RobinHood Ransomware

What is RobinHood Ransomware?

RobinHood Ransomware is a malicious computer infection that wants to rip off computer users in Saudi Arabia. The reason it calls itself a “Robin Hood” ransomware is that the program makes it seem as though it embarks on a sacred mission to help the Yemeni people, and make Saudi Arabia pay for its supposed role in the war. However, such means of “retribution” are highly questionable, as it is obvious that the program has been created by cyber criminals. The criminals have been intercepted, and you need to remove RobinHood Ransomware from your system if you happen to have this infection on-board.

Where does RobinHood Ransomware come from?

As usual, ransomware applications may have more than just one distribution route. Our research specialists suggest that this program spreads through spam email attachments and remote desktop connections. If you get infected through your Remote Desktop Protocol, it means that your connection was not secure. What’s more, this distribution method requires the criminals to infect the target systems directly. Also, it could be that the system you are connected to have already been compromised, and through that connection, it automatically transfers the malicious file that will infect your computer, too.

As far as the spam email campaigns are concerned, users often forget that they can choose to not download the suspicious files. Just because the file attached to an email looks important, it does not mean you have to open it immediately. Think about it, if the email urges you to open, say, an online shopping invoice, but you have never shopped at that particular store, or you do not remember buying anything recently, it is the first sign that the email could be a scam!

Likewise, there are a lot of spam emails out there that pretend to carry official financial reports from banks and other financial institutions. However, if you do not have an account in that particular bank or if you have never encountered similar reports before, perhaps you should scan the attached file with a security program before opening it. The point is that it is often possible to avoid getting infected with RobinHood Ransomware and other similar programs, but users simply miss that chance by opening the attachments without any second thought.

What does RobinHood Ransomware do?

Upon the installation, RobinHood Ransomware will scan your system looking for the files it can encrypt. Our research shows that the program skips folders with the “Windows” string in it, and it also does not encrypt the EXE, DLL, TMP, and ROBINHOOD extension files. Of course, the ROBINHOOD extension belongs to the ransomware itself.

Once it has located all the files it can encrypt, RobinHood Ransomware uses the AES encryption algorithm to lock your data. All the data is locked with a unique AES key, and once the encryption is complete, that key is once again encrypted using another strong algorithm: RSA 2048. This double security measure is taken so that the criminals were the only ones who could restore your files.

After the infection, the program creates four files. ROBINHOOD-TIMER.exe is created in the same directory where the program was launched. This file is executed after the infection, and it displays the “Time Left” and “Help Yemen” images in the ransom note. Luncher.exe is a small file that creates a task in the Task Scheduler. The task is called MicrosoftServices, and this task runs another file for this program called updater.exe. This file runs a full system scan every 24 hours to look for new files. If new files are found, it encrypts them, too. And of course, the infection also drops the READ_IT.txt file (common to almost every other ransomware program), that sits there on your desktop, waiting for you to read the ransom note.

How do I remove RobinHood Ransomware?

Needless to say, you should not pay the ransom. It is very likely that you will not be able to do so because the infection requires an insanely huge amount of money. Instead, you should follow the instructions below to terminate RobinHood Ransomware for good. Of course, it would be a lot easier to get rid of the program and its files if you used a legitimate antispyware program. Not to mention that a security program would protect your PC from similar infection in the future.

Unfortunately, there is no public decryption key available at the moment, so it might be hard to get your files back. However, if you have a backup drive (an external disk or a cloud disk), you can delete the infected files and transfer healthy data back into your drive. Also, for more information, please feel free to leave us a comment.

Manual RobinHood Ransomware Removal

1. Press Ctrl+Shift+Esc and open Task Manager.
2. Click the Processes tab and remove suspicious processes.
3. Go to your Downloads folder.
4. Delete the ROBINHOOD-TIMER.exe file.
5. Press Win+R and the Run prompt will open.
6. Type %TEMP% into the Open box and click OK.
7. Remove the luncher.exe and updater.exe files from the directory.
8. Press Win+R and type %SYSTEMROOT%\System32\taskschd.msc.
9. Press OK and delete the MicrosoftServices task.
10. Delete the ransom note from your desktop.
11. Run a full system scan. Download Removal Tool100% FREE spyware scan and
    tested removal of RobinHood Ransomware*

Stop these RobinHood Ransomware Processes: