Severity scale:  

Remove RobbinHood ransomware (Virus Removal Instructions) - Oct 2019 update

removal by Linas Kiguolis - - | Type: Ransomware

RobbinHood ransomware is file locking malware that cost Baltimore city $4.6 million in recovery costs

RobbinHood ransomwareRobbinHood ransomware virus is the threat that delivers many files to the system and informs about encryption, ransom amount and possible solutions for getting your files back.

RobbinHood ransomware is crypto-extortion based malware that mainly targets large scale corporations and municipalities, encrypting entire networks that are connected to the initial host. Baltimore, as well as Greenville cities, both suffered significant losses due to ransomware attack – hackers initially demanded $76,000 in Bitcoin, claiming that the fee will increase by $10,000 each day.[1] While no ransom was paid, Baltimore put in a staggering $4.6 million in recovery costs, with $5.4 still pending to be invested till the end of the year.

Initially, it was unknown how RobbinHood ransomware spreads, but later experts found out that hackers either proliferate file locking virus via already infected computer or via insecure Remote Desktop connections – a technique that had been gaining popularity in recent years among ransomware developers.

After encrypting files with the RSA + AES encryption algorithms and appending Encrypted_[random 16].Enc_robbinhood extension to files,[2] RobbinHood virus developers demand the ransom payment for the recovery of locked data. The ransom is either 0.8 BTC or 13 BTC, depending on the number of affected devices. Unlike most ransomware viruses, RobbinHood drops four ransom notes under the following names:

  • note _Decryption_ReadMe.html
  • _Help_Important.html
  • _Decrypt_Files.html
  • _Help_Help_Help.html
Name RobbinHood
First spotted April 2019 – attack on Greenville city was among the first ones seen in the wild
Alternative name Enc_RobbinHood ransomware
Type Cryptovirus
Notable targets Baltimore and Greenville cities
File modification All the files encrypted by RobbinHood get their names completely scrambled in the following pattern: RoEncrypted_[random 16].Enc_robbinhood
Encryption method Ransomware uses AES key to encrypt each file individually and each of those keys are then repeatedly encrypted with RSA public key
Ransom amount Ransom sizes vary. In some instances, hackers demanded 0.8 BTC  for a single computer decryption while full network recovery would cost 13 BTC. In other cases, crooks asked for 3 BTC and 7 BTC, respectively
Ransom notes Surprisingly, this malware drops four ransom notes, which is pretty unusual – _Decryption_ReadMe.html, _Help_Important.html;  _Decrypt_Files.html; _Help_Help_Help.html
Distribution Ransomware is spread either as a secondary payload on already infected computer or by abusing inadequately protected Remote Desktop connections
Elimination tips Get a reputable anti-malware program for the proper RobbinHood ransomware removal. Use Reimage Reimage Cleaner Intego for system cleaning

Since RobbinHood ransomware is a member of the cryptovirus category, you should be aware of the possible damage for encrypted data or even privacy issues and data or money loss. Especially, if you decide to pay the ransom and contact these virus developers.[3]

While RobbinHood ransomware virus mainly targets large organizations or even governments, health industries, and institutions,[4] it does not mean that home users are safe from this infection. Be aware that malware authors could use various infection means, so the target machine could be selected completely randomly.

RobbinHood ransomware besides the file encryption can:

  • install programs, files;
  • disable processes and other functions;
  • run additional malicious processes;
  • alter registry keys or add new ones;
  • steal information stored on the machine;
  • delete or damage files.

RobbinHood ransomware virusRobbinHood ransomware is the cryptovirus that demands either 0.8 or 13 Bitcoins for the decryption.

However, the main symptom of this RobbinHood ransomware is data encryption and ransom demand. The changed name can indicate data that got encoded. Once files get unreachable and locked, the ransom note – _Decryption_ReadMe.html delivers the following message:

What happened to your files? 
All your files are encrypted with RSA-4096, the Read more on 
the RSA is an algorithm Used by modern computers to the encrypt and decrypt the data the. RSA is an asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is also called public key cryptography, because one of the keys can be given to anyone: 
1 – We encrypted your files with our ”  Public key” 
2 – You can decrypt, the encrypted files with specific “Private key” and your private key Our phone hands in is (It's not Possible to recover your files is the private key without Our) 
is Possible IT to the get back your data?
Yes, we have a private keys. Data back options. 
Follow the instructions to get all your data back: 
Step 1: You must send us 0.8 Bitcoin (s) for each affected system 
Step 2: Inform us in panel with hostname ( s) of the system you want, wait for confirmation and get your decrypter 
Step 1: You must send us 13 Bitcoin (s) for all affected system 
Step 2: Inform us in panel, wait for confirmation and get all your decrypters 

The panel to the Access (Contact us) 
of The panel address: http://xbt4titax4pzza6w.onion/EvcNuvq4gckb/ 
Alternative addresses The 
– – 
the Access to the panel using the the Tor Browser 
the If the non of Our links are accessible Template you CAN tor's browser the try to the get in touch with us:
the Step 1: Download Tor Browser from here: . html.en 
Step 2: Run the Browser Browser and wait for connect 
Step 3: Go to the 
Google Browser, Ask Google: how to use the browser 
Wants to make sure we have your decrypter?
You can upload at most 3 files (maximum size allowance is 10 MB in total) and get your data back as a demo. 
Where to buy bitcoin? 
The easiest way is to find bitcoin using Google Search: buy bitcoin online  

RobbinHood ransomware developers as any other cybercriminals encourage people to pay the demanded ransom and guarantees the decryption. However, these people are malicious, and the test decryption that may be offered is not a good idea. This is the trick to make developers look more trustworthy.

