
S0400: RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

Domain: Enterprise | ID: S0400 | Type: Malware | Object version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

RobbinHood is a Windows ransomware family documented by ATT&CK and first observed in a public-sector incident affecting Baltimore city government. Its ATT&CK relationships make it operationally important because they point beyond file encryption alone: command-shell execution, removal of network share connections, service stopping, inhibition of recovery, and possible impairment of defensive tools. For leaders, this is a resilience issue as much as a malware issue: can the organization keep critical services operating, preserve recovery options, and retain visibility during a ransomware event?

Executive priority

Prioritize RobbinHood as a ransomware resilience validation case for Windows environments. The business decision value is to confirm that endpoint visibility, service monitoring, backup/recovery safeguards, and incident response procedures remain effective when ransomware attempts to stop services, remove share connections, impair tools, and encrypt data. This also supports audit and compliance evidence around recovery readiness, logging, and control effectiveness, but local validation is required because ATT&CK provides no official detection guidance for this malware entry.

Technical view

SOC, detection engineering, and IR teams should map coverage to the supplied ATT&CK relationships: T1059.003 Windows Command Shell for execution, T1070.005 Network Share Connection Removal for cleanup of SMB/share usage, T1486 Data Encrypted for Impact, T1489 Service Stop, T1490 Inhibit System Recovery, and T1685 Disable or Modify Tools. Validate Windows endpoint telemetry for command shell activity, service stop events, network share connection changes, recovery-control changes, security tool tampering, and high-volume file modification/encryption indicators. Because official detection is not provided, detections should be behavior-led rather than name-led.

Likely telemetry

  • Windows process creation and command-line telemetry, especially cmd.exe activity
  • Windows service control events and service stop/disable records
  • Endpoint security or EDR events showing process termination, tool impairment, or sensor health degradation
  • File system telemetry showing rapid or unusual file modification consistent with encryption impact
  • Network share and SMB connection activity, including share connection removal where logged

Detection direction

  • Validate behavioral detections for Windows command shell execution followed by service control, recovery inhibition, tool impairment, or encryption-like file activity.
  • Tune service-stop detections to distinguish administrative maintenance from broad or unusual stopping of important services, especially when followed by file encryption behavior.
  • Monitor for removal of network share connections in suspicious sequences, but account for legitimate administrative use of share cleanup commands.
  • Alert on security tool degradation or loss of endpoint sensor health in proximity to ransomware-like activity.
  • Do not rely on a RobbinHood malware name alone; ATT&CK supplies no official detection text, so coverage should be tested against the related behaviors.
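As an added illustration of the correlation described in the bullets above (not code from this page, from Glexia or from MITRE), the following Python sketch links a cmd.exe share-removal command (the `net use * /DELETE /Y` procedure cited in the relationship table) to a subsequent burst of service-stop events on the same host, while leaving a small administrative cleanup unflagged. The event schema, the 10-minute window and the 20-service threshold are assumptions, and the events are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): Windows process-creation and
# service-control records normalized to one simple schema.
EVENTS = [
    {"ts": "2024-01-01T03:00:00", "host": "WS01", "kind": "process",
     "image": "cmd.exe", "cmdline": "cmd.exe /c net use * /DELETE /Y"},
] + [
    # Broad service stopping on WS01 shortly after the share removal.
    {"ts": f"2024-01-01T03:00:{10 + i:02d}", "host": "WS01",
     "kind": "service_stop", "service": f"svc{i}"} for i in range(25)
] + [
    # Admin maintenance on WS02: share cleanup followed by only two service stops.
    {"ts": "2024-01-01T09:00:00", "host": "WS02", "kind": "process",
     "image": "cmd.exe", "cmdline": "cmd.exe /c net use * /DELETE /Y"},
    {"ts": "2024-01-01T09:00:30", "host": "WS02", "kind": "service_stop", "service": "Spooler"},
    {"ts": "2024-01-01T09:00:40", "host": "WS02", "kind": "service_stop", "service": "wuauserv"},
]

WINDOW = timedelta(minutes=10)  # assumed look-ahead after the shell command
STOP_THRESHOLD = 20             # assumed count of distinct services; tune per environment


def is_share_removal(ev):
    """True for a cmd.exe process-creation event that removes all share connections."""
    if ev["kind"] != "process" or ev["image"].lower() != "cmd.exe":
        return False
    c = ev["cmdline"].lower()
    return "net use" in c and "*" in c and "/delete" in c


def correlate(events, window=WINDOW, threshold=STOP_THRESHOLD):
    """Flag hosts where cmd.exe share removal is followed by a broad service-stop burst."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, ev in enumerate(events):
        if not is_share_removal(ev):
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        stopped = {e["service"] for e in events[i + 1:]
                   if e["host"] == ev["host"] and e["kind"] == "service_stop"
                   and datetime.fromisoformat(e["ts"]) - t0 <= window}
        if len(stopped) >= threshold:
            alerts.append({"host": ev["host"], "trigger_ts": ev["ts"],
                           "services_stopped": len(stopped),
                           "techniques": ["T1059.003", "T1070.005", "T1489"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Lowering the threshold shows the trade-off the tuning bullet describes: at a threshold of 2 the WS02 maintenance sequence is flagged as well.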

Mitigation priorities

  • Confirm resilient, tested backups and recovery processes that are protected from endpoint-level tampering.
  • Harden and monitor Windows administrative capabilities that can invoke command shell, stop services, or change recovery settings.
  • Protect endpoint security tooling from unauthorized stopping, modification, or removal, and monitor sensor health continuously.
  • Limit unnecessary share access and review administrative use of SMB/network shares in ransomware response planning.
  • Prepare IR runbooks for rapid containment, service restoration, evidence preservation, and executive decision-making during ransomware-driven service disruption.

Analyst notes and limits

The most decision-relevant context in the supplied ATT&CK data is the combination of ransomware impact and relationships to execution, stealth, defense impairment, recovery inhibition, and service stopping. The Carbon Black reference title notes that RobbinHood stopped 181 Windows services before encryption, which reinforces the need to monitor service disruption as part of ransomware coverage. The Baltimore Sun reference supports the public-sector incident context, but this take does not infer current targeting or exposure.

ATT&CK provides no official detection guidance, aliases, labels, or tactics directly on the RobbinHood object. The malware platform is Windows, while several related techniques list broader ATT&CK platforms in the supplied relationship context; defensive validation should be scoped to the local Windows environment unless other platform evidence exists. No attribution, active exploitation status, or guaranteed detection coverage is supported by the supplied fields.

Official MITRE ATT&CK definition

RobbinHood

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1490 | Inhibit System Recovery
RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily. [1]

Enterprise | T1489 | Service Stop
RobbinHood stops 181 Windows services on the system before beginning the encryption process. [1]

Enterprise | T1070.005 | Network Share Connection Removal (sub-technique)
RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y. [1]

Enterprise | T1685 | Disable or Modify Tools
RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process. [1]

Enterprise | T1486 | Data Encrypted for Impact
RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
RobbinHood uses cmd.exe on the victim's computer. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 628238fcf08a348f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 628238fcf08a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CarbonBlack RobbinHood May 2019
     Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  2. [2] BaltimoreSun RobbinHood May 2019
     Duncan, I., Campbell, C. (2019, May 7). Baltimore city government computer network hit by ransomware attack. Retrieved July 29, 2019.
  3. [3] mitre-attack S0400

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.