Using the MITRE ATT&CK to investigate the RobbinHood Ransomware

By Yaelle Harel, Threat Prevention Technical Product Manager, published December 10th, 2019

The city of Baltimore was held hostage by RobbinHood ransomware in May 2019.

According to the BBC, the ransomware locked 10,000 city government computers, blocked government email accounts, and disabled online payments to city departments for weeks. The malware demands payment in exchange for decryption tools.

In this use case, we will demonstrate the investigation of “RobbinHood” using the MITRE ATT&CK framework.

MITRE ATT&CK Framework

MITRE ATT&CK is a knowledge base of adversary tactics and techniques.

It has become a useful tool across many cyber security use cases such as Threat Hunting, Red Teaming and Threat Intelligence Enrichment. The framework has been frequently discussed at cyber security conferences such as RSA, Black Hat and Gartner Security and Risk Management Summit.

The framework provides intelligence based on real-world observations of adversary behavior, which makes it very useful for attack investigations.

The Seven Tactics used by RobbinHood

Check Point’s research team simulated the RobbinHood attack while running SandBlast Agent in detect mode, in order to analyze the behavior of the ransomware. SandBlast Agent observed seven MITRE ATT&CK tactics used by the ransomware:

  • Execution – Used the command-line interface, APIs and other execution techniques.
  • Defense Evasion – Removed share connections in order to clean up traces.
  • Credential Access – Accessed encryption keys.
  • Discovery – Gathered information about the operating system and running processes.
  • Collection – Collected information from the system.
  • Exfiltration – Data was compressed.
  • Impact – Critical data was encrypted and services were stopped.

Figure 1: This chart describes the techniques used by RobbinHood and groups them into tactics.
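To make the grouping in Figure 1 concrete, here is an added example (not Check Point code, and not taken from the report) that takes constructed sandbox events, orders them into the seven tactics listed above, and shows which later tactics never run when the sample is stopped at a given stage. The event names, timestamps and the behaviour-to-tactic mapping are assumptions built from the list above; ATT&CK technique IDs are left out because the page names only tactics.

```python
from collections import OrderedDict

# Constructed telemetry as an endpoint agent in detect mode might record it:
# (timestamp, behaviour). Values are made up to match the seven observations
# listed for RobbinHood above, not taken from any real capture.
SAMPLE_EVENTS = [
    (0, "cmdline_exec"),      # command-line interface used
    (1, "api_exec"),          # execution through APIs
    (2, "os_info_query"),     # operating system information gathered
    (3, "process_enum"),      # running processes listed
    (4, "key_access"),        # encryption keys accessed
    (5, "share_disconnect"),  # network share connections removed
    (6, "file_collect"),      # data collected from the system
    (7, "data_compress"),     # collected data compressed
    (8, "service_stop"),      # services stopped
    (9, "file_encrypt"),      # critical data encrypted
]

# Behaviour -> ATT&CK tactic, grouped as in the seven-tactic list (assumed mapping).
TACTIC_OF = {
    "cmdline_exec": "Execution", "api_exec": "Execution",
    "share_disconnect": "Defense Evasion",
    "key_access": "Credential Access",
    "os_info_query": "Discovery", "process_enum": "Discovery",
    "file_collect": "Collection",
    "data_compress": "Exfiltration",
    "service_stop": "Impact", "file_encrypt": "Impact",
}


def tactic_timeline(events):
    """Tactics in the order first observed, each with the behaviours seen under it."""
    seen = OrderedDict()
    for _, behaviour in sorted(events):  # sort by timestamp
        seen.setdefault(TACTIC_OF[behaviour], []).append(behaviour)
    return seen


def prevented_if_blocked_at(events, tactic):
    """Tactics whose first observation comes after the first event of `tactic`.

    Stopping the sample as soon as `tactic` is detected means nothing later in
    the timeline runs; with detection at Execution, Impact (encryption) is
    among the stages that never happen. Unknown tactics yield an empty list."""
    order = list(tactic_timeline(events))
    if tactic not in order:
        return []
    return order[order.index(tactic) + 1:]
```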

Preventing the Attack by Covering 100% of Techniques

Check Point SandBlast Agent and Check Point SandBlast Network both prevent the RobbinHood attack at the early stage of its execution. The SandBlast engines detect the attempt to use the command and control interface and prevent the execution of the attack. Since Check Point covers 100% of the techniques used by RobbinHood, the attack will be blocked before any data is encrypted, even if the attacker achieves some of his tactical goals.

Analyzing RobbinHood using SandBlast Agent Forensics Reports

Check Point has recently integrated the MITRE ATT&CK matrix into its SandBlast Zero-Day protection forensics reports. Reports for Threat Emulation and SandBlast Agent now include a detailed MITRE ATT&CK matrix with the detected adversary tactics and techniques. This information can be used to investigate the incident, assess the motivation of the attacker, and estimate the potential damage of the attack.

The Check Point SandBlast Agent forensics report for RobbinHood is publicly available. The report contains an overview of the attack, its business impact, and more. Analyzing attacks using the forensics report is very useful. In the case of RobbinHood, the report draws the attack flow in an interactive graph that illustrates the way the attacker executes the techniques listed above and the connections between them.

Check Point has recently added the MITRE ATT&CK matrix details to the forensics report. The matrix can be found under the Suspicious Activity section of the report. The following image is taken from the RobbinHood attack’s forensics report:

The RobbinHood forensics report is also available online. Check It Out Now!