Using the MITRE ATT&CK to investigate the RobbinHood Ransomware

By Yaelle Harel, Threat Prevention Technical Product Manager, published December 10th, 2019

The city of Baltimore was held hostage by RobbinHood ransomware in May 2019.


According to the BBC, the ransomware locked 10,000 city government computers, blocked government email accounts, and disabled online payments to city departments for weeks. The malware demands payment in exchange for decryption tools.


In this use case, we will demonstrate the investigation of “RobbinHood” using the MITRE ATT&CK framework.


MITRE ATT&CK Framework


MITRE ATT&CK is a knowledge base of adversary tactics and techniques.


It has become a useful tool across many cyber security use cases such as Threat Hunting, Red Teaming and Threat Intelligence Enrichment. The framework has been frequently discussed at cyber security conferences such as RSA, Black Hat and Gartner Security and Risk Management Summit.


The framework is built on real-world observations of adversary behavior, which makes it very useful for attack investigations.


The Seven Tactics used by RobbinHood


Check Point’s research team simulated the RobbinHood attack while running Sandblast Agent in detect mode, in order to analyze the behavior of the ransomware. Seven MITRE ATT&CK tactics used by the ransomware were observed by Sandblast Agent:


  • Execution – Used the command-line interface, APIs and other execution techniques.

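One way to turn an observation like the Execution bullet above into a repeatable check, as an added example that is not part of the original post and not Check Point's, SandBlast Agent's or MITRE's code: the script below parses constructed, Sysmon-style process-creation records and tags every command-line interpreter launch with the Execution tactic, raising severity when the parent process is not one that normally spawns a shell or when the window is hidden. The interpreter set, the expected-parent set, the severity rules, the flattened record format and the sample records are all assumptions; the technique ID T1059 is ATT&CK's Command and Scripting Interpreter entry, which the post itself does not cite.

```python
"""Map constructed process-creation events to the ATT&CK Execution tactic.

Added example, not Check Point's, SandBlast Agent's or MITRE's code. The
records below are constructed to resemble flattened Sysmon Event ID 1
(process creation) fields; they are not RobbinHood telemetry. The interpreter
set, expected-parent set and severity rules are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Launch of any of these maps to Execution via a command-line interface
# (ATT&CK technique T1059, Command and Scripting Interpreter). Assumed set.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Parents that legitimately spawn interpreters in this assumed environment.
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}

# Switches that hide the console window; their presence raises severity.
HIDDEN_SWITCHES = ("-w hidden", "-windowstyle hidden")


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass
class Finding:
    tactic: str
    technique: str
    image: str
    parent: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one 'Key: value|Key: value' record (constructed flattened format)."""
    fields = {}
    for part in line.split("|"):
        if ":" not in part:
            continue
        key, value = part.split(":", 1)   # split on the first colon only; values hold drive letters
        fields[key.strip()] = value.strip()
    if "Image" not in fields or "ParentImage" not in fields:
        return None
    return ProcessEvent(fields["Image"], fields["ParentImage"], fields.get("CommandLine", ""))


def classify(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding when the event is a command-line interpreter launch."""
    image = _basename(event.image)
    parent = _basename(event.parent_image)
    if image not in INTERPRETERS:
        return None
    severity = "low" if parent in EXPECTED_PARENTS else "high"
    reason = f"{image} launched by {parent}"
    if any(sw in event.command_line.lower() for sw in HIDDEN_SWITCHES):
        severity = "high"
        reason += " with a hidden window"
    return Finding("Execution", "T1059", image, parent, severity, reason)


def map_to_attack(lines: List[str]) -> List[Finding]:
    """Run every parsable record through classify() and keep the hits."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "Image: C:\\Windows\\System32\\cmd.exe|ParentImage: C:\\Windows\\explorer.exe|CommandLine: cmd.exe /c dir",
    "Image: C:\\Windows\\System32\\notepad.exe|ParentImage: C:\\Windows\\explorer.exe|CommandLine: notepad.exe",
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage: C:\\Users\\alice\\Downloads\\setup.exe|CommandLine: powershell.exe -w hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\run.ps1",
    "malformed record without fields",
]

if __name__ == "__main__":
    for f in map_to_attack(SAMPLE_LOG):
        print(f"[{f.severity}] {f.tactic}/{f.technique}: {f.reason}")
```

Run stand-alone it prints one low-severity finding (cmd.exe under explorer.exe) and one high-severity finding (powershell.exe under a downloaded executable, hidden window); notepad.exe and the malformed record produce nothing. The point of the split between tactic tagging and severity is that the tactic label is what ATT&CK gives you, while what counts as an unusual parent is environment-specific and has to be tuned per site.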