Inactive ransomware operator
← All groupsrobinhood
aka HelpYemen · 1 victims indexed · first seen 4 years ago · last activity 4 years ago
1
Victims indexed
#312 of 348 tracked operators
<1m
Active period
Dec 2021 → Dec 2021
—
Countries hit
At a glance
- Status
- inactive
- Aliases
- HelpYemen
- First seen
- 4 years ago
- Last activity
- 4 years ago
- Onion sites
- 1 known endpoint
About
The RobinHood ransomware group is a financially motivated cybercriminal organization that emerged around 2019, though the specific variant referenced here was first observed in December 2021. The group is suspected to operate independently rather than as a Ransomware-as-a-Service model, with limited public documentation regarding their country of origin or affiliations with other threat actors. RobinHood operators typically gain initial access through exploitation of public-facing applications and vulnerable remote desktop services, deploying their custom ransomware payload that encrypts files and demands payment for decryption keys. The group has historically targeted government entities and healthcare organizations, with their most notable attack occurring against the City of Baltimore in May 2019, which resulted in significant operational disruption and recovery costs exceeding $18 million, though this earlier campaign appears distinct from the 2021 variant. Given the limited victim count and recent emergence of this particular RobinHood variant, current intelligence suggests minimal ongoing activity, though definitive assessment of their operational status remains unclear due to insufficient public reporting on recent campaigns.
References
20 linksExternal sources curated by the MISP threat-intel community.
- cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
- arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/
- blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/
- download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
- go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- goggleheadedhacker.com/blog/post/12
- krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/
- news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/
- news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/
- statescoop.com/baltimore-ransomware-crowdstrike-extortion/
- twitter.com/VK_Intel/status/1121440931759128576
- bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
- bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/
- boll.ch/datasheets/WG_Threat_Report_EN.pdf
- crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
- microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
- microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
- sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/
- welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
- ransomlook.io/group/robinhood
Timeline
1 months2021-12-01T00:00:00+00:002021-12-01T00:00:00+00:00
MITRE ATT&CK
3 techniques · 3 tacticsTactics
Initial AccessExecutionImpact
Recent victims
Loading…
Onion infrastructure
1 known- http://robinhoodleaks.tumblr.com
Source
Updated 4 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.