A new ransomware called RobbinHood has been discovered that targets networks and encrypts all computers on them. Once the computers have been encrypted, the ransomware requests payment in bitcoins to decrypt a computer. It also gives victims the option to pay a larger amount of bitcoins to decrypt the network as a whole.
The FBI has joined the investigation into the ransomware after city computers in Greenville, North Carolina were attacked. A city spokesperson stated that they have no plans to pay the ransom and that the FBI has brought in experts to assist in the recovery.
In a tweet, the City of Greenville (@GreenvilleGov) stated:
“It has been determined that the City’s network has become infected with a ransomware virus. City staff is working diligently to determine the source and the extent of this infection. For the time being, the City has shut down the majority of its servers.”
Little is known about the ransomware and no sample of it has been located. In the ransom note seen by Bleeping Computer, the attackers ask for 3 bitcoins for each “affected system” or 7 bitcoins for “all affected systems”. The note also warns victims against inaction, stating:
“be careful, the cost of your payment increases $10,000 each day after the fourth day”
The current addresses used in the ransom note are:
One rather unusual aspect of the ransom note is that it stresses that the attackers care about the victim’s privacy, stating:
“I want to mention that your privacy is important for us, all of your records including IP address and Encryption keys will be wiped out after your payment. Also the bitcoin address you should pay to, is generated specifically for you and nobody knows about it.”
We can take from this that the attackers are trying to make payment seem like a more attractive option to the victims. When an attack like this occurs, the business wants its systems back quickly, which often makes it tempting to pay, since the longer the systems are locked, the more the business operation suffers. However, most people try to resist this, since who wants to pay a criminal for access to something they have stolen? Adding to this is the embarrassment that comes with admitting this is what you did. The attackers are attempting to remove the embarrassment element by saying the payment can be kept secret.
The ransom note continues:
“There is no need to mention that our servers have no event a bit of your network data and information.”
This tactic is highly unusual in ransom notes, where the attackers try to cultivate strong feelings of fear and urgency about the files held hostage and shy away from instilling trust.