This hunt hypothesis detects potential ransomware activity associated with the Robbinhood ransomware variant, which has specifically targeted healthcare and critical infrastructure systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate ransomware threats before they cause significant operational disruption.
KQL Query
// The two listed values are 64 hex characters long, i.e. SHA-256 digests, so they
// are matched against the SHA256 column; the SHA1 column (40 hex characters) would never match them.
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8',
'31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')
id: cd718abb-96e4-436e-9a6c-63c09d40cc5c
name: robbinhood-driver
description: |
  This query was originally published in the threat analytics report "Ransomware continues to hit healthcare, critical services". There is also a related blog.
  Robbinhood is ransomware that has been involved in several high-profile incidents, including a 2019 attack on the city of Baltimore, Maryland. Robbinhood operators often employ a distinctive defense evasion technique: they load a vulnerable driver onto a target and exploit it in order to turn off security software, essentially using the driver as malware.
  The following query detects whether a device contains the vulnerable drivers. These are often, but not always, implanted on the target by operators seeking to use this technique to turn off security software.
  For a query that detects a later stage of this technique, see "Detect security evasion related to the Robbinhood ransomware campaign".
  References:
  https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Robinhood.A&ThreatID=2147735370
  https://www.nytimes.com/2019/05/22/us/baltimore-ransomware.html
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Execution
  - Defense evasion
query: |
  // The listed values are 64 hex characters (SHA-256), so match the SHA256 column, not SHA1
  DeviceFileEvents
  | where Timestamp > ago(7d)
  | where SHA256 in('0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8',
  '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427')
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job using Veeam Backup & Replication or Commvault may trigger the rule due to similar file access patterns.
Filter/Exclusion: Exclude processes associated with known backup tools using the process.name field, e.g., veeam.exe or cvbackup.exe.
Scenario: Windows Update or Patching Task
Description: A Windows Update or Microsoft Endpoint Manager (MEM) patching task may trigger the rule due to file system activity during updates.
Filter/Exclusion: Exclude processes with task.name containing "Windows Update" or "Patch", and filter by process.parent_process related to svchost.exe or taskeng.exe.
Scenario: Database Maintenance Task
Description: A SQL Server Agent Job running maintenance tasks (e.g., index rebuilds, backups) may trigger the rule due to file system access.
Filter/Exclusion: Exclude processes with process.name like sqlservr.exe or sqlagent.exe and filter by process.parent_process associated with SQL Server services.
Scenario: Log File Rotation or Archiving
Description: A log management tool like Splunk, ELK Stack, or Logstash may rotate or archive logs, which could resemble ransomware activity.
Filter/Exclusion: Exclude processes with process.name such as splunkd.exe, logstash.exe, or kibana.exe and filter by file.path containing known log directories.
Scenario: Admin Task for File Integrity Monitoring
Description: An admin task using Tripwire or OSSEC to check file integrity may trigger the rule due to file access or modification.
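As an added example (not the original hunting query), the hunt below matches the page's two 64-hex-character values against the SHA256 column and summarizes hits per device for triage, tagging rather than excluding writes made by the backup tools named in the scenarios above. The backup-tool list and the summarized columns are assumptions; the hashes are the page's.

```kql
// Added example, not the published hunting query.
let lookback = 7d;
// The two digests listed on the page (64 hex chars each, so SHA-256).
let driver_hashes = dynamic([
    '0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8',
    '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427']);
// Assumed process names from the "Scheduled System Backup Job" scenario.
let backup_tools = dynamic(['veeam.exe', 'cvbackup.exe']);
DeviceFileEvents
| where Timestamp > ago(lookback)
| where SHA256 in (driver_hashes)
// Tag, rather than drop, events whose initiating process is a known backup tool,
// so the analyst can weigh a restore job against a real driver implant per hit.
| extend LikelyBackupActivity = InitiatingProcessFileName in~ (backup_tools)
| summarize
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp),
    Events       = count(),
    Paths        = make_set(FolderPath, 10),
    Actions      = make_set(ActionType, 10),
    Writers      = make_set(InitiatingProcessFileName, 10),
    BackupTagged = countif(LikelyBackupActivity)
    by DeviceId, DeviceName, SHA256
| order by LastSeen desc
```

A device with hits and BackupTagged equal to zero is the higher-priority case; one where every event is backup-tagged still deserves a look at Paths, since a restored vulnerable driver is as loadable as a freshly dropped one.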