You need to get a reputable anti-malware tool and remove RobbinHood ransomware instead. This method is recommended by many experts[5] all over the world because ransomware should be removed alongside all the programs and files. A full system scan that antivirus program can offer is the best solution.

RobbinHood ransomware removal using anti-malware tools allows seeing all potential threats and delete them with one program. AV program offers a full system scan and a security check, other features. Employ malware-fighting tool and clean the system entirely. We can also recommend using Reimage Reimage Cleaner Intego, a program that helps with virus damage and system issues.

RobbinHood ransomware encrypted files

Hackers behind RobbinHood included the Baltimore and Greenville incidents as an examples in the ransom note

One of the newest  RobbinHood ransomware variants came with a little bit more extra on its ransom note. It seems like malicious actors are trying to build up a reputation among its victims and the cyberinimal world, as they are eager to mention the most prolific incidents that involved their malware.

The attack on Baltimore occurred on May 7, 2017, and crooks asked for $76,000 to decrypt all the impacted computers and stored data on them. They also noted in the ransom note that, after four days, the ransom will be increased by $10,000 daily. Baltimore did not pay the ransom in the end, but it cost the city $4.6 million in recovery costs so far – officials said that another $5.4 million will be invested soon. According to some sources, RobbinHood attack cost the city $18 million by June.[6] However, the impact this large was not only due to the ransomware attack only – the way it was handled, along with lackluster of security measures prior to the incident.

The colossal losses boasted the confidence of hackers behind RobbinHood ransomware, so much so that they now include the names of the highly publicized incidents in the ransom note. They now claim that the keys that can unlock the compromised files will be deleted within 10 days after the initial infection, although also demand victims to stay away from the FBI and other sources that could help them with the recovery process. According to crooks. the recovery is “impossible”:

In summery, you can't read or work with your files, But with our help you can recover them.
It's impossible to recover your files without private key and our unlocking software (You can google: Baltimore city, Greenville city and RobbinHood ransomware)

While it is true that no decryption tool for RobbinHood ransomware currently exists, security experts are continuously working on ransomware decryptors all the time. However, there is no guarantee that such tool will eventually be made. As of now, the only way to recover data is by using backups, trying third-party recovery software, or paying RobbinHood authors and hoping for a working decryptor. As usual, the latter is highly discouraged.

RobbinHood ransomware new variantRobbinHood ransomware developers are now mentioning the notorious cases of Baltimore and Greenville in their ransom note, possibly to establish as a high-profile criminal gang

Unprotected RDP connections and other malware causes ransomware infections

There are many different ways how ransomware developers can infect computers, such as using exploits, fake updates, software cracks, spam emails, etc. However, because this malware strain mainly targets organisations and cities, relying on malicious files placed on the internet is simply ineffective. Therefore, more an more high-profile cybercriminals rely on targeted method of infection, and Remote Desktop insecure connections are among the primary ones.

Therefore, if you are using RDP, you need to make sure that it is adequately protected. Cybercriminals scan the internet for devices that are connected to RDP via the default TCP port 3389. Once found, they use a predetermined (but automated) process that manages to brute-force itself in, allowing malicious actors to connected to the host machine remotely and install malware manually.

Therefore, it is vital to avoid using default port for RDP, use strong passwords, limit who can connect to particular connections and turning the RDP off as soon as it is not needed. Additionally, users are advised to make sure their computers are protected by robust anti-malware software at all times to avoid other malware infections which can carry secondary payloads. Finally, a proper backup systems should be implemented in all firms – the best countermeasure against ransomware attack.

Clean the machine and eliminate RobbinHood ransomware, malicious processes and other malware with one professional AV tool

Get rid of the RobbinHood ransomware virus by cleaning the system entirely. This is a great method because all additional programs can get deleted this way. Also, there is no need to have a degree in IT or any experience. 

To remove RobbinHood ransomware properly, you need to get a reputable anti-malware program and scan the machine thoroughly. Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner, or Malwarebytes are the programs that also can help with improving the general performance of your PC.

Make sure to perform a complete RobbinHood ransomware removal and then recover your files with backed up data or using the data recovery software. We have a few suggestions below as well as additional virus elimination tips.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove RobbinHood virus, follow these steps:

Remove RobbinHood using Safe Mode with Networking

RobbinHood ransomware should be removed with AV tools, but enter the Safe Mode with Networking and eliminate this threat fully:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove RobbinHood

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete RobbinHood removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove RobbinHood using System Restore

Try System Restore feature and make the computer virus-free again:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of RobbinHood. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that RobbinHood removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove RobbinHood from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by RobbinHood, you can use several methods to restore them:

Data Recovery Pro should be used for file restoring purposes

Data Recovery Pro can help with RobbinHood ransomware encrypted files or accidentally deleted data

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by RobbinHood ransomware;
  • Restore them.

Windows Previous Versions feature is the alternate method when file backups cannot be used

Unfortunately, System Restore should be enabled before, or Windows Previous Versions would not work

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – method for data recovery

You can restore encrypted files with ShadowExplorer when Shadow Volume Copies are left untouched

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool is not available for RobbinHood ransomware

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from RobbinHood and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions


Your opinion regarding RobbinHood ransomware