Skip to main content

Operator dossier

robinhood (also tracked as HelpYemen) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1 public victims claimed by this operator between December 6, 2021. The RobinHood ransomware group is a financially motivated cybercriminal organization that emerged around 2019, though the specific variant referenced here was first observed in December 2021. The group is suspected to operate independently rather than as a Ransomware-as-a-Service model, with limited public documentation regarding their country of origin or affiliations with other threat actors. RobinHood operators typically gain initial access through exploitation of public-facing applications and vulnerable remote desktop services, deploying their custom ransomware payload that encrypts files and demands payment for decryption keys. The group has historically targeted government entities and healthcare organizations, with their most notable attack occurring against the City of Baltimore in May 2019, which resulted in significant operational disruption and recovery costs exceeding $18 million, though this earlier campaign appears distinct from the 2021 variant. Given the limited victim count and recent emergence of this particular RobinHood variant, current intelligence suggests minimal ongoing activity, though definitive assessment of their operational status remains unclear due to insufficient public reporting on recent campaigns.

Recent disclosures by robinhood

All 1 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for robinhood

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

robinhood

aka HelpYemen · 1 victims indexed · first seen 5 years ago · last activity 5 years ago

1
Victims indexed
#318 of 364 tracked operators
<1m
Active period
Dec 2021 → Dec 2021
Countries hit

At a glance

Status
inactive
Aliases
HelpYemen
First seen
5 years ago
Last activity
5 years ago
Onion sites
1 known endpoint

About

The RobinHood ransomware group is a financially motivated cybercriminal organization that emerged around 2019, though the specific variant referenced here was first observed in December 2021. The group is suspected to operate independently rather than as a Ransomware-as-a-Service model, with limited public documentation regarding their country of origin or affiliations with other threat actors. RobinHood operators typically gain initial access through exploitation of public-facing applications and vulnerable remote desktop services, deploying their custom ransomware payload that encrypts files and demands payment for decryption keys. The group has historically targeted government entities and healthcare organizations, with their most notable attack occurring against the City of Baltimore in May 2019, which resulted in significant operational disruption and recovery costs exceeding $18 million, though this earlier campaign appears distinct from the 2021 variant. Given the limited victim count and recent emergence of this particular RobinHood variant, current intelligence suggests minimal ongoing activity, though definitive assessment of their operational status remains unclear due to insufficient public reporting on recent campaigns.

References

20 links

External sources curated by the MISP threat-intel community.

Timeline

1 months
2021-12-01T00:00:00+00:00 · 1
2021-12-01T00:00:00+00:002021-12-01T00:00:00+00:00

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://robinhoodleaks.tumblr.com

Source

Updated 5 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time robinhood posts a victim.

Add robinhood to your watchlist — Pro pings you within 5 minutes of any new robinhood leak-site post, Telegram callout, or affiliate-rebrand inference.