RobinHood
RobinHood is a ransomware family/group referenced in the provided content as an early example of a bring-your-own-vulnerable-driver (BYOVD) attack.
Profile source: Mallory opens in a new tabRobinHood
Family profile
RobinHood is a ransomware family/group referenced in the provided content as an early example of a bring-your-own-vulnerable-driver (BYOVD) attack. In February 2020, the RobinHood ransomware group was reported to have weaponized an exploit into an endpoint detection and response (EDR) killer. The content specifically cites RobinHood as an example of ransomware operators using BYOVD techniques to disable security tooling prior to ransomware deployment. It is also listed alongside other malware in discussion of signed kernel drivers as an attack vector into the Windows kernel. The provided material does not include additional high-confidence details on RobinHood’s infection vector, specific targets, associated threat actor attribution beyond the ransomware group name, or indicators of compromise.
Ransomware.live
Operational record
Reporting
Research mentioning RobinHood
Not very gentlemanly: Analyzing a zero-day exploit used by The Gentlemen ransomware to disable targets’ EDRs | Expel
In February 2020, the exploit was picked up by RobinHood ransomware group, who weaponized it into an EDR killer.
Signed driver malware moves up the software trust chain | SOPHOS
Two examples of BYOVD attacks include the Robinhood ransomware in 2020 and most recently the BlackByte ransomware.