RobinHood Ransomware Removal Guide

Do you know what RobinHood Ransomware is?

RobinHood Ransomware is a malicious program that tries to pass for a social justice warrior. However, no matter what the reasons behind this attack might be, the bottom line is that infection aims to make some money for its creators. It requires the infected users to pay the ransom fee in order to get their files back. If you were affected by this infection, you will have to remove RobinHood Ransomware and look for ways to restore your files. Unfortunately, there is no public decryption tool available, so you will have to rely on a file backup.

Now, why are we saying that this ransomware is fighting a war on social justice? That is because of its ransom note that covers the entire screen once the infection has taken over the system. It says that RobinHood Ransomware attacks mainly computer systems in Saudi Arabia for political reasons. Supposedly, the Saudi users need to pay for the crimes their country has committed against Yemen, but we certainly know that malware infections and malicious files do not recognize national borders. Therefore, this infection COULD be targeting mostly Saudi Arabian users, but if you cross the path of the distribution campaign, you might get exposed to this infection, too.

According to our research, this ransomware spreads via malicious email messages and insecure Remote Desktop Protocol connections. So it means that the installer file could reach the target system either indirectly (through the spam) or directly (through the remote desktop client). When RobinHood Ransomware arrives at the target system in an email attachment, the user still has a choice to leave the attachment there. You can simply say no to the download. It is a lot easier to protect yourself from a ransomware infection that most of the users think. However, if the infection comes from the remote desktop connection, it might prove to be harder to protect your computer.

When this program attacks a target system, it launches a full-fledged encryption that affects the majority of your files. The ransomware itself is coded in the .NET language, and the program makes use of the AES encryption algorithm to encrypt user’s files. The key that is used to “lock up” your files is later on encrypted once more with the RSA 2048 encryption algorithm. As a result, it is virtually impossible to decrypt the files unless you have the original decryption key that only the criminals behind this infection have.RobinHood Ransomware Removal GuideRobinHood Ransomware screenshot
Scroll down for full removal instructions

Luckily, the infection does not encrypt all files on your system. Actually, while the encryption takes place, it skips folders and directors with the word WINDOWS in its string. It means that your system files should remain intact after the encryption. Also, the encryption does not affect files that have the .exe, .dll, .tmp, and .robinhood extensions. Of course, as you can probably tell, the .robinhood extension is the appendix added to all the encrypted files by the ransomware infection. Also, the fact that the program does not touch several files means that you may still launch most of the programs installed on your PC, even after the encryption.

The program is also very explicit about what it wants from you. It says that you need to pay 5 BTC (approximately $17,200USD) “to help Yemeni people,” and the program gives you 72 hours to collect the ransom money. Needless to say, the ransom sum is ridiculous, and unless the program infects some corporation, it is highly unlikely that individual users would pay so much to retrieve your files.

What’s more, it is possible to get your files back without paying the ransom, too. In fact, this is what the security experts encourage in the first place. You can delete the infected files, and then transfer healthy copies of your data back to your hard drive from an external backup. You probably back up your files regular on an external hard drive. Or perhaps you have a cloud storage disk where you upload your most recent files. Computer security experts often emphasize the important of file backup, so we believe that you have more than just one place where you save most of your files by default.

Meanwhile, as far as the ransomware removal is concerned, you can get rid of this program by following our removal guide. For a full removal, do not forget invest in a security program that will take care of your computer’s safety in the future.

How to Remove RobinHood Ransomware

  1. Press Ctrl+Shift+Esc and Task Manager will open.
  2. Open the Processes tab and highlight suspicious processes.
  3. Press the End Process button.
  4. Delete the ROBINHOOD-TIMER.exe file from the directory where you executed the malware.
  5. Press Win+R and type %TEMP%. Click OK.
  6. Delete the luncher.exe and updater.exe files.
  7. Press Win+R and type %SYSTEMROOT%\System32\taskschd.msc. Press OK.
  8. Delete the MicrosoftSErvices point of execution.
  9. Remove the ransom note from your PC.
  10. Scan your system with a reliable antispyware tool.

In non-techie terms:

RobinHood Ransomware was created by cyber criminals who want to earn as much money as possible. Although it seems that this program has political purposes, innocent users could be easily affected by this program, too. Therefore, you have to do everything in your power to remove RobinHood Ransomware from your system, and then look for other ways to restore your files. You need to make sure that your system is protected against similar intruders in the future.