html, _Decrypt_Files.html, _Help_Help_Help.html, and _Help_Important.html.

The ransom notes include information regarding what happened to the victim’s files, the ransom amount and links to the TOR sites. The TOR links are the ones where the victim is required to leave a message for the attackers or where they can decrypt 3 files of up to 10MB in size for free.

The ransom varies depending on the number of computers that are encrypted. “For example, in a ransom note seen by BleepingComputer, the ransom was 3 bitcoins per computer or 7 bitcoins for the network,” Bleeping Computer noted.

By the fourth day, the ransom increases by $10,000 per day if the victim fails to pay on time. Once the ransom is received, the attackers delete the encryption key and IP address to protect the privacy of the victim.

As reported by Bleeping Computer, details about the ransomware are currently scarce, and there’s no recorded sample of the same. However, as per the @MalwareHunterTeam, the encrypted files are named similar to Encrypted_%16 hex chars%.enc_robbinhood. The encryption used in this case is RSA-4096 that can be decrypted using private keys.

Payment & Promise
What makes RobinHood interesting are some surprising claims made by its creators. The ransomware’s .Onion payment page mentions that the developers care about the privacy of the users.

“Your privacy is important for us, all of your records including IP address and Encryption keys will be wiped out after your payment,” it says.

The page further mentions that the bitcoin address used for the ransom payment is created freshly for every victim, so there’s no way to track it.

Another surprising claim made by the RobinHood developers is regarding honesty. The victim can upload up to 3 files of maximum size 10MB in total and get them decrypted for free. This way users can make sure that the developers are “honest.”


Please enter your comment!
Please enter your name here

6 + = 10