Taking a look at RobbinHood As we previously stated, it has not been confirmed how the ransomware gains access to a network and the computer's on it. Security researcher Vitali Kremez, who reverse engineered the sample, told BleepingComputer that on execution it will stop 181 Windows services associated with antivirus, database, mail server, and other software that could keep files open and prevent their encryption. "One of the most notable ones is "cmd.exe /c net use * /DELETE /Y" since the malware does not encrypt or crawl any shares and actually disconnects from network, which indicates each variant is likely pushed into each machine via the domain controller or some other automated means (maybe via psexec)" The ransomware will now attempt to read a public RSA encryption key from C:\Windows\Temp\pub.key. The ransomware will then encrypt the AES key and the original filename with the public RSA encryption key and append it to the encrypted file. Each encrypted file will then be renamed using the format Encrypted_[randomstring].enc_robbinhood as shown below.